Privacy Policy (Global)

MaumJuui, Inc. (headquartered in Seoul, Korea) (hereinafter referred to as the "Company") processes the Personal Information of counselors and clients (collectively referred to as "Users") in adherence to global data protection standards, including principles related to Protected Health Information (PHI) and international regulations.
In accordance with these principles, the Company establishes and publicly discloses this Privacy Policy concerning the MaumJuui Service and its subsequent services (collectively referred to as the "Service") to protect the information of data subjects and ensure the prompt and smooth handling of related grievances.

1. Collection and Processing of Personal Information

A. Personal Information Collected

The Company collects the minimum necessary Personal Information during membership registration or service use for service provision:

| Category | Information Collected | Purpose and Scope |
| --- | --- | --- |
| Common Registration | Full Name, Date of Birth, Gender, Mobile Phone Number, Email Address, Affiliated Institution (if applicable) | User identification and core service provision. |
| Third-Party Accounts | Nickname, Profile Photo, Email Address (from Google, Naver, Kakao) | Simplified login and user identification. |
| Service Usage Data | Photos, Videos, Voice Information, Text Messages, Counseling Records (including notes), Log Data, IP Address, Device Info (ID, OS, Model), Location (City/Country at login), Device Time Zone, Service interaction data, Advertising IDs (ADID, IDFA). | Service function, quality improvement, troubleshooting, and personalized service. |
| PHI/Sensitive Data (Explicit Consent) | Information concerning ideology/beliefs, political opinions, health/diseases, medication use, sexual life, genetic information, criminal records (as provided by the User/Client). | To facilitate professional counseling and supervision services only with explicit, separate consent. |
| Financial/Tax Data | Account Information (Bank Name, Account Number, Depositor Name), Identification Number (for tax/payment compliance) | For institutional clients: Salary payment, tax withholding, and compliance with related labor laws. |
| Google Calendar Integration | Schedule Title, Time, Notes, Participant Information, Account Email Address (from linked Google Calendar). | Providing reservation and scheduling functionality. |

B. Recording and Surveillance Policy

The Company may record audio or video of counseling sessions only with the explicit consent of both the User and the Client.
The recorded information may be shared with supervisors or examiners strictly for supervision and qualification purposes, only when separate consent for such disclosure is obtained.

C. Method of Collection

Direct Input: Via direct input during web/mobile application registration and service use.
Third-Party Provision: Via linked accounts (Google, etc.), public profile information is provided after the User's explicit consent to the platform.
Automated Collection (OAuth, Cookies): Information is automatically generated and collected during service use for service improvement and operation.

2. Purposes of Processing Personal Information

The Company processes Personal Information for the following purposes:
Service Function & Scheduling (Zoom Integration): Synchronizing Google Calendar data for efficient reservation and schedule management, including the generation of meeting links for counseling sessions.
User Management & Safety: User identification, age verification, preventing fraudulent or unauthorized use, restricting users who violate terms, and ensuring a secure service environment.
Core Service Provision: Providing customized counseling connections, saving/searching counseling records, facilitating effective counseling management, processing payments, handling inquiries, and delivering notices.
Service Improvement & Analytics: Error analysis via log analysis, enhancing service features and performance, and providing customized services based on usage statistics.
Institutional HR Management (If applicable): Fulfilling legal obligations related to salary, tax, and labor laws for institutional members.

3. Sharing and Third-Party Data Provision

The Company does not, in principle, provide Users' Personal Information to third parties without prior consent, except in the following cases:
User's Prior Consent: Provision within the scope explicitly agreed upon by the User.
Legal/Regulatory Requirement: Provision required by law, court order, or governmental/investigatory request (e.g., mandatory reporting for child abuse or imminent harm to self/others).
Outsourcing for Service Provision (Data Processing Agreements): The Company commissions third-party service providers and provides only the minimum necessary information under strict Data Processing Agreements.

| Recipient | Outsourced Task | Data Protection Measures | Provided Information (Sample) |
| --- | --- | --- | --- |
| AWS / GCP / Naver Cloud | Data Storage, System Operation & Management | Secure system operation, encryption (as detailed in Section 8). | All collected usage data, logs, session content, counseling records (encrypted). |
| Google Calendar | Calendar Sync & Scheduling | Complies with Google's Security & Privacy standards. | Schedule Title, Time, Notes, Participants, Account Email. |
| Zoom Communications Inc. (API) | Meeting Generation and Connection Management | Complies with Zoom Developer Terms of Use. | User/Counselor Name, Email Address, Meeting Creation Metadata. |
| Payment Gateways | Payment Processing | PCI DSS Compliance, high-level security. | Name, Phone, Email, Credit Card/Financial Account Info. |

4. International Data Transfer and Data Protection Measures

The Company transfers Personal Information internationally to provide and operate the Service. All recipients are contractually obligated to protect User data in compliance with international data protection standards.

