Personal Data Protection Policy and Implementation Status

Personal Data Protection Policy

UVB places great importance on customer privacy protection. In compliance with the "Personal Data Protection Act", the Company has established a "Privacy Protection Policy", and formulated "Personal Data Protection Management Guidelines" as well as "Personal Data File Security Maintenance Plan and Methods for Handling Personal Data After Business Termination".

The Company provides clear contact channels for privacy-related inquiries, enabling customers to exercise their rights to inquire, access, review, correct, suspend the collection or processing, and request the deletion of personal data, in accordance with applicable laws and regulations.

Through stringent personal data privacy and security management measures, University Eye Center has established a data governance framework, implementing access control mechanisms and data owner review processes to ensure that data access and sharing are properly governed and protected, and that data availability, integrity, and confidentiality are effectively safeguarded.

The scope of application covers the headquarters, operational sites, customers, and suppliers.

With respect to the collection, processing, use, and protection of personal data and privacy involved in its operations, the Company strictly complies with relevant government laws and regulations. Personal data is used solely within the scope permitted by applicable laws and will not be provided, leased, or otherwise disclosed to any third party in any disguised form.

In addition, the Company implements and enforces its Privacy Protection Policy to safeguard customer data security and privacy rights, and is committed to maintaining the confidentiality and protection of personal information.

UVB strictly adheres to customer contracts and confidentiality commitments. All customer-related information, documents, and data deemed to be trade secrets are uploaded to an internal system for strict control and management, only accessible online via login with a username and password.

Personal Data Protection Management Guidelines
Personal Data File Security Maintenance Plan and Methods for Handling Personal Data After Business Termination

Implementation Status of Personal Data Protection

Implementation Status from 2024 to 2025

  • In May 2024, the Company conducted an on-the-job Information Security Training program; a total of 292 employees participated in the training.
  • "Personal Data Protection Act" and "Information Security Awareness" courses were also included in the onboarding program for new employees. As of December 31, 2024, a total of 75 participants had completed the training.
  • In 2024, UVB did not receive any complaints regarding privacy violations.
  • The Company has formulated the Customer Service Handling Procedures to effectively manage customer inquiries and complaints. A customer service hotline and email have been set up on the Company's website to provide channels for consumer inquiries or complaints; all cases have been properly handled and archived. An 0800 toll-free hotline has been set up to enable us to respond to general public inquiries directly. We strictly comply with the Personal Data Protection Act to protect the rights of both parties.
  • In 2024, there were no significant impacts on the Company's finances or operations from reported incidents, nor were there any complaints from customers or regulatory authorities regarding violations of the Personal Data Protection Act, such as data breaches or the loss or theft of customer data.
  • In June 2025, the Company conducted an on-the-job Information Security Training program; a total of 320 employees participated in the training.
  • A designated management officer is appointed to be responsible for the planning, formulation, revision, and implementation of personal data security maintenance measures, as well as the handling of personal data after business termination. An annual budget of approximately NT$200,000 is allocated for implementation purposes.

ISO/IEC 27001 Information Security Management International Standard

  • In August 2023, the Company implemented the ISO/IEC 27001 Information Security Management international standard and obtained third-party certification. This strengthened the Company's capability to respond to information and communications security incidents, ensuring the confidentiality, integrity, availability, and legal compliance of corporate information assets, as well as the protection of customers' personal data.
  • In August 2025, the Company successfully completed the ISO/IEC 27001 certification upgrade. In accordance with the updated requirements, the Company conducted vulnerability and risk assessments for servers, networks, and applications; established a document encryption mechanism; and planned secure cloud services to reduce the risk of sensitive data leakage. The Company also performs regular external system vulnerability assessments, penetration testing, and network risk-scanning to ensure timely remediation and system security. Periodic disaster recovery drills are conducted to strengthen data backup mechanisms and incident response capabilities, thereby ensuring business continuity.
  • The current certificate is valid from August 22, 2025 to October 31, 2026.

Universal Vision Biotechnology Co., Ltd.
Privacy Protection Policy

Article 1 Purpose of This Privacy Policy

Universal Vision Biotechnology Co., Ltd. (hereinafter referred to as the "Company") places great importance on the protection of personal data and privacy rights. In accordance with the Personal Data Protection Act and other applicable laws and regulations, the Company hereby establishes this Privacy Protection Policy (the "Policy") to explain how personal data is collected, processed, used, and protected in the course of the Company's business operations.

