개인정보 보호정책 및 고지사항

Angels Creation Reproductive Center (ACRC Global) Privacy Policy

Last Updated: March 8, 2026
 

1. Introduction

Angels Creation Reproductive Center (“ACRC Global,” “we,” “us,” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal information when you engage our services—including, but not limited to, surrogacy arrangements, gamete donation, IVF concierge, gamete/embryo transportation, and local screening coordination (collectively, “Services”). By using our Services or visiting our website, you agree to the collection and use of information as described in this policy.

2. Scope & Applicability

• This policy applies to all personal data we collect, whether in electronic or paper form, from clients, prospective clients, donors, surrogates, embryos, partners, employees, contractors, and website visitors.

• If you are a resident of the European Economic Area (EEA), United Kingdom, Switzerland, California, or other jurisdiction with specific privacy laws, certain sections of this policy highlight rights and obligations under those laws (see Sections 11 and 16).

3. Information We Collect

To provide and improve our Services, we collect and process the following categories of information:

1. Personal Identifiers

• Full name, mailing address, email address (e.g., info@acrc-global.com), phone number, date of birth, gender, and government‐issued identification (e.g., driver’s license, passport).

1. Medical and Health Information (PHI/PII)

• Reproductive health data (e.g., obstetric history, fertility assessments), medical history (including surgeries, chronic conditions), genetic information (e.g., carrier screening results), laboratory reports, psychological evaluations, physician notes, and any other health‐related details necessary for surrogacy, donation, or IVF‐related care.

1. Financial and Payment Information

• Insurance information, billing address, bank account or credit card details, payment history, and any other data required to process fees for Services.

1. Legal and Contractual Documents

• Consents, contracts (e.g., surrogacy agreements, donor contracts), power of attorney documents, notarized affidavits, background check results, and any compliance‐related paperwork.

1. Usage Data and Technical Information

• IP address, browser type, operating system, device identifiers, referring/exit pages, and pages viewed (collected via cookies or similar tracking technologies) when you visit our website or access online portals.

1. Communications and Correspondence

• Emails, voicemail recordings (with your consent), text message logs, chat logs, and any form of communication you share with ACRC Global regarding your Services.

1. Location Data

• General location (e.g., city, state) when you schedule in‐person appointments or screenings.

 

Note on Mobile Information: Under no circumstances will ACRC Global share your mobile phone number or text‐messaging opt‐in data with third parties or affiliates for marketing or promotional purposes. Mobile information will not be shared with third parties/affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

 

4. How We Use Your Information

We use your information for these primary purposes:

1. Service Delivery & Coordination

• Coordinate surrogacy matching and screening.

• Manage donor recruitment, screening, and matching.

• Provide IVF concierge services (e.g., scheduling appointments, coordinating lab tests, medication management).

• Arrange safe, compliant transportation of gametes and embryos, including temperature control and chain‐of‐custody tracking.

• Coordinate local medical screenings (e.g., OB/GYN visits, blood tests, psychological evaluations) with affiliated clinics.

1. Legal & Compliance

• Draft, review, and execute necessary contracts, informed consents, and legal documents.

• Comply with health‐care and reproductive‐medicine regulations (e.g., HIPAA, FDA, state statutes).

• Respond to lawful requests from courts, government agencies, or law enforcement.

1. Communication & Customer Support

• Send appointment reminders, service updates, educational materials, and newsletters (only if you opt in).

• Address questions, concerns, or complaints via phone, email, or chat support.

1. Billing & Fraud Prevention

• Process payments, insurance claims, and refunds.

• Verify identity and payment information to detect and prevent fraudulent activity.

1. Internal Administration & Improvement

• Conduct quality‐assurance reviews, audits, and management reporting.

• Monitor performance metrics to improve processes and client experience.

• Conduct internal surveys or satisfaction assessments (voluntary).

1. Marketing & Promotional Communications (with your explicit consent)

• If you opt in, notify you about ACRC Global events, educational webinars, or new Services.

• You may withdraw marketing consent at any time by emailing info@acrc-global.com or using the “unsubscribe” link.

5. Legal Basis for Processing Your Data

Depending on your jurisdiction and the type of data, we rely on one or more of these legal bases:

• Performance of a Contract: To provide Services you’ve requested (e.g., surrogacy matching, donor screening).

