Article 1. Definitions

The Operating Company defines the following information as personal information:

1. Data registered on external service accounts;
2. Data registered on service accounts (first and last names, company names, email addresses, postal addresses, telephone numbers and any other data registered by Users upon using the Services);
3. Log data (operating system and browser software data of communication terminals, data related to internet connections, referrers, error logs, IP addresses, URLs browsed and accessed on the Services and the timestamps of the dates and times of such browsing or access, action logs of any clicking, scrolling, input and any other actions performed on the Services, as well as any other server log data); and
4. Cookies and other identifiers (“Cookies, Etc.”).

Article 2. Purposes of Use

The Operating Company shall use personal information for the following purposes:

1. Providing the Services;
2. Providing information and handling inquiries related to the Services;
3. Responding to acts in breach of the applicable terms and policies;
4. Providing notice to Users concerning any changes in the applicable terms and any other important matters;
5. Promoting any businesses related to the Operating Company, including the Services;
6. Improving the Services and developing new services;
7. Preparing statistical data which does not include any personally identifiable data; and
8. Any other purposes incidental to any of the foregoing purposes of use.

Article 3. Acquisition Method

The Operating Company shall acquire Users’ personal information only to the extent input or operated by Users in using the Services and the services of enterprises entrusted by the Operating Company.

Article 4. Personal Information Control

The Operating Company shall endeavor to maintain the accuracy and integrity of personal information and keep it up to date within the scope of the purposes of use as set forth in Article 2, and shall take necessary and appropriate security measures aligned with the current state of the art and rectify the same as necessary in order to prevent any unauthorized access, divulgence, falsification, loss, impairment, etc.

The following are included within the security measures taken by the Operating Company:

1. Establishment of a basic policy

   In order to ensure the proper processing of personal information, the Operating Company has established this Privacy Policy, which shall serve as the basic policy on compliance with the relevant laws, regulations and guidelines, etc., and which sets forth the contact point, etc. for handling questions and complaints.

2. Security measures

   With respect to the organizational control of personal information, the Operating Company has strictly stipulated the method of processing personal information in its internal regulations, thereby ensuring that personal information is processed in accordance with such provisions.

3. Supervision of employees

   The Operating Company ensures, in accordance with its internal regulations, the strict application of its regulations on the processing of personal information.

4. Supervision of entrustees

   When entrusting the processing of personal information to a third party, the Operating Company shall, in accordance with its internal regulations, only entrust such processing to an entrustee which meets the relevant requirements, and shall exercise appropriate control upon such entrustee.

5. Measures to be taken upon the occurrence of divulgence

   In the event of any divulgence, etc. of personal information, the Operating Company shall submit a report to the Personal Information Protection Commission and provide notice to the data subjects in accordance with the applicable laws and regulations.

Article 5. Third-Party Provision

The Operating Company shall not provide Users’ personal information to any third party without the consent of the User; provided, however, that this shall not apply in cases in which the Operating Company:

1. entrusts such information to an enterprise which provides distribution services, for the purpose of distributing emails to Users;
2. entrusts such information to an enterprise which provides authentication and authorization services, for the purpose of conducting User authentication and authorization;
3. entrusts such information to a lawyer for the purpose of carrying out legal affairs;
4. entrusts such information to a tax accountant for the purpose of carrying out tax affairs;
5. receives an inquiry from a credit card company to conduct investigations into any unauthorized use of a User’s credit card; or
6. otherwise entrusts part of its duties to an enterprise for the purpose of performing the operations of the Services.

Article 6. Restrictions on Processing

The Operating Company shall not process personal information beyond the scope necessary for achieving the purposes of use without the consent of the User; provided, however, that this shall not apply in the following cases:

1. Where such processing is based on laws and regulations;
2. Where such processing is necessary for the protection of the life, body or property of an individual, and it is difficult to obtain the User’s consent;
3. Where such processing is particularly necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the relevant individual; or
4. Where it is necessary to cooperate with a national government organ, a local government, or a person entrusted thereby, in performing the affairs prescribed by laws and regulations.

Article 7. Disclosure

The Operating Company shall respond to requests from Users for the disclosure (which shall include records of cases in which personal data is provided to, or received from, third parties; the same shall apply hereinafter; a fee of 1,000 yen (excluding consumption tax) per request shall be charged for disclosure), correction, deletion, erasure, suspension of use, suspension of provision to third parties, etc. of such Users’ own personal information. To request the disclosure, correction, deletion, erasure, suspension of use, suspension of provision to third parties, etc. of personal information, please contact the “Point of Contact” set forth in Article 14; provided, however, that the Operating Company may decline to disclose all or part of such information in the following cases:

1. Where the disclosure is likely to violate laws and regulations;
2. Where the disclosure is likely to harm the life, body, property or other rights of the User or a third party; or
3. Where responding to the disclosure would cause significant hindrance to the Operating Company’s performance of its business.

Article 8. Warranty of Accuracy

Users shall warrant to the Operating Company that the contents of their personal information are accurate at all times, and Users shall bear all responsibility for any damage arising from inaccurate personal information.

Article 9. Correction

When a User requests the correction, addition, etc. of his/her personal information, the Operating Company shall confirm that the request has been made by the User him/herself, as well as the accuracy of the contents of the correction, and shall take appropriate measures.

Article 10. Cookies

The Operating Company may use cookies on the Services for the purpose of improving the convenience of the Services and keeping track of the usage status thereof. The information acquired and retained through cookies is as follows:

1. Users' session IDs

Article 11. Collection and Use of Log Data through Data Collection Modules

On the Services, the Operating Company collects and uses log data concerning Users’ usage status, etc. for the purpose of providing, maintaining and improving the Services and conducting security management. In addition, as described in the respective sections below, data collection modules are incorporated into the Services. Accordingly, Users’ information (log data and personal information) is provided to the respective providers of such data collection modules (including those located outside Japan).

