Privacy Policy
| Organization Name | Document Name | Document Owner |
|---|---|---|
| AIRS Medical Inc. | Privacy Policy | Jonghyeng Park, CPO |
| Effective Date | Version | Document Approver |
| May 14, 2026 | 2.0 | Jangsoon Park, CEO |
NOTICE TO UK RESIDENTS
This section provides additional information for individuals located in the United Kingdom, in accordance with the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025.
DATA CONTROLLER
For processing activities related to the UK, the data controller is:
- AIRS Medical Europe GmbH
- Postal Address: Oskar-von-Miller-Ring 20, 80333 Munich, Germany
AIRS Medical Europe GmbH is a subsidiary of AIRS Medical Inc. and is responsible for determining the purposes and means of processing personal data of individuals in the UK.
For inquiries regarding personal data processing that fall outside the scope of UK operations, please refer to the global contact information provided in our Privacy Policy.
Legal Basis For Processing Personal Data
AIRS Medical collects and processes personal data for the following purposes and on the following legal bases.
(a) Employment
For processing the personal data of our employees, applicants, and contractors, we rely on:
- Performance of a Contract (UK GDPR Article 6(1)(b)): To manage the recruitment process, establish the employment relationship, administer payroll, and provide employee benefits.
- Legal Obligation (UK GDPR Article 6(1)(c)): To comply with applicable UK labour, health and safety, tax, and social security laws.
- Legitimate Interest (UK GDPR Article 6(1)(f)): To manage IT infrastructure, ensure network security, conduct performance evaluations, and maintain internal directories.
(b) Customer (e.g., Healthcare Institutions)
For processing the personal data of healthcare professionals and administrative staff at the healthcare institutions we serve, we rely on:
- Performance of a Contract (UK GDPR Article 6(1)(b)): To set up user accounts, deliver our software services, provide technical support, and manage billing and invoicing.
- Legitimate Interest (UK GDPR Article 6(1)(f)): To manage our client relationships, improve the user experience of our products, conduct security monitoring, and send service updates.
- Consent (UK GDPR Article 6(1)(a)): To send promotional materials or newsletters, where explicit consent is required under the Privacy and Electronic Communications Regulations 2003 (PECR).
(c) Business Partners / Vendors
For processing the personal data of our suppliers, consultants, and business partners, we rely on:
- Performance of a Contract (UK GDPR Article 6(1)(b)): To manage procurement, negotiate and execute agreements, and process payments.
- Legal Obligation (UK GDPR Article 6(1)(c)): To maintain accurate corporate accounting, audit, and tax records.
- Legitimate Interest (UK GDPR Article 6(1)(f)): To conduct due diligence, assess vendor performance, and manage our general business operations and communications.
(d) Health Data
Health data constitutes a special category of personal data under Article 9 of the UK GDPR. AIRS Medical processes health data in the course of the usage of our AI-powered solutions on the following legal bases, as applicable:
Where AIRS Medical acts as a Data Processor: In most cases, AIRS Medical processes patient data on behalf of healthcare institutions under a Data Processing Agreement. The healthcare institution, as the Data Controller, is responsible for establishing the appropriate legal basis for the initial collection and processing of patient data, which may include:
- Explicit consent of the data subject (UK GDPR Article 9(2)(a)); or
- Necessity for the provision of healthcare under UK GDPR Article 9(2)(h), read together with Schedule 1, Part 1, Paragraph 2 of the DPA 2018, where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the management of health systems and services.
Where AIRS Medical acts as a Data Controller (e.g., product improvement, algorithm training using anonymised or pseudonymised data), the applicable legal bases may include:
- Explicit consent of the data subject (UK GDPR Article 9(2)(a)); or
- Legitimate interest (UK GDPR Article 6(1)(f)) paired with scientific research purposes (UK GDPR Article 9(2)(j), read together with Schedule 1, Part 1, Paragraph 4 of the DPA 2018). This processing is subject to appropriate safeguards, including data minimisation and pseudonymisation.
