1. Introduction
BONROI ("we", "us") operates a medical concierge platform, healwith, that helps international patients access medical care in the Republic of Korea. healwith is not a medical institution and does not provide diagnosis or treatment.
This Policy is primarily governed by the Korean Personal Information Protection Act (PIPA), the Medical Service Act, and the Act on Support for Overseas Expansion of Healthcare Systems and Attraction of International Patients. Where applicable, it also reflects the requirements of your country of residence (e.g., EU GDPR, Kazakhstan Law 94-V, Russian Federal Law 152-FZ, etc.). Jurisdiction-specific notices are provided in dedicated sections below.
We treat the personal information of all users with care, regardless of nationality or residence, and handle it in accordance with applicable laws.
2. Data Controller
Trade name: BONROI (service: healwith)
Entity type: Sole proprietorship
Representative: JUYOUNG KANG
Business Registration Number: 463-35-00902
International Patient Facilitator Registration Number: A-2026-01-02-06761 (valid 2026-03-11 ~ 2029-03-10, issued by the Mayor of Seoul)
Registered address: Room 613, 385 Gangseo-ro, Gangseo-gu, Seoul, Republic of Korea
Contact: +82-10-4772-1075 (international) · 070-7500-7795 (domestic)
Email: admin@healwith.co.kr
Business hours: Mon-Fri 09:00-18:00 KST (excluding Korean public holidays)
3. Personal Data We Collect
【Mandatory】
· Name, date of birth, gender, nationality, passport number (for visa and hospital registration)
· Contact details (email, phone, messenger ID)
· Residential address (stay-support purposes)
· Guardian/companion information (for minor or elderly patients)
【Sensitive Data — Separate Consent】
· Diagnosis, medical history, current symptoms, medications
· Medical certificates, test results, imaging (X-ray, CT, MRI, etc.)
· Health insurance and travel insurance information
· Disability status (for accessibility support)
【Automatically Collected】
· IP address, cookies, session logs, service usage records
· Device information (OS, browser, model), approximate geolocation (country-level; precise location only with consent)
【Payment-Related】
· Payment details are processed by a Payment Gateway. We do not store full card numbers.
4. Purposes of Collection and Use
a. Member identification and authentication
b. Hospital matching, appointment booking, visa and stay support
c. Provision of consent-based medical information to healthcare providers
d. Interpretation, transportation, and accommodation services
e. Payment processing and issuance of receipts or tax invoices
f. Customer support and dispute resolution
g. Service quality improvement, statistical analysis, security incident response
h. Compliance with legal obligations
5. Sensitive Data (PIPA §23 / GDPR Art. 9)
healwith processes "health-related information" which constitutes Sensitive Data under PIPA §23 and a Special Category of personal data under GDPR Article 9. Such data is collected and used only with your explicit, separate consent.
Sensitive data is used solely for hospital matching and appropriate care coordination, and is shared with healthcare providers only within the scope of your consent.
You have the right to withhold consent for processing of sensitive data; doing so may restrict your ability to use medical matching services.
6. Retention and Use Period
We delete personal data without delay once the purpose of collection has been fulfilled, except where required to be retained by law.
【Statutory Retention】
· Contract/withdrawal records: 5 years (Act on Consumer Protection in E-Commerce §6)
· Payment and supply records: 5 years
· Consumer complaints/dispute records: 3 years
· Login records: 3 months (Protection of Communications Secrets Act §15-2)
· Medical records held by hospitals: 10 years (Medical Service Act §22). Note: healwith does not retain copies of medical records; originals are maintained by the hospital.
【Service-Based Retention】
· Account information: until account closure (dormant accounts archived after 1 year)
· Sensitive health data: deleted immediately after concierge service completion, unless retained for up to 3 years at the user's explicit request
· Marketing consent data: until withdrawal
7. Disclosure to Third Parties
Based on your consent, we share personal data with the following third parties:
【Healthcare Providers】
· Recipients: Korean hospitals and clinics selected and consented to by you
· Purpose: Medical consultation, appointment, treatment planning
· Items: Name, date of birth, contact, passport number, diagnosis, symptoms, medical records
· Retention: Per each provider's legal obligations (typically 10 years)
【Visa Agencies】
· Recipients: Partner visa agencies (with consent)
· Items: Passport copy, invitation letter, travel schedule
· Purpose: Medical visa application (C-3-3, G-1)
【Insurance Companies】
· Recipients: Travel/international insurance partners (with consent)
· Purpose: Claims support
You may refuse third-party disclosure, subject to service limitations.
