Privacy policy

1. Purpose of personal information processing

CRScube processes personal information to the minimum extent necessary for the following purposes. The personal information processed by CRScube will not be used for any purpose other than the following purposes, and if the purpose of use changes, CRScube will take necessary measures such as obtaining additional consent. (Article 28 of the EU General Data Protection Regulation [GDPR] and §164.502 of HIPAA)

1. Creation and management of cubeSOLUTION user accounts

2. Storage of data entered into cubeSOLUTION

3. Generation of analytics for operation and maintenance of cubeSOLUTION

4. Provision of cubeSOLUTION

5. Customer support for cubeSOLUTION

6. Delivery of information via CRScube HOMEPAGE

*cubeSOLUTION collectively refers to every Web/Mobile-based application developed and provided by CRScube.

2. Personal information processed

1. CRScube processes the following personal information upon the consent of the data subjects, in accordance with Article 7 of the EU General Data Protection Regulation [GDPR].

2. The data entered into cubeSOLUTION is stored without being subjected to any processing procedures beyond storage and statistical analysis.

3. The items required for service provision are used to ensure more stable provision of the cubeSOLUTION service.

Use of cubeSOLUTION

Delivery of information via CRScube HOMEPAGE

3. Period of personal information processing and retention

1. CRScube processes and retains personal information within the period stipulated by relevant laws and regulations, or within the period agreed by the data subjects when CRScube collects the personal information.

2. Clinical trial data collected through cubeSOLUTION is retained for the duration of the clinical trial data retention period in accordance with relevant laws and regulations.

   • In cases where investigations or inquiries are ongoing due to violations of relevant laws and regulations, information may be provided to agencies in accordance with the law, and such information will be retained until the completion of the relevant investigation or inquiry, notwithstanding the standard retention period.

3. The period of personal information processing is as follows.

4. Destruction of personal information

1. CRScube will destroy the relevant personal information when it becomes unnecessary, such as when the period of personal information retention has expired or when the purpose of the processing has been achieved.

2. The procedure and method of destroying personal information are as follows:

   • Procedure of destruction: CRScube selects the personal information which falls under any reason for destruction and will destroy the personal information with the approval of the Personal Information Protection Officer.

   • Method of destruction: CRScube ensures that personal information recorded and stored in the database is destroyed in such a way that the records cannot be regenerated.

5. Entrustment of personal information processing

1. CRScube entrusts the processing of personal information to the following trustees in order to facilitate the handling of personal information.

1. CRScube, when entrusting tasks, specifies in writing the prohibition of processing personal information for purposes other than those of the entrustment, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the entrusted party, and liability for damages, to ensure the secure processing of personal information. (Articles 29 and 30 of the EU General Data Protection Regulation [GDPR])

2. ​If the details of the entrusted tasks or trustees change, CRScube will promptly disclose the changes through this Privacy Policy.

3. The task of personal information processing is partially delegated to foreign parties, the details of which can be found in Paragraph 6 ‘International transfer of personal information’.

6. International transfer of personal information

CRScube provides and delegates personal information collected from the user and through HOMEPAGE in accordance with relevant laws and regulations. CRScube may also process personal information of the data subjects on servers located outside the user’s country of residence.

AWS

1. Transferred personal information: Name, contact information (cell phone and telephone number, fax number, alternate email address), email address, ID, password, subject data stored via cubeSOLUTION, IP address, identifiers of browser and device, and operating system, the version of the currently used application, and information about the connected device, date of birth, and facial data

2. Nations to which the personal information is transferred: Republic of Korea, Japan, and United States

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: Amazon Web Service, Inc.

   • Contact: AWS data privacy policy

5. Purpose of the recipient’s use of the personal information: Personal information is stored when entered and used through cubeSOLUTION, and the stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to decline the collection of personal information. However, refusal to provide consent may result in limitations on the use of services.

Zendesk

1. Transferred personal information: Email address

2. Nations to which the personal information is transferred: Japan

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: Zendesk, Inc.

   • Contact: Zendesk data privacy policy

5. Purpose of the recipient’s use of the personal information: Personal information related to CRScube Help Center service is stored, and the stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to decline the collection of personal information. However, refusal to provide consent may result in limitations on the use of services.

Wix

1. Transferred personal information: Name, email address, phone number, company name, and job title (if entered) collected through HOMEPAGE

2. Nations to which the personal information is transferred: The United States, European Union, Israel

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: Wix.com , Inc.

   • Contact: Wix Privacy Policy 

5. Purpose of the recipient’s use of the personal information: Personal information is stored in order to provide information requested through HOMEPAGE, and the stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to decline the collection of personal information. However, refusal to provide consent may result in limitations on the use of services.

Hotjar

1. Transferred personal information: Anonymized homepage access and behavioral information (when collection is permitted)

2. Nations to which the personal information is transferred: European Union

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: Hotjar Ltd.

   • Contact: Hotjar Privacy Policy

5. Purpose of the recipient’s use of the personal information: Personal information is stored only when cookie collection is permitted on the homepage, and stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to refuse data collection. The homepage remains accessible even when consent is declined.