Cross-border Transfers of Personal Data
As our business operates globally, your personal data may be transferred to, stored, and processed in countries outside the United Kingdom, including to our headquarters in the Republic of Korea, other subsidiaries of AIRS Medical, and our trusted third-party service providers.
When we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with the UK GDPR:
- UK Adequacy Regulations: We may transfer personal data to countries that the UK Secretary of State has determined provide an adequate level of protection for personal data. Transfers to the European Economic Area (EEA) are covered by UK adequacy regulations. Transfers to our headquarters in the Republic of Korea are based on the UK Secretary of State’s Adequacy Decision for the Republic of Korea as of December 2022.
- International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs: Where we transfer data to countries that are not covered by UK adequacy regulations, we rely on the UK International Data Transfer Agreement (IDTA) approved by the ICO, or the UK Addendum to the EU Standard Contractual Clauses, as appropriate.
- UK Extension to the EU-US Data Privacy Framework: For certain transfers to the United States, we may rely on service providers who are certified under the UK Extension to the EU-US Data Privacy Framework.
A Transfer Risk Assessment (“TRA”; the Data Protection Test under the Data (Use and Access) Act) is conducted for transfers relying on the IDTA or UK Addendum to ensure that the standard of protection for your personal data is not materially lower after transfer.
Health data processed through our products for UK customers is primarily processed and stored within the UK or EEA. Where strictly necessary for product development or technical support, health data may be transferred to our headquarters under strict technical measures, including pseudonymisation and encryption.
| Destination Country | Purposes | Legal Safeguard |
|---|---|---|
| Republic of Korea (HQ) | Group-internal administration, product development | UK Adequacy Regulations |
| Germany | Group-internal administration | UK Adequacy Regulations |
| Japan | Group-internal administration | UK Adequacy Regulations |
| United States | Group-internal administration, customer support, SaaS service providers (CRM tool) | IDTA or UK Addendum or UK Extension to EU-US DPF |
Retention Period
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable UK law. The following general retention periods apply:
- Employment data: For the duration of the employment relationship, and thereafter as required by applicable UK labour, tax, and social security laws.
- Customer and business partner data: For the duration of the contractual relationship, plus any applicable statutory limitation period under UK law.
- Health data processed as a Data Processor: In accordance with the retention schedule defined by the relevant healthcare institution (Data Controller). AIRS Medical does not independently determine retention periods for data processed on behalf of its customers.
- Health data processed as a Data Controller (e.g., for product improvement or research): Retained in pseudonymised or anonymised form only for as long as necessary to achieve the stated research or development purpose, subject to periodic review.
- Marketing and consent records: Until consent is withdrawn, or as otherwise required to demonstrate compliance.
When personal data is no longer required, it is securely deleted or anonymised in accordance with our internal data retention and disposal procedures.
Data Breach Notification
Where AIRS Medical acts as a Data Controller:
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify the affected data subjects without undue delay.
Where AIRS Medical acts as a Data Processor:
We will notify the relevant data controller without undue delay upon becoming aware of a personal data breach, providing sufficient information to enable the controller to fulfil its notification obligations under UK GDPR Articles 33 and 34.
In all cases, we document the facts of any personal data breach, its effects, and the remedial actions taken, in accordance with UK GDPR Article 33(5).
AI-Assisted Processing
1. How Our AI-Powered Products Work
AIRS Medical develops AI-powered software solutions designed to assist healthcare professionals in their clinical workflows, including medical image analysis and enhancement (e.g., MRI reconstruction) and generating patient-friendly reports. Our AI products function as clinical decision-support tools; they do not make autonomous diagnostic or treatment decisions.
Our AI systems process the following categories of health-related data:
- MRI scans provided by healthcare institutions
- Associated metadata: patient identifiers (as provided by the healthcare institution), imaging parameters, scan dates, and device information necessary for processing
Our AI algorithms analyse this data to generate enhanced or reconstructed images, annotations, or other outputs intended solely to support the clinical judgment of a qualified healthcare professional.
