Privacy Policy(MUAH Website)
2026.07.14

Privacy Policy

Article 1 [Purpose]

MUAH (the "Product") and NP Inc. (the "Company") protect and respect users' personal information and comply with applicable laws and regulations.

This Privacy Policy is intended to inform users of, and obtain their consent to, the collection, storage, and use of user data, including sensitive information (such as biometric data and emotional data) for the purpose of providing personalized XR wellness experiences while users use the app in a specific space. In particular, the Company processes sensitive information only with the user's separate consent in accordance with applicable laws and regulations.

This Privacy Policy explains how the Company processes personal information collected from users or provided by users to the Company. If a user does not agree to this Privacy Policy, use of the service may be restricted.

If the Company's service is used in a clinical setting, the user may receive a separate privacy notice from the relevant healthcare provider or clinical research sponsor, and such notice will apply to the relevant activities.

Article 2 [Categories of Information collected]

Due to the nature of wellness services provided in an XR-based environment, the Company provides personalized experiences based on users' biometric data and emotional states. Personal information that users may provide to MUAH includes the following:

  1. Personal Information
  • Profile information generated during service registration and use, (such as username, phone number, email address, address, ID, department, etc).
  • Information voluntarily provided by users through surveys, inquiries, feedback, etc.
  1. Sensitive Information

The Company may collect and process the following sensitive information:

  • Biometric data: biometric data analyzed through the camera (including heart rate, heart rate variability, blood pressure, stress index, and fatigue index)
  • Emotional data: emotional states selected directly by the user or analyzed based on biometric data (ex. calm, amused, happy, etc).
  • Gender and age entered by the user
  • Facial images and facial feature information for user authentication

The Company analyzes the user's face in real time for user authentication and does not separately store original facial video. However, in order to provide the facial recognition function, the Company may encrypt and retain the user's facial feature information (images and numerical values) extracted for the period necessary for user identification, and such information is processed as biometric identification data with the user's consent.
*The Company does not separately store facial video while analyzing biometric signals for emotion inference.

 

Biometric data collected through the camera is used for the following purposes:

  • User registration and login, and reservation confirmation
  • Provision of personalized wellness services through biometric data analysis

Such information is securely encrypted and processed in accordance with applicable laws and regulations, and may be stored on the server only to the minimum extent necessary to provide the service.
The biometric data, emotional data, and biometric identification data above constitute sensitive information that may identify the user's health status and identity, and the Company collects and processes such information with the user's separate consent in accordance with applicable laws and regulations.

  1. Service Usage Information
    The Company may automatically collect the following information in the course of service use:
  • Interaction data such as the time and frequency of use of content and functions executed on the VR headset
  • Technical information such as system logs and error records
  • User emotional data collected through the tablet
  1. Information Linked from Third-Party Services
    If a user links an account with an external service, the following information may be provided by that service:
  • User ID, email address, and department
  • User biometric data
  • Other information that the user has made public through the relevant service or has consented to provide

Article 3 [Purpose of Collection and Use of Personal Information]

The Company collects and uses users' personal information for the following purposes and uses it within the scope of such purposes at the time of collection.

  • Service provision and operation, business execution such as function improvement
  • Support for user invitations and service expansion
  • Communication with users, including notices, notification of changes to terms, security alerts, customer support, and management
  • Provision of personalized experiences reflecting users' preferences, usage patterns, biometric data, and emotional state
  • Response to users' inquiries, requests, and feedback
  • Provision of personalized wellness content and state analysis based on biometric data and emotional data analysis
  • User identity verification and authentication procedures (using biometric identification data)

The Company may use collected data for research and development purposes to improve service quality and develop new features. In such cases, the data will, in principle, be processed in a de-identified or anonymized form. If data in an identifiable form is used for research, it will be processed only with the user's separate consent.

Users have the right to refuse consent to the processing of personal information and sensitive information. However, if a user refuses consent to required items, use of the service may be restricted.

Article 4 [Data Ownership]

Rights to personal information and data provided by users belong to the users. The Company uses such data only within the scope necessary to provide and improve the service.

Except as permitted by applicable laws and regulations, the Company does not provide personal information to third parties or use it beyond the purposes of collection without the user's prior consent.

Article 5 [Retention of Personal Information]

In principle, the Company retains personal information to fulfill the purposes for which it was collected. General personal information collected for service operation and customer management is retained until the user terminates use of the service. If retention is required even after termination of use pursuant to applicable laws and regulations, the information will be retained for the period prescribed by such laws and regulations. This may include purposes such as satisfying legal accounting or reporting requirements, establishing or defending legal claims, and preventing fraud.

If laws and regulations such as the Act on the Consumer Protection in Electronic Commerce, the Framework Act on Electronic Documents and Transactions, and the Protection of Communications Secrets Act require the retention of information for a certain period, the Company retains personal information accordingly and does not use such information for any purpose other than those prescribed by the relevant laws and regulations.