| Recipient (Contact) | Transfer Country | Transferred Personal Information | Purpose, Retention Period, Method |
| --- | --- | --- | --- |
| Amazon Web Services Inc. / Google Cloud Platform | United States | All information collected during service provision (including PHR/PHI) | Purpose: Data storage and system operation (including Zoom/Calendar data) / Period: Until purpose achievement / Method: Transferred frequently via secure network during service use. |
| Google Calendar | United States | Schedule Title, Time, Notes, Participant Info, Account Email | Purpose: Calendar sync and scheduling (Meeting creation data) / Period: Up to 5 years, then fully destroyed / Method: Transferred frequently via secure network during service use. |
| Zoom Communications Inc. (API) | United States | Meeting Creation Metadata (User/Counselor Name, Email Address) | Purpose: Meeting reservation and proxy creation of secure consultation links / Period: Until service purpose achieved / Method: Transferred frequently via secure network during reservation process. |

Data Protection Measures for International Transfers

The Company employs the following measures to protect data transferred internationally:
Encryption: Use of TLS 1.2 or higher for secure data transmission.
Access Control: Minimal necessary access is granted with strict authentication procedures.
Contractual Obligations: All subprocessors are required to meet security standards equivalent to the Company's own policy.

5. Retention, Use Period, and Destruction of Personal Information

Retention Period: Personal Information is retained for the period consented to by the User or the period mandated by applicable laws (e.g., commercial transaction records).
Destruction: Once the purpose of collection and use is achieved, the data is destroyed without delay.
Electronic Files: Deleted using a technical method that prevents recovery or regeneration.
Printed Material: Shredded or incinerated.
Dormant Accounts: Accounts with no service usage activity for one year will be separated and stored/managed separately (dormant status), with prior notice provided to the User 30 days before conversion.

6. Users' Rights and Methods of Exercise

Users may, at any time, view, correct, delete, or request suspension of processing of their Personal Information (excluding the Email address used as ID, if applicable) via the "My Information" section of the Service or by contacting the Data Protection Officer.
Withdrawal of Consent: Users may withdraw consent or request membership withdrawal via the "Withdrawal" function in the Service settings.
Limitation: These rights are acknowledged only for Personal Information within the Company's management and control scope.

7. Installation and Operation of Automatic Personal Information Collection Devices (Cookies)

The Company uses 'cookies' to automatically collect connection logs, device information, and other data necessary for service provision.
Purpose: To analyze user behavior for customized services and improve the service.
User Control: Users have the option to allow all cookies, confirm acceptance each time, or refuse storage entirely via browser settings.
Opt-Out of Personalized Advertising: Users can disable personalized advertising settings in their device OS.

8. Measures for Securing the Safety of Personal Information (Enhanced for Zoom/SSDLC)

The Company implements stringent security measures to prevent the loss, theft, leakage, alteration, or damage of Users' Personal Information and to ensure the secure integration with third-party services like Zoom and Google.

A. Technical Measures: Data and System Security

Encryption of Sensitive Data (PHI): All sensitive personal data, including Counseling Records and PHI, is protected by AES-256 encryption with secure key management for data at rest (stored data).
Encryption in Transit: All data transmission (including to Zoom/Google) is secured using Transport Layer Security (TLS 1.2 or higher).
Secure API and Integration:
Authentication: Integration with external services is secured using the OAuth 2.0 protocol, ensuring the Company does not store external passwords.
Validation: All data exchanged with third-party APIs undergoes strict Input/Output Validation to prevent data injection and ensure integrity.
Access Control Systems: Implementation of Role-Based Access Control (RBAC) and network firewalls to restrict unauthorized network access.

B. Administrative Measures: Process and Training

Access Privilege Management: Access to the Personal Information Processing System is strictly governed by the Principle of Least Privilege.
Authentication: Administrative accounts require Multi-Factor Authentication (MFA).
Security Training: Mandatory, regular (annual) security and privacy training is provided to all personnel, covering secure coding practices and PHI handling procedures.
Incident Response: Establishment and enforcement of a formal Security Incident Response Plan (SIRP) for rapid detection and containment of breaches.

C. Physical Measures

Server Room Access Control: Access to physical data storage locations is strictly controlled through multi-layered physical security measures (e.g., CCTV, biometric authentication, entry logs).
Secure Data Storage: Paper documents containing Personal Information are stored in locked cabinets or facilities and are destroyed using shredders or incineration.

9. Data Protection Officer (DPO)

The Company designates the following DPO to handle all personal information protection duties and related grievances:
Name: Sungwon Lee
Department: Data Protection Team
Contact: support@mindism.care

10. Other Provisions

Outbound Links: This policy does not apply to the processing of Personal Information by third-party websites or services accessed via links from the Service.
Changes to Policy: This policy may be revised. Any changes will be announced via the website, email, or push notifications at least seven days prior to implementation.
Enforcement Date: This Privacy Policy is effective from March 1, 2025.