G2.com

1. Transferred personal information: Anonymized data generated based on visitor's IP address, browser information, and page access behavioral information (when collection is permitted)

2. Nations to which the personal information is transferred: United States

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: G2.com

   • Contact: G2.com Privacy Policy

5. Purpose of the recipient’s use of the personal information: Information is stored only when cookie collection is permitted for collecting and analyzing access and behavioral information on the HOMEPAGE, and stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to refuse collection. The HOMEPAGE can still be used even if consent is refused.

ZoomInfo

1. Transferred personal information: Visitor's corporate IP address and behavioral information (when collection is permitted)

2. Nations to which the personal information is transferred: United States

3. Date and time of transfer and method: Transmission via network at the time of service use

4. Recipient of the personal information

   • Recipient: zoominfo

   • Contact: zoominfo Privacy Policy

5. Purpose of the recipient’s use of the personal information: Information is stored only when cookie collection is permitted for collecting and analyzing access and behavioral information on the HOMEPAGE, and stored data will not be used without prior consent.

6. Period of retention and use of the personal information by the recipient: Same as what is specified in Paragraph 3 'Period of personal information processing and retention’.

7. Right to refuse consent and consequences associated with the refusal: Users have the right to refuse collection. The HOMEPAGE can still be used even if consent is refused.

7. Measures to ensure the security of personal information

CRScube takes the following measures to ensure the security of personal information, in accordance with Article 32 of the EU General Data Protection Regulation [GDPR]

• Administrative measures: Establishment and implementation of an internal management plan, regular training for employees, etc.

• Technical measures: Management of access authority for personal information management system, installation of an access control system, encryption of personal information, installation of security programs, etc.

• Physical measures: Not applicable (Cloud service in use)

8. Installation and operation of an automatic personal information collection system, and refusal options

1. CRScube uses "cookies" to store and retrieve usage information periodically to provide personalized services to users.

   • Purpose of using cookies: Cookies are used to provide optimized services to the user by identifying things such as the user's visit and usage patterns for each service and website, and whether secure access was used.

2. Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may also be stored on users' PCs or mobile devices.

3. Users can adjust their web browser settings to allow or block cookies. However, refusing to store cookies may lead to difficulties in using personalized services.

9. Rights, duties, and methods of exercising the rights of the data subject and their legal representatives

1. Data subjects have the right to exercise various rights regarding their personal information at CRScube, including access, correction, deletion, and suspension of processing and withdrawal at any time.

   • Request to access personal information: Data subjects may regularly check their personal information by logging into CRScube solutions.

   • Request to correct or delete personal information: Data subjects may send a request to help@crscube.io via their email address registered in CRScube solutions.

   • Request to suspend the processing of personal information: Data subjects may send a request to help@crscube.io via their email address registered in CRScube solutions.

2. The rights pursuant to Paragraph 9.1 can be exercised via email to CRScube, and CRScube will take necessary measures after verification.

3. The exercise of rights pursuant to Paragraph 9.1 can be carried out through a legal representative or an authorized delegate, provided that a valid power of attorney is submitted.

4. The right of the data subjects to request access to and suspension of processing of personal information may be restricted in the following cases:

   • When access is prohibited or restricted by law

   • When there is a risk of harm to another person's life or physical safety, or when there is a risk of unjustly infringing upon another person's property or other interests

5. When personal information is required to be retained under applicable laws and regulations, the deletion of such personal information cannot be requested.

10. Personal Information Protection Officer and handling of complaints

1. CRScube assumes overall responsibility for the processing of personal information and appoints a Personal Information Protection Officer to handle complaints, grievances, and other matters related to personal information processing, as outlined below.

   • Gidae Yeo, CTO

     • Email: help@crscube.io

     • Phone: +82-2-722-7275

2. A data subject may contact the personal information protection officer for any inquiries, handling of complaints, and remedies for damages related to personal information protection arising from the use of CRScube's services. CRScube will respond to and address the inquiries from subjects of information promptly.

11. Remedies for infringement of the rights of the data subject

1. Subjects of information may seek remedies for personal information infringements by applying for dispute resolution or consultation with organizations with relevant authorities.

2. CRScube is committed to protecting the rights of the subject of information to self-determination regarding personal information and strives to provide consultation and remedies for damages caused by personal information infringement. If you require assistance or consultation, please contact the Personal Information Protection Officer listed in Paragraph 10, 'Personal Information Protection Officer and handling of complaints'.

12. Additional efforts to protect personal information

1. CRScube endeavors to safely manage users' personal information, making additional efforts to enhance privacy protection beyond the security measures stipulated by laws and regulations.

2. CRScube has obtained ISO/IEC 27001 certification, an international standard for Information Security Management Systems, covering the entire scope of the cubeSOLUTION service.

3. Information related to GDPR can be found on the page below.

   • EU GDPR Chapter 5

13. Changes to the Privacy Policy

1. This privacy policy will take effect starting from November 10, 2025.

2. Previous versions of the privacy policy can be requested by contacting help@crscube.io.