• Consent: When you have given clear authorization for a specific purpose (e.g., marketing emails, optional genetic research). You may withdraw consent at any time.

• Legal Obligation: To comply with laws and regulations (e.g., HIPAA, state medical record retention statutes, FDA rules).

• Legitimate Interests: For internal business operations, risk management, fraud prevention, and service improvement—provided these do not override your privacy rights.

6. Sharing Your Information

We do not sell, rent, or trade your personal data. We share information only in the limited circumstances described below, and only the minimum necessary to accomplish the purpose:

1. Business Associates & Third‐Party Service Providers

• Medical Providers, Clinics & Laboratories
  • To facilitate required medical evaluations, genetic testing, and screening. Example: sharing PHI with a laboratory for carrier‐screening results, under a Business Associate Agreement (BAA).

• Transportation & Storage Vendors
  • To arrange safe shipment of gametes or embryos (e.g., temperature‐controlled couriers). All couriers must sign a BAA if they will receive PHI.

• IT & Hosting Providers
  • Secure data storage, encrypted file‐sharing, and system maintenance. These vendors must sign BAAs and implement administrative, physical, and technical safeguards as required by HIPAA.

• Billing & Payment Processors
  • Credit card networks, insurance payers, and banks that process payments and reimbursements.

1. 2 Legal & Compliance Partners

• Attorneys & Notaries
  • To draft, review, and execute contracts, informed consents, and power of attorney documents.

• Regulatory Authorities
  • To comply with subpoenas, court orders, or official investigations (e.g., FDA, state licensing boards, Department of Health).

1. 3 Business Transfers

• In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred to the acquiring entity. We will require that entity to adhere to this policy or notify you of any changes.

1. 4 Aggregate or De‐Identified Information

• We may share aggregated, de‐identified data for research, reporting, or marketing analyses. Once data is properly de‐identified (so that individuals cannot be re‐identified), HIPAA no longer applies.

 

Business Associate Agreements (BAAs):
Before any third party can access or handle PHI, we require a HIPAA‐compliant BAA. We conduct regular reviews of these agreements to ensure they include appropriate safeguards, breach notification obligations, and “minimum necessary” provisions.

 

7. HIPAA & Your Rights Under the Privacy Rule

Because ACRC Global maintains, transmits, or accesses Protected Health Information (PHI), we abide by the HIPAA Privacy, Security, and Breach Notification Rules.

7.1 Notice of Privacy Practices (NPP)

If you receive any medical or fertility‐related services from us, you will be provided a separate Notice of Privacy Practices (NPP) that describes, in clear language, how we use and disclose your PHI, as well as your specific HIPAA rights. This Privacy Policy supplements the NPP by covering broader business practices.

7.2 Patient Rights Under HIPAA

Under HIPAA, you have the following rights regarding your PHI:

1. 1 Right to Access & Obtain a Copy

• You may request in writing to inspect, review, or receive a paper or electronic copy of your PHI (with some limited exceptions). We must respond within 30 days (or a one‐time 30‐day extension).

1. 2 Right to Request Amendment

• If you believe your PHI is incorrect or incomplete, you may request an amendment. We will respond within 60 days.

1. 3 Right to an Accounting of Disclosures

• You may request a list of certain disclosures of your PHI made by ACRC Global over the past six (6) years (excluding disclosures for treatment, payment, or healthcare operations). We must provide this accounting within 60 days of your request (or a one‐time 30‐day extension).

1. 4 Right to Request Restrictions on Uses & Disclosures

• You may ask us to restrict how we use or disclose your PHI for treatment, payment, or operations. We must honor your request if:
  • The disclosure is to a health plan for purposes of payment or operations, and
  • You (or someone on your behalf) paid in full, out of pocket, for the item or service, and
  • The disclosure is not otherwise required by law.

1. 5 Right to Confidential Communications

• You may request that we communicate with you in a certain way or at a certain location (e.g., “Send all appointment reminders to my work email only”). We will accommodate reasonable requests.

1. 6 Right to Withdraw Authorization

• If you have provided authorization for specific uses or disclosures of PHI (e.g., research), you may revoke that authorization in writing at any time. Revocation does not affect disclosures made prior to the revocation.

1. 7 Right to Receive Paper Copy of NPP

• Even if you agree to receive the NPP electronically, you have the right to request and receive a paper copy at no cost.

