Privacy Policy

Lunit Inc. (“Lunit”, “we”, “us”, or “our”) owns and operates the websites, including without limitation, www.lunit.io (“Websites”). Through our Websites, we offer various online services that enable visitors to the Websites (“you” or “Users”) to receive access to information about our products and services.

Lunit understands that the privacy of information is of great importance to all Users. Thus, we are committed to protecting it through our compliance with the following privacy policy (“Privacy Policy”). This Privacy Policy is subject to change pursuant to relevant laws, regulations, and rules and Lunit’s internal operation policies, in which case the changes made to this Privacy Policy will be disclosed in accordance with the methods stipulated by relevant laws and regulations

Lunit processes the following particulars of personal information:

1. Representative Website Product Inquiries: Name, email, phone number, country, title, organization/company name, nature of inquiry
2. Job application and recruitment inquiry on recruitment website:

- Job Application

• Required: Name, address, phone number, cell phone number, e-mail, resume (Nationality, eligibility for veterans and disabled persons, academic background and grades, work experience, military service, overseas experiences, social activity, languages and other skills, awards, hobbies, talents, self-introduction, etc)
• Optional: additional submissions (skills, cover letters, portfolios, etc)

3. Providing SCOPE Services

• Required: Name, e-mail
• Optional: cell phone number

4. Product Technical Assistance: email
5. Product Educational Assistance: email
6. Clinical Research and Product Development: Pseudonymized Medical Imaging Information and Metadata
7. Other information items that may be automatically generated and collected during service use on the Internet: IP addresses, cookie, MAC addresses, service use records, visit records, and locations

Lunit processes personal information for the following purposes. Your personal information processed by Lunit is not used for any purpose other than the purposes specified in the following, and we will take necessary measures when any change occurs in the purposes of use, such as obtaining additional consent in accordance with Article 18 of the Personal Information Protection Act.

1. Representative Website Product Inquiries: Responding to inquiries about Lunit’s Products
2. Job application and recruitment inquiry on recruitment website: Managing recruitment process, providing recruitment information, notification for each selection process, handling recruitment inquiries, etc.
3. Providing SCOPE Services
4. Product Technical Assistance: providing technical assistance for any of Lunit’s products
5. Product Educational Assistance: providing education and training for any of Lunit’s products
6. Clinical Research and Product Development

1. Lunit handles and retains personal information only during the period specified by relevant statutes for retaining and using personal information or the period to which each User consents when we collect the User’s personal information.
2. The period using which a User’s personal information is handled and retained is as follows:
   

   1) Representative Website Product Inquiries: until permission is rescinded

   2) Job application and recruitment inquiry on recruitment website: 2 years

   3) Providing SCOPE Services: until the end of the service

   4) Product Technical Assistance: until permission is rescinded

   5) Product Educational Assistance: until permission is rescinded

   6) Clinical Research and Product Development: until the completion of the development of the related models

3. Lunit, in principle, does not use or provide personal information without the consent of the data subject. However, the criteria for determining when personal information may be additionally used or provided without the consent of the data subject in accordance with relevant laws are as follows:

   • Whether the usage or provision of personal information is related to the original purpose of collecting personal information
   • Whether the additional use or provision of personal information is foreseeable in light of the circumstances of collecting or processing personal information
   • Whether the usage or provision of personal information unfairly infringes on the interests of the data subject
   • Whether measures necessary for securing safety, such as pseudonymization or encryption, have been taken

1. In accordance with Article 26 of the Personal Information Protection Act, Lunit outsources the processing of a User’s personal information to maintain its Websites as follows:

   Outsourced Companies	Outsourced Tasks
   Workable Software Limited	Operation of recruitment website and recruitment management computer system and handling of related complaints
   AWS	Data archiving and infrastructure management
   Fivecloud	IT System Maintenance, info infodesk
   Miracle Four Man	Information desk management

2.  When executing an outsourcing agreement, Lunit agrees on responsibilities such as the prohibition of processing of personal information other than for the purpose of performing outsourced tasks, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of the outsourced companies, and compensation for damages, in accordance with Article 26 of the Personal Information Protection Act, and supervise whether the outsourced companies handles personal information safely.

3.  In case of any change to the outsourced tasks or companies, Lunit will promptly disclose the information through this Privacy Policy.

Lunit may transmit or manage the User’s personal information overseas for the purpose of service provision and user convenience as follows.

※ Users may refuse the transfer of their personal information to foreign countries through the company’s privacy protection officer or designated personnel. If a user refuses the transfer of their personal information to foreign countries, the company will exclude that user’s personal information from being transferred abroad. However, in this case, the user may not be able to use services for which the transfer of personal information abroad is a mandatory part of the service.

1. Lunit destroys a User’s personal information after the period during which the personal information is retained ends or the purposes of handling the personal information have been attained.

2. If Lunit is required by the relevant laws or regulations to retain personal information even when the agreed retention period is over or after achieving the purpose of its collection, Lunit shall transfer the said personal information (or personal information file) to a separate database or another storage space.

