
Privacy Policy
I.M.LAB, Inc. (the "Company") protects users' personal information in accordance with the Personal Information Protection Act (PIPA) and other applicable laws of the Republic of Korea. This Policy applies to your use of the Company's website (imlabworld.com), the CPR cloud web and mobile services, and the CPR station, class, and plus device applications (the "Services").
1. General Provisions and Scope
This Policy applies commonly to the Company's Services. The Services are provided primarily to organizations such as institutions, companies, and schools, and login accounts (administrator codes) are issued to administrators and instructors. Trainees who take part in practice sessions use the Services without a separate account and are data subjects. Where the Company processes the personal information of an institutional customer's employees or trainees at that customer's request, the Company does so only for that customer and within the scope of its purposes, and the institutional customer determines whether and to what extent such personal information is collected and used.
2. Items of Personal Information Collected and Methods of Collection
The Company collects the following information to the extent necessary to provide the Services. - Account information: administrator code, password, and contact details (such as name, email, and phone number) - Training information: a nickname entered by the user (including an employee number on enterprise training devices), CPR measurement and evaluation results, and, where optional, age group and gender - Automatically collected information: device information and app version, service usage and access records, cookies and similar technologies, and the approximate installation location of the device/kiosk (city or district level) - Inquiry information: name, contact number, and inquiry content submitted through the website The Company does not collect direct identifying information such as a name, and processes only minimal information such as a nickname and employee number. Of these, information with identifying potential, such as an employee number, is stored in encrypted form. Methods of collection: entry and automatic collection during use of the Services and devices, website inquiries, and provision by institutional customers.
3. Purposes of Collection and Use
The Company uses collected information for the following purposes. - Synchronizing and aggregating training results, providing dashboards and reports, and monitoring and remotely managing devices - Identifying and authenticating members and managing accounts and licenses - Providing training performance and completion status to institutional customers - Improving the Services, analyzing statistics, diagnosing errors, and responding to inquiries - Fulfilling obligations under applicable law
4. Retention and Use Period
The Company destroys personal information without delay once its purpose has been achieved. However, the following information is retained as set out below. - Account information: retained during the period of service use and of the contract, and destroyed upon termination of the contract or upon a destruction request by the institution or data subject - Training and result data: because providing access to and reporting of training history and statistics over the entire period is an essential function of the Services, retained while the Services are operated, and destroyed upon termination of the contract with the institution, where required by law, or upon a destruction request - Other information: where retention is required by applicable law (such as the Act on Consumer Protection in Electronic Commerce and the Protection of Communications Secrets Act), retained for the relevant period
5. Procedure and Method of Destruction
Personal information is destroyed once the retention period has elapsed or the purpose of processing has been achieved. Electronic files are deleted by methods that make recovery difficult, and printed materials are shredded or incinerated.
6. Provision of Personal Information to Third Parties
The Company does not provide personal information to any external party except with the consent of the data subject or where there is a legal basis. However, under agreements with institutional customers, the Company may provide training completion information (identifier, completion status and time, etc.) to the relevant institution or to an education management system designated by that institution, in which case it is limited to the scope for which the necessary consent is obtained or a legal basis exists.
7. Entrustment of Processing and Overseas Transfer
To provide the Services reliably, the Company entrusts personal information processing tasks to domestic and overseas providers as set out below, and some personal information is transferred overseas. Principal data such as training results is stored domestically (Seoul).
| Trustee (Transferee) | Entrusted / Transferred Task | Items Processed | Country of Storage/Processing |
|---|---|---|---|
| Supabase Inc. | Operation of database and storage (principal data such as training results) | Account and training information, etc. | Stored in the Republic of Korea (Seoul), accessible by the overseas provider |
| Google LLC (Firebase) | Management of device status and license information | Account and device information, etc. | United States |
| Vercel Inc. | Web and website hosting | Access records, etc. | United States |
| Resend, Inc. | Email delivery | Name, email, etc. | United States |
| Google LLC (Google Analytics), Microsoft Corporation (Clarity), Functional Software, Inc. (Sentry), Google LLC (Firebase Crashlytics) | Analysis of service usage statistics and behavioral information, and error diagnostics | Device information, service usage and access records, etc. | United States |
- Time and method of transfer: transferred from time to time over the information and communications network at the time the Services are used - Purpose of use and retention/use period: until the purpose of each task above is achieved or the entrustment agreement is terminated - The data subject may refuse some of the above entrustment/transfer (such as statistical and behavioral analysis and error diagnostics) through cookie and device settings. However, entrustment/transfer essential to providing the Services, such as data storage and hosting, is by its nature difficult to refuse individually, and refusal may restrict the use of all or part of the Services. - The specific details of entrustment and transfer will be announced through this Policy if changed.
8. Rights of Data Subjects and Legal Representatives and How to Exercise Them
Data subjects may at any time request access to, correction of, deletion of, or suspension of processing of their personal information, and may withdraw consent. Upon a request to the Personal Information Protection Officer in writing or by email, the Company handles it in accordance with applicable law. A trainee without an account may make requests through their affiliated institution or the Officer, and a legal representative may exercise the rights on behalf of a child under the age of 14.
9. Measures to Ensure Safety
The Company takes the following measures to the extent reasonable to protect personal information. - One-way encryption of authentication information such as passwords, and encrypted storage of information with identifying potential such as employee numbers - Encrypted communication during transmission - Minimization of access rights and management of access records, and minimization of handling staff
10. Cookies and Other Automatic Collection Devices and Behavioral Information
The Company may use cookies and similar technologies and analytics tools to provide and improve the Services. Users may refuse cookies in their web browser settings; in such cases, the use of some features may be restricted.
11. Public Rankings and Real-Time Status
Practice results from devices or services used by an unspecified number of people in public places may, together with an automatically generated nickname and after masking, be displayed on the public ranking and real-time status page (live.heartisense.com).
12. Personal Information of Children Under the Age of 14
The Company does not separately collect personal information that could identify an individual, such as a name, from children under the age of 14. Training kiosks installed in public places may be used by anyone, but practice results are based on minimal information such as a nickname, and age group and gender are optional items collected for statistical purposes.
13. Personal Information Protection Officer and Remedies for Infringement
Inquiries and complaints regarding personal information may be directed to the Personal Information Protection Officer. - Personal Information Protection Officer: Hyeongmook Lee (hmlee@imlabworld.com) If you need to report or consult about an infringement of personal information, you may contact organizations such as the Personal Information Infringement Report Center (privacy.kisa.or.kr, 118), the Personal Information Dispute Mediation Committee (www.kopico.go.kr, 1833-6972), and the National Police Agency Cyber Investigation Bureau (182).
14. Changes to This Policy and Notice
When this Policy is changed, the Company will give notice at least 7 days before the effective date (30 days in advance for material changes) through the service screen or by email. - Notice date: July 7, 2026 - Effective date: August 6, 2026