To exercise any of these rights, contact our HIPAA Privacy Officer (see Section 10). We may require you to complete a written form and verify your identity prior to fulfilling the request.

8. HIPAA Minimum Necessary Standard

Whenever we use or disclose PHI (except for treatment purposes), we will limit such use or disclosure to the minimum necessary to accomplish the intended purpose. Examples:

• When sending genetic carrier screening results to a third‐party lab, we share only the relevant test results, not your full medical history.

• When billing insurance for IVF concierge services, we include only the codes and diagnosis information necessary for payment.

9. HIPAA Breach Notification Procedures

In the event that any unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by HIPAA, we will:

1. 1 Report & Investigate

• All workforce members must immediately inform the Privacy Officer of any suspected breach. We will conduct a risk assessment within 60 days of discovery to determine if a breach occurred and whether there is a significant risk of PHI compromise.

1. 2 Notification to Affected Individuals

• If a breach is confirmed, we will provide written notification to each affected individual no later than 60 days after discovery. The notice will include:
  • Brief description of what happened and date of breach discovery.
  • Types of PHI involved.
  • Steps individuals can take to protect themselves (e.g., request credit monitoring).
  • What ACRC Global is doing to investigate, mitigate, and prevent further breaches.
  • Contact information for questions or more information (HIPAA Privacy Officer’s email/phone).

1. 3 Notification to OCR

• If 500 or more individuals are affected, we will notify the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) immediately (no later than 60 days). For fewer than 500 individuals, we will maintain a log and submit notification to OCR no later than 60 days after the end of the calendar year.

1. 4 Media Notification

• If a breach affects more than 500 residents of a state or jurisdiction, we will notify prominent media outlets in that state without unreasonable delay (no later than 60 days after discovery).

1. 5 Documentation & Corrective Actions

• We will maintain documentation of all breaches and actions taken. Lessons learned from each breach will feed into our Risk Management Plan to prevent recurrence.

10. Data Security & Safeguards

ACRC Global implements reasonable administrative, technical, and physical safeguards to protect PHI and other personal data from unauthorized access, disclosure, alteration, or destruction.

10.1 Administrative Safeguards

• Security Officer & Risk Management
  • We have designated a HIPAA Security Officer who oversees the implementation of the Security Rule.
  • We conduct an annual risk analysis to identify vulnerabilities to the confidentiality, integrity, and availability of PHI. Risks are addressed through a Risk Management Plan, with mitigation strategies documented and updated.

• Workforce Training & Sanctions
  • All employees, contractors, volunteers, and interns who have access to PHI must sign confidentiality agreements and undergo HIPAA training upon hire and annually thereafter.
  • We maintain a sanctions policy: intentional misuse or unauthorized disclosure of PHI may result in disciplinary action, up to and including termination or contract termination.

• Policies & Procedures
  • We maintain written policies for incident response, data retention, data destruction, and access controls. All policies are reviewed at least annually or whenever significant operational changes occur.

10.2 Technical Safeguards

• Access Controls
  • Role-based access control ensures each user can access only the PHI necessary for their job function.
  • Unique user IDs and multi‐factor authentication are required for all systems that store or process PHI.

• Audit Controls & Monitoring
  • System logs capture access to ePHI, including date/time, user ID, and actions taken. Logs are reviewed regularly for suspicious activity.

• Encryption
  • PHI is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher). All mobile devices and removable media (e.g., laptops, USB drives) containing PHI are encrypted and password‐protected.

• Integrity Controls
  • We use checksums and digital signatures to detect unauthorized alteration of PHI.

• Transmission Security
  • Data transmitted over public networks is encrypted. Remote access requires a secure VPN connection.

10.3 Physical Safeguards

• Facility Access Controls
  • Access to areas where PHI is stored (on‐site servers or paper files) is restricted to authorized personnel via keycard, code, or security badge. Visitor logs are maintained.

• Workstations & Devices
  • Workstations processing PHI are located in secure areas, away from public view.
  • Employees must lock screens when away from their desks.

• Media Disposal & Re-Use
  • Before disposing of or re‐using devices (e.g., hard drives, tapes), we securely erase all PHI in accordance with NIST guidelines. Paper records containing PHI are shredded using cross‐cut shredders or incinerated.

