Information Security Protection Policy

Universal Medical has formulated policies such as the Cybersecurity Management Measures and the Cybersecurity and Information Security Emergency Response Plan, which set forth information security and privacy protection requirements for all relevant business lines, subsidiaries, and suppliers. We are committed to continuously improving the information security management system, monitoring and responding to potential information security threats, and developing information security response plans to ensure the security and reliability of data and information, as well as effectively protect the integrity of the collected medical data. Additionally, we have updated cybersecurity management provisions into the employee handbook, making them one of the basic requirements for the management of all employees. To safeguard the rights to access, correct, and delete personal data, we have formulated and issued the Medical Data Security Management Measures and the Data Security Management Measures to further regulate the processing of personal information and the management of information security.

Emergency Response to Cybersecurity Incidents

The group has formulated the Genertec Universal Medical Group Limited Network and Information Security Emergency Plan specifically for emergency response to cybersecurity incidents. Each year, it participates in cybersecurity drills organized by the Ministry of Public Security, where it responds to external attacks and various information security incidents received during the drills and produces a Security Incident Report. The report requires the closure of each security incident by rectifying it within a specified time frame.

Customer Privacy Protection Policy

Universal Medical attaches great importance to privacy security, respecting and protecting the personal privacy rights of all users of its services, and treating all personal information with caution. The group has integrated its "Privacy Policy" into risk and compliance management, formulated privacy agreements, and standardized procedures for information collection, use, disclosure, storage and exchange, as well as information security assurance. For detailed information, please refer to our Privacy Agreement, which includes the methods of information collection, purposes of information use, disclosure, storage and exchange rules, among other contents.It explicitly states that customers have the right to decide how their personal data is collected, used, retained, and processed, including the option to opt out, require opt-in consent, request access to data held by the Group, request the transfer of customer data to other service providers, and update or delete data. Additionally, customers are clearly informed of the expected retention period for the information collected and used (personal information is retained only for the period necessary to achieve the purposes stated in this privacy policy and within the time limits required by laws and regulations). When disclosing customer information to third parties, prior consent from the customer is obtained, ensuring customers have full data access and control rights, and effectively preventing and addressing data security risks.