This Policy applies to personal data involved in the Company's business activities, including but not limited to data relating to customers, employees, suppliers, business partners, job applicants, and other individuals who interact with the Company. The Company may revise this Policy from time to time in response to legal amendments or operational needs, and any updates will be announced on the Company's official website.

Article 2 Collection of Personal Data

The Company may lawfully collect or obtain your personal data under the following circumstances:

  1. When you voluntarily provide personal data to the Company, such as through membership registration, applications for products or services, online reservations, inquiries, or other communications.
  2. When personal data is obtained based on contractual, legal, or business relationships between you and the Company.
  3. When personal data is obtained from publicly available sources or lawful third parties in accordance with applicable laws.
  4. When necessary technical data is generated through your use of or access to the Company's websites, systems, or related services.

The Company collects personal data only within the scope necessary for specific purposes, in good faith, and provides the required disclosures to data subjects in accordance with applicable laws.

Article 3 Personal Data Established by the Company

Under certain circumstances, the Company may establish or retain personal data arising from interactions, transactions, or service records between you and the Company. Such data shall be used solely for the original purposes of collection or other purposes permitted by law, and shall be properly safeguarded and managed in accordance with the Company's internal management systems.

Article 4 Categories of Personal Data Processed by the Company

Within the scope necessary for business operations, the Company may process personal data including, but not limited to, the following categories:

  1. Identification data (such as name, contact information, and membership number).
  2. Transaction or service-related data (such as purchase records, reservations, and service history).
  3. Financial or payment-related information.
  4. Website usage and technical data.
  5. Other personal data collected in accordance with legal requirements or business needs.

The specific categories of personal data collected will depend on the nature of the relevant business activities.

Article 5 Sensitive Personal Data

As a general principle, the Company does not proactively collect or process sensitive personal data. Where the collection or processing of sensitive personal data is necessary due to legal requirements, public interest, the exercise of legal rights, or with the explicit consent of the data subject, the Company shall handle such data in accordance with applicable laws and implement appropriate protective measures.

Article 6 Purposes and Legal Basis for Processing Personal Data

The purposes for which the Company processes personal data include, but are not limited to, the following:

  1. Providing products or services and fulfilling contractual obligations.
  2. Membership or customer management, marketing, and customer service.
  3. Operational management, internal administration, and information security management.
  4. Compliance with laws and regulations, requests from competent authorities, or judicial investigations.
  5. Recruitment and human resources management.
  6. Risk management, dispute resolution, and the establishment, exercise, or defense of legal rights.

The Company processes personal data based on lawful grounds and in compliance with applicable laws and regulations.

Article 7 Parties with Whom the Company May Share Personal Data

Where permitted by law and necessary for business purposes, the Company may provide personal data to the following parties:

  1. Competent authorities that have investigative or supervisory authority under applicable laws.
  2. Service providers or business partners engaged by the Company as necessary for the provision of services.
  3. Third parties where disclosure is required for legal obligations, litigation, dispute resolution, or the assertion or protection of legal rights.

When entrusting third parties to process personal data, the Company shall exercise appropriate supervision in accordance with applicable laws to ensure the security of such data.

Article 8 Your Rights as a Data Subject

Pursuant to the Personal Data Protection Act, you may exercise the following rights with respect to your personal data:

  1. The right to inquire about or request access to your personal data.
  2. The right to request copies of your personal data.
  3. The right to request supplementation or correction of your personal data.
  4. The right to request the cessation of collection, processing, or use of your personal data.
  5. The right to request the deletion of your personal data.

You may submit your request through the contact channels provided by the Company. The Company shall process and respond to such requests within the statutory time limits.

Article 9 Use of Personal Data Beyond the Original Purpose

The Company will not use collected personal data for purposes beyond those specified in this Policy, unless otherwise permitted by applicable laws or with the separate consent of the data subject.

Article 10 Contact Information

If you have any questions regarding this Policy or matters related to personal data protection, or if you wish to exercise your rights, please contact the Company through the following channels:

  • Customer Service Hotline: 0800-747-474
  • Personal Data Protection Contact Email: privacy@eyecenter.com.tw
  • Or submit an inquiry via the "Contact Us" section on the Company's official website: https://www.uvb.com.tw/contact/

The Company will handle your requests appropriately in accordance with applicable laws and regulations.