11. Data Retention & Deletion

We retain personal data only as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations:

Data CategoryRetention PeriodReason

Medical Records (PHI)Minimum 10 years from the date of last serviceState medical record retention laws; clinical best practices

Billing & Financial Records7 yearsIRS and audit requirements

Legal & Contractual Documents10 years (or longer if required by law)Statute of limitations; contractual obligations

Website Usage Logs (anonymized)Indefinite (aggregated form)Analytics and service improvements

Marketing Consent RecordsUntil consent withdrawal or 3 years after collectionProof of opt‐in; regulatory compliance

PHI Audit Logs & Incident Records6 yearsHIPAA requires retention of audit logs and breach documentation for 6 years

After the applicable retention period expires, we will securely delete or de‐identify your personal data. If you request deletion of your personal data (where permitted by law), we will comply, except for data we must retain for legal, regulatory, or legitimate business reasons.

12. Cookies & Tracking Technologies

When you visit our website (e.g., www.acrc-global.com), we may use cookies, web beacons, pixel tags, and similar technologies to:

1. Enable Website Functionality

• Maintain user sessions, remember language preferences, and support secure login.

1. Analytics & Performance

• Collect aggregated, anonymous information about site usage (e.g., Google Analytics).

1. Marketing (with consent)

• If you opt in, track behavior across sites for targeted advertising or retargeting.

You can manage or block cookies through your browser settings. However, disabling certain cookies may impact site functionality.

13. International Data Transfers

If you reside outside the United States, please note that when you provide information to ACRC Global, we may transfer, store, or process it in the U.S. or other countries where our service providers operate. These countries may have privacy laws that differ from your jurisdiction. In such cases, we implement appropriate safeguards—such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)—to ensure your data remains protected in accordance with this policy and applicable laws (e.g., GDPR).

14. Children’s Privacy

Our Services, including the website and related platforms, are intended for adults (age 18 and older). We do not knowingly collect personal information from minors. If we discover that a minor’s personal data has been provided without verifiable parental consent, we will delete it promptly. If you believe that a minor has provided us with personal information, please contact our Privacy Officer immediately at info@acrc-global.com.

15. Your Privacy Rights & Choices

Depending on where you live, you may have the following rights regarding your personal data:

1. Right to Access

• Request a copy of the personal data we hold about you.

1. Right to Rectification

• Request correction of inaccurate or incomplete data.

1. Right to Deletion

• Request deletion of your data, subject to legal retention requirements (e.g., PHI retention).

1. Right to Restrict Processing

• Request that we limit how we process your data (e.g., if you contest its accuracy).

1. Right to Data Portability

• Obtain your data in a structured, machine‐readable format, or request that we transfer it to another data controller (where technically feasible).

1. Right to Object

• Object to processing based on legitimate interests (e.g., internal analytics) or direct marketing at any time.

1. Right to Withdraw Consent

• If we rely on your consent for certain processing (e.g., marketing emails, optional health research), you may withdraw consent at any time without affecting lawful processing prior to withdrawal.

To exercise any of these rights, please email us at info@acrc-global.com with the subject line “Privacy Rights Request.” We may require you to verify your identity before fulfilling your request. We will respond to your request within the time frames required by applicable law.

16. California Residents (CCPA/CPRA Rights)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal data we have collected, the sources, purposes, and categories of third parties with whom we share your data.

• Right to Delete: You may request deletion of your personal data, unless an exception applies (e.g., legal retention requirement).

• Right to Correct: You may request correction of inaccurate personal data.

• Right to Opt Out of Sale/Sharing: ACRC Global does not sell personal data; however, if that changes, you may opt out.

• Right to Limit Use & Disclosure of Sensitive Personal Information: You may request that we limit sharing of sensitive data (e.g., genetic information).

• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, email info@acrc-global.com with “CCPA Request” in the subject line. We will verify your identity in accordance with California law before processing your request.

17. European Residents (GDPR Rights)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) may apply:

• Lawful Basis: We rely on performance of a contract, compliance with a legal obligation, consent, and legitimate interests as lawful bases for processing.

• Rights Under GDPR:
  • Right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and objection.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with a supervisory authority if you believe processing violates GDPR.

To exercise your GDPR rights, email info@acrc-global.com with “GDPR Request” in the subject line. We will respond within one month (or, if complex, up to three months with notice).