8. International Transfers (PIPA §28-8 / GDPR Art. 44-49)
By the nature of our service — helping overseas patients access Korean healthcare — we transfer personal data from your country of residence to the Republic of Korea. Certain operational data may also be transferred to other jurisdictions.
【Recipients & Jurisdictions】
· Korean partner hospitals (for medical purposes)
· Cloud infrastructure: Vercel Inc. (USA), Supabase Inc. (USA)
· Analytics: Google Ireland Ltd. (GA4, Ireland)
· Customer support tools: [To be confirmed]
【Purposes & Items】
· Hospitals: Same as Section 7
· Cloud/Analytics: Account information, logs, cookie identifiers
【Retention】 Per each recipient's policy and contractual terms.
【Your Rights】 You may refuse the transfer, but as transfers are essential to the service, refusal will prevent use of the service.
【Safeguards】
· EU→Korea transfers: Pursuant to the European Commission's adequacy decision for Korea of December 2021 (Decision 2022/254), such transfers may take place without separate SCCs, provided the data is processed in Korea under PIPC supervision.
· Other transfers: We secure the recipient's data protection obligations through Standard Contractual Clauses or equivalent contractual and technical safeguards (encryption, pseudonymization).
· Regarding Kazakhstan: Please refer to the localization obligation provisions in Section 15.
9. Data Processors (PIPA §26)
We entrust the following processors with personal data processing under contract:
· Supabase Inc. — Database hosting (USA)
· Vercel Inc. — Web application hosting (USA)
· Google LLC — Authentication (OAuth), analytics, maps (USA/Ireland)
· [Payment Gateway — TBC] — Payment processing
· [Email service — TBC] — Email delivery
· [AI Translation — TBC] — Translation (with user consent)
Contracts require processors to observe data protection obligations, the prohibition on use beyond stated purposes, and technical/organizational safeguards. We audit processors regularly.
10. Your Rights
You may exercise the following rights:
· Request the status of processing and suspension of processing (PIPA §35, §37)
· Access to your personal data (§35)
· Correction and deletion of your personal data (§36)
· Withdrawal of consent (§37)
· Right to object to automated decisions (§37-2)
· Right to claim compensation for damages (§39)
You may exercise these rights by contacting admin@healwith.co.kr or the Data Protection Officer (DPO) under Section 14 of this Policy. We respond within 10 days.
You may also file a report or apply for dispute mediation with the Personal Information Protection Commission of the Republic of Korea:
· Personal Information Protection Commission: 182 (no area code), www.privacy.go.kr
· Personal Information Dispute Mediation Committee: 1833-6972, www.kopico.go.kr
11. Children Under 14 (PIPA §22-2)
healwith may receive concierge requests involving minor patients (e.g., pediatric cancer). In such cases, we require verified consent from a legal guardian (parent/caretaker).
Legal guardians may at any time request access, correction, deletion, or suspension of processing of the minor's personal data. We respond without delay.
12. Security Measures
We implement the following safeguards:
· Administrative: DPO appointment, periodic training, least-privilege access
· Technical: Encryption (TLS 1.3 in transit, AES-256 at rest), intrusion prevention, security patch management
· Physical: Access control to data processing areas
· Incident response: Notification to authorities and data subjects within 72 hours of a breach
14. Data Protection Officer (DPO / CPO)
Name: JUYOUNG KANG
Title: Representative (concurrent — per Korean PIPA §31 and GDPR Art. 37)
Email: admin@healwith.co.kr
Phone: +82-10-4772-1075 (international) · 070-7500-7795 (domestic)
You may contact the DPO directly for any privacy-related inquiry, complaint, or remedy request. We respond within 10 business days.
15. Additional Notice for Residents of Kazakhstan
This section provides additional disclosures under the Republic of Kazakhstan Law on Personal Data and Its Protection (No. 94-V, 2013, as amended in 2015 and 2022) and related implementing regulations.