  1. Act on the Consumer Protection in Electronic Commerce, etc.

: Records on contracts or withdrawal of subscription: retained for 5 years

: Records on payment and supply of goods, etc.: retained for 5 years

: Records on user complaints and dispute resolution: retained for 3 years

  1. Framework Act on Electronic Documents and Transactions

: Records on electronic document distribution through certified electronic addresses: retained for 10 years

  1. Framework Act on National Taxes

: Books and evidentiary documents concerning all transactions prescribed by tax laws: retained for 5 years

  1. Protection of Communications Secrets Act

: Login records: retained for 3 months

  1. Other

: Biometric data for emotion inference and user-recommended content generation in MUAH: retained for 3 years

Article 6 [Deletion of Personal Information]

When the purposes of collection and use of personal information have been achieved, or when a user withdraws from the service or the service is terminated, the Company destroys the relevant personal information without delay by a method that makes restoration impossible. However, personal information collected for service operation and customer management may be retained for up to three years from the date of collection. If retention is required for a certain period under applicable laws and regulations, the information will be retained for that period and then destroyed without delay.

Personal information in electronic file format is securely deleted using technical methods that make recovery and restoration impossible, and personal information in paper or other printed form is destroyed by shredding or incineration.

Users may request correction or deletion of their personal information at any time by email to muacs@npinc.co.kr. Upon receiving a user's request, the Company will verify the relevant personal information without delay, take necessary measures such as correction or deletion, and inform the user of the result. However, if other laws and regulations require the retention of such personal information, the Company will comply with those laws and regulations.

Article 7 [Provision and Sharing of Personal Information]

In principle, the Company does not provide users' personal information to external parties. However, the Company may provide or share users' personal information only in the following cases, within the scope specified in this Privacy Policy or the scope notified at the time of collection.

    • Professional advisors: If necessary in the course of providing professional services such as legal, accounting, or insurance services, personal information may be provided to attorneys, accountants, insurers, etc.
    • Provision upon legal request: If required under applicable laws and regulations, or if requested by investigative agencies or other law enforcement agencies, personal information may be provided in accordance with the procedures prescribed by law.
    • Business transfer: If all or part of the Company's business, assets, or equity is transferred through assignment, merger, acquisition, restructuring, or similar transaction, personal information may be transferred to the counterparty and relevant participants in such transaction.
    • User-disclosed information: Due to the nature of the service, users' profiles and content may be disclosed to other users. When the service is used in a multi-user environment, other users may access such information. However, the Company's liability may be limited with respect to any collection or use by a third party of information voluntarily disclosed by a user.
    • Provision of organizational administrator member functions: If a user uses the service through a company, institution, or organization, the Company may provide aggregated and de-identified statistical data at the organizational level to organizational administrator members, such as HR managers, in order to provide organizational operation and wellness management functions.

Article 8 [Outsourcing of Personal Information Processing]

The Company may outsource part of the processing of users' personal information to external professional service providers when necessary to provide the service.
When outsourcing personal information processing, the Company enters into an outsourcing agreement in accordance with applicable laws and regulations and prescribes, manages, and supervises the matters necessary to ensure that personal information is processed safely.
The Company provides personal information only to the extent necessary to perform the outsourced work, and the outsourced service provider may process personal information only within the scope of the relevant outsourced purpose.
When the purpose of outsourcing is achieved or the agreement is terminated, the outsourced service provider destroys the relevant personal information without delay. If there is any change in the status of outsourced service providers, the Company will provide notice through this Privacy Policy.

Article 9 [Management for Protection of Personal Information]

The Company implements technical and managerial safeguards in accordance with applicable laws and regulations to safely protect users' personal information. The Company also restricts access to personal information to the minimum necessary personnel.

1. Technical Safeguards

    • Operation of security systems and access controls to protect against hacking and other external intrusions
    • Encrypted storage of personal information and protection during transmission
    • Retention of access logs for personal information processing systems and prevention of forgery or alteration
    • Installation of security programs and regular inspection and updates

2. Managerial Safeguards

    • Establishment and implementation of an internal management plan for personal information protection
    • Granting minimum access rights to personnel who process personal information and conducting regular training
    • Appointment and operation of a personal information protection officer and designated personnel
    • Implementation of other managerial measures necessary to protect personal information

Article 10 [Use of Service by Minors]

The Company does not collect or use personal information of children under the age of 14, and accordingly children under the age of 14 are restricted from registering for and using the service. If the Company becomes aware that personal information of a child under the age of 14 has been collected, it will delete such information without delay.

Minors aged 14 or older and under 19 must use the service with the consent of their legal representative in accordance with applicable laws and regulations.

Article 11 [Changes to the Privacy Policy]

The Company reserves the right to revise this Privacy Policy at any time. If the Company makes a material change to this Privacy Policy, it will update the date and notify users by posting it on the site or through other appropriate means. When the Company changes this Privacy Policy, it will notify users through an in-app notice or email at least 7 days before the effective date (30 days before the effective date in the case of changes unfavorable to users). The amended Privacy Policy will take effect from the notified effective date. However, matters requiring separate consent will be processed only after obtaining individual consent. In all cases, if a user continues to use the service after 30 days have passed from the effective date of the amended Privacy Policy, the user may be deemed to have agreed to the changes. However, for matters requiring separate consent, the Company will obtain separate consent from the user.

Article 12 [Contact]

For inquiries regarding the Company's Privacy Policy, please contact us at the information below.

[Personal Information Processing and Protection Officer]

  • Officer: Changjun Park / cjpark@npinc.co.kr
  • Responsible Department: VUE Division

 

List