2. Human Oversight and the Role of Healthcare Professionals
AIRS Medical does not engage in solely automated decision-making as defined under Article 22 of the UK GDPR. All AI-generated outputs are designed to be reviewed and validated by a qualified healthcare professional before any clinical action is taken. This means:
- Clinical authority remains with the healthcare professional. The treating physician or radiologist retains full authority to accept, modify, or disregard any AI-generated output based on their independent clinical judgment and the patient's individual circumstances.
- AI outputs are recommendations, not decisions. Our products present findings or enhanced images as supplementary information. They do not issue diagnoses, prescribe treatments, or trigger clinical actions without human intervention.
- Healthcare professionals using our products are expected to exercise genuine clinical judgment. Healthcare professionals retain full clinical authority over all AI-generated outputs, including the ability to: (i) access the underlying source data alongside AI outputs; (ii) override, modify, or disregard any AI-generated result; (iii) consider additional clinical information not processed by the AI system; and (iv) discontinue use of the AI system entirely in any particular case.
Your Rights
In addition to the rights described in our Global Privacy Policy, you have the following rights under the UK GDPR:
(a) Rights in relation to AI-assisted processing (UK GDPR Article 22)
As described in the "AI-Assisted Processing" section above, our products do not engage in solely automated decision-making. Should you believe that a decision affecting you has been made without meaningful human involvement, you have the right to request human intervention, express your point of view, and contest the decision. Because clinical decisions are ultimately made by your healthcare provider (the Data Controller), requests regarding specific medical outcomes will be directed to the relevant healthcare institution.
(b) Right to make a data protection complaint
If you believe that we have infringed data protection legislation in the way we have handled your personal data, you have the right to lodge a complaint directly with us. You may submit your complaint to our Data Protection Officer (DPO) or our UK Representative using the contact details provided below. We will acknowledge your complaint within 30 days of receipt, investigate without undue delay, and inform you of the outcome.
(c) Right to lodge a complaint
If you are not satisfied with our response to your complaint, or at any time, you may lodge a complaint with the Information Commissioner's Office (ICO).
How To Exercise Your Rights
If you wish to exercise any of the above rights, or if you have questions about how our AI systems process your data, you may contact our Data Protection Officer using the contact details stated below.
If your data has been provided to AIRS Medical by a healthcare institution, we may direct your request to the relevant Data Controller, as they are responsible for managing your rights in respect of the data they have collected.
We will respond to your request without undue delay and in any event within one (1) month of receipt, in accordance with UK GDPR Article 12.
Data Protection Officer (DPO)
AIRS Medical has designated a Data Protection Officer (DPO) for the processing of personal data of individuals in the United Kingdom. Our DPO can be contacted directly:
- Attn: Data Protection Officer
- Email Address: [email protected]
- Postal Address: Oskar-von-Miller-Ring 20, 80333 Munich, Germany
Our Appointed UK Representative
In accordance with Article 27 of the UK GDPR, AIRS Medical has appointed the following representative in the United Kingdom:
If you have any data access requests, further questions, or wish to lodge a formal complaint regarding our data processing activities, please contact our UK-based representative below:
- Email Address: [email protected]
- Postal Address: 167-169 Great Portland Street, London, England, W1W 5PF
Supervisory Authority
The competent data protection authority for individuals in the United Kingdom is:
Information Commissioner's Office (ICO)
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
- Website: https://ico.org.uk
You have the right to lodge a complaint with the ICO if you believe that your personal data has been processed in a manner that does not comply with the UK GDPR.
| Date | Version | Description of Change(s) | Reason for Change(s) | Change(s) Made by |
|---|---|---|---|---|
| May 14, 2026 | 2.0 | Comprehensive update including UK GDPR-compliant sections | Specific obligations under UK GDPR and DPAA 2025 | Hyejun Yoon |
| November 13, 2024 | 1.0 | Initial Release | Enactment | Gyuyeon Jung |