3. The procedure, deadlines, and methods for destroying it are as follows:

   • Procedure for Destruction: Lunit selects personal information (or personal information file) subject to destruction, obtains approval from the person in charge of personal information protection, and destroys it.
   • Methods for Destruction: Personal information stored in electronic file formats is to be deleted using technical means which makes the information unrecoverable. Personal information recorded and stored in paper is to be destroyed through shredding or incineration.

1. The data subject may exercise their rights (hereinafter referred to as "exercise of rights") at any time with respect to Lunit, including the right to access, correct, delete, suspend processing, or withdraw consent.

   ※ Requests for access, correction, or deletion of personal information regarding children under the age of 14 must be made directly by the child's legal guardian. For data subjects who are minors aged 14 or older, they may exercise their rights regarding their personal information either by themselves or through their legal guardian.

2. An information subject may exercise the rights specified in paragraph (1) above via written documents or e-mail, etc. In such cases, Lunit will promptly take the required actions.

3. In case of a User requests the correction or deletion of his/her personal information, Lunit does not use or disclose the relevant personal information to any third party until the correction or deletion is complete.

4. A User may exercise his/her rights through an agent such as his/her legal representative or a person with a mandate. In such cases, the User shall submit a power of attorney as specified in attached Form 11 of Notification on the Methods of Personal Information Processing.

5. Users must not infringe on their own privacy or the privacy of other people collected by Lunit by violating the Act on the Protection of Personal Information.

6. The rights of the information subject may be restricted in accordance with Article 35, Paragraph 4 or Article 37, Paragraph 2 of the Personal Information Protection Act.

7.  If the personal information is specified as the collection target in other laws, the personal information may not be deleted even if you request the deletion of the personal information.

8. Lunit verifies whether the person exercising their rights is the data subject or a legitimate representative.

Lunit has taken the following measures necessary for ensuring safety, in compliance with Article 29 of the Personal Information Protection Act:

• Administrative measures: Establishment/Implementation of internal management plans, regular training of employees, etc.
• Technical measures: Management of access to systems processing personal information, installation of access control systems, encryption of identifiable information, and installation of security programs.
• Physical measures: Access control to computer rooms and data storage rooms

When processing pseudonymized information, Lunit takes the following additional security measures in accordance with Article 28-4 of the Personal Information Protection Act:

• Storing pseudonymized information and additional information separately (if additional information is unnecessary, additional information will be destroyed)
• Separating access rights to pseudonymized information and additional information

Creating and retaining records related to the management of pseudonymized information, including the purpose of processing pseudonymized information, the items of personal information that have been pseudonymized, the usage history of pseudonymized information, the recipients when provided to a third party, the processing period of pseudonymized information (limited to cases where the processing period is separately determined in accordance with Article 28-4, Paragraph 2 of the Personal Information Protection Act), and other matters deemed necessary by the Personal Information Protection Commission

Devices

1.  Lunit uses “cookies” that store and loads user information to give you the best experience on our Website.
2. Cookies are small pieces of information sent from the Website’s server to the browsers in the User’s computers. Some of them are stored in the User’s hard disk drive.
   • For more detailed information regarding the types, purposes, and management of cookies used by Lunit, please refer to our Cookie Policy.

1. Lunit has appointed the following persons as its Personal Information Protection Officer for the coordination of all tasks related to the processing of personal information, addressing information subjects’ complaints regarding the processing of personal information, and providing remedies for damages.

   Chief Privacy Officer

   • Name: Jungin-Lee
   • Department: Information Security Team, Infrastructure Department
   • E-mail: jilee@lunit.io

   Privacy Manager

   • Name: Seungwoo Jung
   • Department: Information Security Team, Infrastructure Department
   • E-mail: jsw@lunit.io

    

2. Please contact the Chief Privacy Officer or Privacy Manager for any question, complaint, and remedy related to personal information during the use of Lunit’s services. Lunit will promptly respond to and process your inquiry.

A User may request Lunit to permit him/her to inspect his/her personal information under Article 35 of the Personal Information Protection Act. Lunit will strive to ensure that such requests will be processed without delay.

• Department in charge of personal information viewing Name: Seungwoo Jung
• Department: Information Security Team, Infrastructure Department
• E-mail: jsw@lunit.io

1. Lunit may amend its Privacy Policy to reflect any legal or service changes. Lunit shall promptly notify such amendment in advance.

• Privacy Policy Version Number: v0.5
• Privacy Policy Notification/Effective Date: 2025.01.21
  
  

2.Please find the previous versions of Privacy Policy below.

- 2025-01-21 ~ (Privacy Policy v0.5.0)

- 2024-05-01 ~ 2025-01-21 (Privacy Policy v0.4)

- 2024-02-01 ~ 2024-05-01 (Privacy Policy v0.3)

- 2023-02-01 ~ 2024-02-01 (Privacy Policy v0.2)

- 2022-02-01 ~ 2023-02-01 (Privacy Policy v0.1)

- 2021-02-01 ~ 2022-02-01 (Privacy Policy v0.0)

This section supplements the information contained in our Privacy Policy and applies solely to Users who reside in the State of California. We adopt this notice in this section to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this section.