【Explicit Consent to Cross-Border Transfer (Article 16)】
Given the nature of this service in helping overseas patients access Korean healthcare, your personal data is transferred to the Republic of Korea. Article 16 of the Kazakhstan law permits cross-border transfer based on the data subject's explicit written consent. When applying to use the service, you explicitly consent to the following through this Policy's cross-border transfer provisions and a separate consent checkbox:
· Recipient country: Republic of Korea
· Recipients: Korean partner hospitals selected by you, and cloud service providers (Vercel Inc., Supabase Inc.)
· Items transferred: The collected items in Section 3 and the sensitive data in Section 5
· Purpose of transfer: Provision of medical concierge services
【Notice on Local Storage (Article 12)】
Article 12 of the Kazakhstan law requires the primary storage of Kazakhstani citizens' personal data within Kazakhstan's territory. The Company currently operates the service on the legal basis of the explicit consent mechanism under Article 16 above, and, as the service grows, will review the introduction of a local primary-storage structure through Kazakhstan-based cloud partners (such as QazCloud or Yandex Cloud Kazakhstan). Any material change will be promptly announced through an update to this Policy.
【Separate Consent for Sensitive (Medical) Data (Articles 8, 9)】
Under Kazakhstan law, sensitive data requires consent obtained in a manner verifiable in writing or by electronic signature (EDS, integrated with eGov). The Company records electronic checkbox-based consent together with a timestamp, IP address, and user identifier to secure evidentiary value equivalent to a written form. Oral consent is not collected.
【Official Languages】
This Policy is provided concurrently in Kazakh (the state language) and Russian (an official language). You may select your preferred language; in the event of any discrepancy in interpretation between translations, the Korean version shall govern for legal effect in the Republic of Korea.
【Supervisory Authorities】
· Committee on Information Security (Комитет по информационной безопасности, under the KNB)
· Ministry of Digital Development, Innovations and Aerospace Industry (Министерство цифрового развития, инноваций и аэрокосмической промышленности)
【Reports and Disputes】
You may contact us at the address in Section 19 of this Policy, or bring proceedings before the courts or supervisory authority of your place of residence.
15-2. Automated Decisions (PIPA §37-2)
The Company uses an AI-based matching algorithm to recommend suitable healthcare providers to you. This may constitute an "automated decision" under Article 37-2 of the Personal Information Protection Act.
【Automated Processing Items】
· Matching of medical departments based on symptoms and diagnosis
· Hospital ranking recommendations based on past treatment cases and language-support availability
· Automatic generation of packages suited to your stay period and budget
【Your Rights】
· Request an explanation of the outcome of an automated decision
· Refuse an automated decision and request review by a human
· Submit the above requests to admin@healwith.co.kr or the DPO contact in Section 14
Please always obtain the judgment of medical professionals for any final medical decision. AI recommendations are for reference only and do not constitute diagnosis or treatment.
16. Additional Notice for Residents of EU/EEA (GDPR)
Where GDPR applies, the following rights are guaranteed:
· Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and regarding automated decision-making (Art. 22).
· Special category data (health, Art. 9) is processed only based on explicit consent.
· International transfers (Art. 44-49) rely on Standard Contractual Clauses where applicable.
· You may lodge a complaint with your national DPA.
· EU Representative: [To be designated under Art. 27 if targeting EU market]
17. Additional Notice for Residents of Russia
Russian Federal Law 152-FZ requires initial collection of personal data of Russian citizens within Russian territory.
healwith is separately evaluating compliance with this requirement. By using the service, Russian residents acknowledge and explicitly consent to these terms.
Supervisory authority: Roskomnadzor (Роскомнадзор).
18. Changes to This Policy
Material changes will be notified via our service notice and email at least 7 days before they take effect (30 days for adverse changes).
Current version: 2.0.0 (Effective 2026-04-20).
19. Contact
Privacy and general inquiries: admin@healwith.co.kr
Address: Room 613, 385 Gangseo-ro, Gangseo-gu, Seoul, Republic of Korea
Phone: +82-10-4772-1075 (international) · 070-7500-7795 (domestic)
Business hours: Mon-Fri 09:00-18:00 KST