Privacy Policy
Your data matters. We protect it.
In accordance with the Personal Information Protection Act, MEDLEE safely protects members' personal data and processes it transparently.
Effective: June 1, 2026 · Last updated: May 22, 2026
Table of Contents
Click an item below to jump to that section
MEDLEE (the “Company”) operates the MEDLEE service and, in accordance with Article 30 of the Personal Information Protection Act, establishes and discloses the following privacy policy to protect data subjects' personal information and to handle related grievances promptly and smoothly.
Purposes of Processing Personal Information
The Company processes personal information for the following purposes.
| Purpose | Details |
|---|---|
| Registration and management | Identity verification and authentication, maintaining and managing membership, preventing service misuse, and various notices. |
| Medical interpretation matching | Posting interpretation requests, interpreter applications and matching, schedule and location coordination, and 1:1 chat. |
| Identity verification | Hospitals: verifying business registration certificate and medical institution permit / Interpreters: verifying ID, visa, and qualifications. |
| Service improvement | Analyzing service usage statistics, improving user experience, and developing new services. |
| Grievance handling | Verifying the complainant's identity, confirming the complaint, notifications for fact-finding, and reporting results. |
Personal Information Collected
The Company collects only the minimum personal information necessary to provide the service.
A. Hospital (requesting organization) members
| Category | Items |
|---|---|
| Required | Organization name, contact person name, email address, password, contact number, organization type, business registration number. |
| Optional | Organization introduction, profile image. |
| Verification documents | Business registration certificate, medical institution permit (stored separately after verification). |
B. Interpreter members
| Category | Items |
|---|---|
| Required | Full name, email address, password, contact number, available interpretation languages, available regions. |
| Optional | Work history, copies of qualifications, self-introduction, profile image. |
| Verification documents | ID (resident registration card, alien registration card, or passport), residency status documents (stored separately after verification). |
C. Automatically collected items
During use of the service, IP address, cookies, access timestamps, service usage records, and device information (OS, browser type) may be automatically generated and collected.
Retention and Use Period of Personal Information
Once the purpose of collecting and using personal information has been achieved, the Company destroys the information without delay. However, where retention is required by applicable law, the information is kept for the periods below.
| Basis for retention | Retention period |
|---|---|
| Upon withdrawal | Destroyed within 30 days of the withdrawal date (grace period to prevent re-registration abuse). |
| E-Commerce Act | Records of contracts and withdrawal of subscription: 5 years / Records of payment and supply of goods: 5 years / Records of consumer complaints and dispute handling: 3 years. |
| Communications Privacy Act | Website log records: 3 months. |
| Medical-related | Identity verification documents: destroyed within 7 days of completion of verification (only the verification result is retained). |
Provision of Personal Information to Third Parties
As a rule, the Company does not provide data subjects' personal information to third parties. However, the following are exceptions:
- When the data subject has consented in advance
- When a matching is established, limited information is provided to the counterparty to fulfill the service (organization/interpreter name, contact number — disclosed only between the matching parties)
- When there is a special provision of law, or it is unavoidable to comply with a legal obligation
Protecting personal data in pre-matching chat
Before a matching is confirmed, personal contact details such as phone numbers and emails are automatically masked in 1:1 chat. Mutual contact details are disclosed only after a matching is confirmed.
Outsourcing of Personal Information Processing
To provide the service smoothly, the Company outsources personal information processing tasks as follows.
| Processor | Outsourced task |
|---|---|
| Supabase Inc. | Cloud infrastructure operation and database management. |
| Vercel Inc. | Web application hosting. |
In accordance with Article 26 of the Personal Information Protection Act, outsourcing contracts specify in writing matters such as the prohibition of processing personal information beyond the purpose of the outsourced work, technical and administrative safeguards, and the purpose and scope of the outsourced work.
Procedures and Methods for Destroying Personal Information
When personal information becomes unnecessary, such as upon expiry of the retention period or achievement of the processing purpose, the Company destroys it without delay.
| Category | Method |
|---|---|
| Electronic files | Deleted using technical methods that prevent the records from being recovered (low-level deletion or encryption followed by key disposal). |
| Paper documents | Destroyed by shredding or incineration. |
| Verification documents | Original files permanently deleted within 7 days of completing identity verification; only the verification result (pass/fail) is retained. |
Rights and Obligations of Data Subjects and How to Exercise Them
Data subjects may exercise the following rights against the Company at any time:
- Request to access personal information
- Request to correct errors, if any
- Request to delete
- Request to suspend processing
These rights may be exercised through Profile Settings within the service or by email (service@medlee.co.kr), and the Company will take action without delay.
Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
Administrative measures
Establishing and implementing an internal management plan, and minimizing and training staff who handle personal information.
Technical measures
Encryption of personal information (AES-256), operating access control systems, installing and updating security programs, and applying Row Level Security (RLS).
Physical measures
Physical access control of cloud infrastructure (compliance with processors' security policies).
Data Protection Officer
The Company designates a data protection officer as below, who has overall responsibility for personal information processing and for handling data subjects' complaints and providing remedies in relation to personal information processing.
Data Protection Officer
- Position: CEO
- Email: service@medlee.co.kr
If you need to report or consult on other personal information infringements, please contact the agencies below.
- Personal Information Infringement Report Center (KISA): privacy.kisa.or.kr / 118
- Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972
- Supreme Prosecutors' Office Cyber Investigation Division: 1301
- National Police Agency Cyber Bureau: 182
Matters Concerning Changes to This Privacy Policy
This privacy policy takes effect on June 1, 2026. Where there are additions, deletions, or amendments due to changes in laws, policies, or security technology, the Company will give notice through service announcements at least 7 days before the changes take effect.
This policy is provided in Korean and English versions. In the event of any discrepancy in interpretation between the Korean and English versions, the Korean version shall prevail.