The company processes personal information for the following purposes. The personal information being processed is not used for any purpose other than the following, and if the purpose of use is changed, necessary measures will be implemented, such as obtaining separate consent under the Personal Information Protection Act.

•    Membership registration and management: Confirmation of the intention to join as a member, identification and certification of identity in accordance with the provision of membership services, maintenance and management of membership status, prevention of fraudulent use of services, various notices, grievance handling, etc.

•    Company service delivery: Service delivery, contract delivery, content delivery, custom service delivery, payment of usage fees, debt collection, etc.

•    Marketing and advertising delivery: Providing event guidance, customized advertising, and advertising for services.

•    Improve services and develop new services.

Processing of alias information for statistical preparation, preservation of public records, etc

① The company is processing the following personal information items:

•    Input directly by the member upon membership registration or after membership registration

◦                        Required: Email, Password, Name

◦                        Optional: Date of birth, Gender, Nickname, Profile picture, Hospital visit, Doctor

② The company is processing the following sensitive information items:

•    Collected when members sign up or when members directly input or agree to collect after membership registration

◦                        Optional: Height, Weight, Thyroid function test results, Thyroid dysfunction and hyperplasia survey results, Medication information being taken, Daily dose of a particular drug, Thyroid disease/treatment history, Family history of thyroid disease, History of comorbidities, Comorbidities family history, Face photography, Eyeball photography, Usual smoking, Smoking, Daily drinking, Daily iodine intake, Daily exercise hours, Daily work hours, Emotional status/unique notes, Heart rate, Steps, Sleep, Exercise information, etc.

•    Information collected through devices of third-party products connected to members' mobile phones (hereinafter referred to as "smart watches, etc.")

◦                        Optional: Heart rate, Sleep information

▪                                            ※ The company uses Google Health Connect for this purpose. The Company does not transfer or sell the information received from Health Connect to advertising platforms, data brokers, or other data resellers of the Member's user data, and its scope of use is limited by Health Connect's rights policy. View Google Health Connect Permissions Policy

▪                                            Heart rate and sleep data collected via Google Health Connect are securely stored in Amazon Web Service RDS, using AES-256 encryption for added security.

③ The following information may be automatically collected during the service use process:

•    Connection (login) time, Connected device OS, Connection device model, Device language, Unique connection device identifier for Glandy applications, Connection network information

④ The Company shall provide the necessary items among the above information for the handling of grievances of the members and separate items necessary for handling the complaint and (through Kakao channel) for inquiries, collect the KakaoTalk nickname set by the member.

⑤ The company wants to introduce participants in clinical trials using the Glandy application. Only by filling out a separate consent form, the personal information of the relevant participant is provided available from clinical testing agencies.

① The period of retention and use of personal information in accordance with laws and regulations, or personal information agreed upon when collecting personal information from the information main agent, process and hold personal information within the retention and use period.

② Upon the achievement of the purpose of collecting personal information or withdrawal from the membership, the company deletes it. However, despite withdrawal of membership or loss of user qualification, the following information is preserved for the following reasons:

•    A. Where an investigation or inquiry, etc. in accordance with the violation of relevant statutes is in progress, until the completion of the relevant investigation or inquiry.

•    B. If the bond/debt relationship remains due to the use of the website, until the settlement of the bond/debt relationship.

•    C. Where a company terminates a service use contract due to a violation of the terms of use, it shall not re-join for one year from the date of termination.

•    D. If a member participates in a clinical trial, preserve it for the period stated in the subject's manual and consent signed by the member.

③ Notwithstanding the preceding paragraph, the company shall preserve it until the end of the period if it falls under the following reasons:

•    A. Records on the details of contracts and transactions, such as implementation, under the Act on the Protection of Consumers in Electronic Commerce, etc.:

◦                        Supply record of contract or subscription withdrawal, payment, goods, etc.: 5 years

◦                        Records on handling consumer complaints or disputes: 3 years

•    B. Computer communication, Internet log data, and access tracking data under Article 41 of the Communications Secret Protection Act: 3 months

•    C. Ledger and documentary evidence of all transactions prescribed by the Tax Act: 5 years, the period of preservation under the Framework Act on National Taxes

•    D. (For clinical trial participants) Records of clinical trials and data:

◦                        Clinical trials for manufacturing permission, import permission, or permission to change it: 3 years from the date of authorization

◦                        Other clinical trials: 3 years from the date of completion of the clinical trial

The company only provides personal information of the data subject within the scope specified in Article 1 processing, obtaining consent from the information main agent, or under the Personal Data Protection Act or any other personal information to a third party only if there are special provisions of the law.

① The company entrusts the processing of personal information to Korea as follows for smooth personal information processing:

•    A. Amazon Web Services, INC.

◦                        Consignment work: Data storage, cloud server operation and management

•    B. MongoDB, INC.