18. Third‐Party Links & Services

Our website may contain links to third‐party websites, such as partner clinics, research institutions, or educational resources. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third party you visit. If a third party collects personal information via our website (for example, through an embedded payment form), they are responsible for their own privacy practices.

19. Employee & Contractor Obligations

All ACRC Global employees, contractors, volunteers, and interns who have access to PHI or personal data must:

• Sign a confidentiality agreement upon hire or contract.

• Complete HIPAA and data privacy training within 30 days of onboarding and annually thereafter.

• Report any suspected privacy or security incidents to the Privacy Officer immediately.

• Comply with disciplinary measures for intentional misuse or unauthorized disclosure of PHI, up to and including termination or contract termination.

20. Incident Response & Breach Drills

• We maintain an Incident Response Plan that outlines procedures for identifying, reporting, investigating, and mitigating security incidents.

• We conduct breach response drills (tabletop exercises) at least once per year to test our readiness.

• All incidents are logged, and lessons learned feed back into our Risk Management Plan.

21. Contact Information & Data Protection Officers

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact:

• General Privacy Inquiries: info@acrc-global.com

• For U.S. clients: U.S. Department of Health and Human Services, Office for Civil Rights (OCR).
• For EU/EEA clients: Your local Data Protection Authority.
• For California clients: California Privacy Protection Agency (CPPA).

22. Policy Updates & Revisions

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or regulatory requirements. When we make material changes, we will post the revised policy on our website with an updated “Last Updated” date. If changes are significant, we will notify you via email or a prominent notice on our homepage before the changes take effect.

Appendix A: Glossary of Key Terms

• PHI (Protected Health Information): Individually identifiable health information, including demographics, that relates to physical or mental health, healthcare provision, or payment for healthcare.

• PII (Personally Identifiable Information): Any information that can be used to identify an individual (e.g., name, address, email, phone).

• HIPAA (Health Insurance Portability and Accountability Act): U.S. federal law governing the privacy and security of PHI.

• NPP (Notice of Privacy Practices): A document that covered entities must provide to individuals, outlining how their PHI may be used or disclosed and describing their rights under HIPAA.

• CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act): California state laws granting residents specific rights over their personal data.

• GDPR (General Data Protection Regulation): European Union regulation governing data protection and privacy in the EEA, UK, and Switzerland.

• Minimum Necessary: HIPAA requirement to limit PHI disclosures to only what is needed to perform the intended task.

• Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA, which compromises the security or privacy of the information.

Appendix B: Data Retention Schedule (Illustrative)

Data Category Retention Period Legal/Business Basis

Medical Records (Surrogacy/Donor)Minimum 10 years from date of last service, State medical record laws; HIPAA best practices

Billing & Financial Records 7 years IRS and audit requirements

Legal & Contractual Documents 10 years (or longer if required)Statute of limitations; contractual obligations

Audit Logs & Security Incident Records6 yearsHIPAA Breach Notification Rule; HIPAA Security Rule

Website Usage Logs (anonymized)Indefinite (aggregated form)Analytics and service improvement

Marketing Consent Records Until consent withdrawal or 3 years after collection Proof of consent; regulatory compliance (e.g., CAN-SPAM, GDPR)

Acknowledgment
By engaging our Services or visiting our website, you acknowledge that you have read and understood this Privacy Policy and consent to our collection, use, and disclosure of your personal information as described herein. If you do not agree with this policy or any updates to it, please discontinue use of our Services and contact us at info@acrc-global.com for assistance.

Thank you for entrusting ACRC Global with your privacy and the sensitive information essential to your reproductive care.

 

SMS Disclosure & Opt-In Policy

Mobile Information Collection By providing your phone number and opting in to receive text messages from Angels Creation Reproductive Center (ACRC), you consent to receive programmed or one-on-one messages regarding your application status, appointments, and center updates.

Privacy of Mobile Data

• Non-Sharing Agreement: Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes.

• Opt-in Exclusion: All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

• Usage: Phone numbers collected for SMS purposes are used exclusively for communication between the applicant and ACRC Global Fertility Holding Group.

Opt-Out & Support

• You may opt out of text messaging at any time by replying STOP to any message you receive.

• For assistance, you may reply HELP or contact our support team directly.

• Message and data rates may apply.