Information We Collect

Lunit collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular User (“personal information”). In particular, Lunit has collected the following categories of personal information from its Users in the last twelve (12) months. We obtain the categories of personal information listed below as set forth in the methods described in our Privacy Policy.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the business purposes indicated in Article 2 of our Privacy Policy. We will not collect additional categories of personal information or use the personal information for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for business purposes. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purposes except performing the contract. We share your personal information with the categories of third parties listed in Article 5 and Article 6 of our Privacy Policy.

In the preceding twelve (12) months, we have shared or disclosed the following categories of personal information for business purposes.

• Identifiers
• California Customer Records personal information categories
• Protected classification characteristics under California or federal law
• Commercial Information
• Internet or other similar network activity
• Geolocation Data
• Professional or employment-related information
• Non-public education information
• We do not sell personal information. In the event that we do sell any personal information, we will update Privacy Policy to list the categories of Users’ personal information sold.

Your Rights and Choices

The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

1) Right to Access Specific Information and Data Portability Right

You have the right to request that we disclose certain information to you about our collection, sharing, disclosure, or use of your personal information over the past twelve (12) months from the time of your request. Once we receive and confirm your verifiable consumer request, we will disclose to you the following information:

• The categories of personal information we collected about you;
• The categories of sources for the personal information we collected about you;
• Our business or commercial purpose for collecting or selling that personal information;
• The categories of third parties with whom we share or sell that personal information;
• The categories of personal information sold by each third party who sold personal information;
• The categories of personal information disclosed for business purposes or commercial purposes; and
• The specific pieces of personal information we collected about you (also called a data portability request).

Please note that we have not sold any personal information in the preceding twelve (12) months.

2) Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for use or our service providers to:

• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
• Debug products to identify and repair errors that impair existing intended functionality;
• Exercise free speech, ensure the rights of other consumers to exercise their free speech rights, or exercise other rights provided for by law;
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
• Comply with legal obligations; or
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

3) Opt-Out Rights

We have not sold and will not sell any personal information collected from Users.

4) Non-Discrimination

We will not discriminate against California residents for exercising any of their rights under the CCPA. Moreover, unless permitted by the CCPA, we will not:

• Deny you goods or services;
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
• Provide you a different level or quality of goods or services; or
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

5) Exercising Access and Deletion Rights

• To exercise the access and deletion rights described above, please submit a verifiable consumer request to us by contacting us in the contact specified in Article 11 of our Privacy Policy.
• Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information You may also make a verifiable consumer request on behalf of your minor child.
• The verifiable consumer request must:
  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (e.g. a copy of your passport, residence certificate, etc.); and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond thereto.

This section supplements the information contained in our Privacy Policy and applies solely to Users who reside in the EEA. Lunit complies with the General Data Protection Regulation (GDPR) as well as the domestic laws of each member country.

• If you reside in the EEA and your personal data is covered by the EU General Data Protection Regulation (“GDPR”), subject to the limitations and exceptions provided in the applicable law, you have the rights provided under the Articles 15, 16, 17, 18, 20, 21 of the GDPR.
• The right to obtain from Lunit a confirmation as to whether your personal data is being processed, and if so, request for access to your personal data;
• The right to rectify your personal data that is inaccurate;
• The right to request Lunit for the erasure of your personal data;
• The right to restrict the processing of your personal data;
• The right to object to the processing of your personal data for direct marketing or for any other reason relating to your particular situation;
• The right to data portability (i.e., the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller);
• The right to withdraw your consent, if applicable. The withdrawal of the consent does not affect the lawfulness of processing your personal data based on your consent provided prior to the withdrawal. Once you withdraw your consent, Lunit may further process your personal data only if there is other legal ground for Lunit to do so; and
• The right to lodge a complaint with the responsible supervisory authority if you believe that our data processing is in breach of the GDPR.

International Transfers of Personal Data

Please be aware that the personal data we collect may be transferred to and maintained on servers or databases located outside your state, province, country, or other jurisdiction, where the privacy laws may not be as protective as those in your location, pursuant to Article 5 and Article 6 of our Privacy Policy. By using this Website, you agree that any of your personal data that is collected by this Website may be managed in this way.

• 2025-01-21 ~ (Privacy Policy v0.5.0)
• 2024-05-01 ~ 2025-01-21 (Privacy Policy v0.4)
• 2024-02-01 ~ 2024-05-01 (Privacy Policy v0.3)
• 2023-02-01 ~ 2024-02-01 (Privacy Policy v0.2)
• 2022-02-01 ~ 2023-02-01 (Privacy Policy v0.1)
• 2021-02-01 ~ 2022-02-01 (Privacy Policy v0.0)