◦                        Consignment work: Store data and send e-mails to provide convenience in managing inquiries on the website

•    C. Slack Technologies, LLC

◦                        Consignment work: Providing convenience in managing inquiries on the website, save data, email

•    D. Kakao INC.

◦                        Consignment work: Kakao message collection/transmission service

•    E. BizCon

◦                        Send mobile coupons to winners of the event

② For smooth personal information processing, the company entrusts the processing of personal information overseas as follows:

•    A. Google, INC.

◦                        Information management manager and contact information: googlekrsupport@google.com

◦                        Transfer Purpose: Implementing software features

◦                        Personal information transferred: Mobile device unique number, Mobile device model

◦                        Date and time of transfer: Transfer over the network at the time of service availability

◦                        Country to be transferred: United States

◦                        Personal information usage period: Consistent with the storage period stipulated in this personal information processing policy

③ If the contents of the entrusted work or the trustee changes, we will disclose it through this personal information processing policy without delay.

① The company destroys the personal information without delay when personal information becomes unnecessary, such as the lapse of the period of personal information retention and the achievement of the purpose of processing.

② If personal information must be preserved in accordance with the laws in Article 3 despite the expiration of the personal information retention period agreed by the data subject or the purpose of processing has been achieved, the personal information shall be moved to a separate database (DB) or stored in a different place.

③ The procedure and method of destroying personal information are as follows:

•    Destruction procedure: The company selects personal information that caused the reason for destruction and destroys personal information with the approval of the company's personal information protection manager.

•    Destruction method: The company destroys personal information recorded/stored in the form of an electronic file using a technical method so that the record cannot be reproduced, and shreds or incinerates the personal information recorded/stored in paper documents.

To improve service quality, the company uses Firebase Analytics, a service provided by Google, INC., to analyze users' activities within the service application. If you don't want Google to process your information, you can contact the Privacy Commissioner. Learn more about Google's information processing at https://firebase.google.com/docs/analytics.

The company may use personal information or provide it to a third party without the consent of the information main agent, taking into account each of the following criteria within the original purpose of collection and reasonable scope.

•    Whether it is related to the original purpose of collection: Determining whether the original purpose of collection and the purpose of additional use and provision are related in nature or trend.

•    Whether there is predictability of further use or provision of personal information in light of the circumstances or processing practices in which personal information is collected: The relationship between the personal data controller and the information main agent, the skill level and speed of development, and the general circumstances (practice) established over a considerable period of time.

•    Whether the interests of the information subject are unfairly infringed: Judgment in consideration of whether the interests of the information subject are actually infringed and whether the infringement of the interests is unfair in relation to the purpose of additional use.

•    Whether measures necessary for securing safety, such as alias processing or encryption, have been taken: Judgment in consideration of whether safety measures are taken in consideration of the possibility of infringement.

① The information subject may exercise the following rights related to personal information protection against the company at any time:

•    Request for personal information access information

•    Request correction in case of errors, etc.

•    Deletion request

•    Processing stop request

② The exercise of rights under paragraph 1 can be done by using the relevant menu provided by the service (personal information verification and change menu, withdrawal menu), or by writing, telephone, or e-mail to the company, and the company will take action without delay.

③ If the information subject requests correction or deletion of errors in personal information, etc., the company will not use or provide the personal information until correction or deletion is completed.

④ The exercise of rights under paragraph ① may be conducted through an agent, such as a legal representative of the information main agent or a person entrusted. In this case, you have to submit a power of attorney to the company.

⑤ The information subject shall not infringe on the personal information and privacy of the information subject or others handled by the company in violation of related laws such as the Personal Information Protection Act.

The company is taking the following measures to ensure the safety of personal information:

1. Technical measures: Personal information of the information main agent is protected by a password, and sensitive data is protected by separate security features, such as encrypting files and transmitted data or using file locking. The company installs vaccine programs and updates them periodically to prevent damage caused by computer viruses, and uses an intrusion prevention system for each server to prevent external intrusion such as hacking.

2. Management measures: We minimize personnel handling personal information, provide regular training on personal information protection obligations, and manage access rights.

① The company is in charge of handling personal information and designating a person in charge of personal information protection as follows to handle complaints and remedy damages of information subjects related to personal information processing.

•    Name: Yoonwon Tak

•    Position: CIO

•    Contact: +82-52-264-4154

•    Email: yoonwon.tak@thyroscope.com

② The information main agent can contact the person in charge of personal information protection and the department in charge of personal information protection, complaint handling, damage relief, etc. that occurred while using the company's service. The company will respond and handle inquiries from the information subject without delay.

This personal information processing policy can be revised according to changes in related laws and internal operation policies. In case of revision, the contents will be announced at least 7 days before the revision through the 'notice' of the service. However, if there is an important change in the rights of the information main agent in the collection and use of personal information, it will be notified at least 30 days in advance.

• This personal information processing policy will be applied from October 25, 2021.