Article 12. Privacy

The Operating Company shall not bear any responsibility with respect to the handling of personal information by third parties in the following cases:

1. Where a User has disclosed personal information to a third party by using the functions of the Services or by other means; or
2. Where a third party has disclosed a User’s personal information acquired through external means by using the functions of the Services.

Article 13. Storage Period (Handling after Deletion)

The Operating Company shall only store personal information for the period required for achieving the purposes of use. Even after a User has deleted his/her account, there may be cases in which the Operating Company stores such information for a certain period to the extent necessary to comply with the laws and regulations, handle claims, conduct payment and accounting procedures, prevent unauthorized use, take security measures, etc.

Article 14. Point of Contact

Please contact the Operating Company at the following point of contact for any inquiries regarding this Privacy Policy.

MIERUNE Inc. Personal Information Protection Representative

Contact Information: Inquiry form

Article 15. Amendment

The Operating Company may amend this Privacy Policy without obtaining the consent of Users, by providing appropriate prior notice thereof to Users.

Article 1. Categories of Personal Data Collected by the Operating Company

The Operating Company shall collect and process the following personal data in relation to the Services:

1. Data registered on service accounts (first and last names, company names, email addresses, postal addresses, telephone numbers and any other data registered by Users upon using the Services);
2. Log data (operating system and browser software data of communication terminals, data related to internet connections, referrers, error logs, IP addresses, URLs browsed and accessed on the Services and the timestamps of the dates and times of such browsing or access, action logs of any clicking, scrolling, input and any other actions performed on the Services, as well as any other server log data); and
3. Cookies and other identifiers.

Article 2. Personal Data Controller and Personal Data Protection Manager

Personal Data Controller:

MIERUNE Inc.

Address: 3rd Floor, F-60, 8-1-8 Odori Nishi, Chuo-ku, Sapporo, Hokkaido, Japan

Personal Data Protection Manager:

Address: 3rd Floor, F-60, 8-1-8 Odori Nishi, Chuo-ku, Sapporo, Hokkaido, Japan

Email address: privacy@mierune.co.jp

Article 3. Purposes of Use

The Operating Company shall use personal data for the following purposes, under the legal basis of Users’ consent, performance of contracts between the Operating Company and Users, fulfillment of legal obligations, or the legitimate interest of performing the Operating Company’s business. The Operating Company shall not make any decisions which may have any legal or similarly significant impact on Users based solely on automated processing, including profiling using personal data.

1. Providing the Services;
2. Providing information and handling inquiries related to the Services;
3. Responding to acts in breach of the applicable terms and policies;
4. Providing notice to Users concerning any changes in the applicable terms and any other important matters;
5. Promoting any businesses related to the Operating Company, including the Services;
6. Improving the Services and developing new services;
7. Preparing statistical data which does not include any personally identifiable data;
8. Conducting necessary processing to comply with legal obligations to which the Operating Company is subject; and
9. Any other purposes incidental to any of the foregoing purposes of use.

Article 4. Personal Data Acquisition Method

The Operating Company shall acquire Users’ personal data from the following sources:

1. Users themselves;
2. Enterprises entrusted by the Operating Company;
3. Google Analytics, a service provided by Google LLC;
4. Wicle, a service provided by PLAID, Inc.;
5. Sentry, a service provided by Functional Software, Inc.; and
6. Stripe, a service provided by Stripe, LLC.

Article 5. Third-Party Provision

The Operating Company shall not provide Users’ personal data to any third party, excluding cases in which the Operating Company:

1. entrusts such data to an enterprise with a data collection module, for the purpose of improving the convenience of the Services, keeping track of the usage status thereof, and conducting operational management thereof;
2. entrusts such data to an enterprise which provides payment services, for the purpose of conducting payment processing associated with Users’ online purchase of paid subscriptions;
3. entrusts such data to an enterprise which provides distribution services, for the purpose of distributing emails to Users;
4. entrusts such data to an enterprise which provides authentication services, for the purpose of conducting User authentication;
5. entrusts such data to a lawyer for the purpose of carrying out legal affairs;
6. entrusts such data to a tax accountant for the purpose of carrying out tax affairs;
7. receives an inquiry from a credit card company to conduct investigations into any unauthorized use of a User’s credit card; or
8. otherwise entrusts part of its duties to an enterprise in order to achieve the purposes of use as set forth in Article 3.

Article 6. Transfer of Personal Data to Enterprises in Third Countries

There may be cases in which the Operating Company transfers Users’ personal data to a third country (such as Japan) other than Users’ country of habitual residence (or outside the EEA for any Users residing within the EEA) in order to achieve the purposes of use as set forth in Article 3 (each such transfer, an “Extraterritorial Transfer”). When conducting an Extraterritorial Transfer of Users’ personal data to a third country, the Operating Company shall transfer the same upon having implemented the safeguards required under the applicable laws and regulations. For example, if a User resides within the EEA, such User’s personal data shall, as a general rule, be transferred upon having executed a set of standard data protection clauses with the receiving party, which shall serve as an appropriate safeguard, in accordance with the GDPR and other applicable laws and regulations of EU/EEA member states, unless the European Commission has decided that the third country ensures an adequate level of data protection. For further information, please contact the Operating Company via the inquiry form provided in Article 13.

Article 7. Storage Period

The Operating Company shall only store personal data for the period required for achieving the purposes of use as set forth in Article 3.

The period for storing the personal data is determined based on: (i) whether the Operating Company has a continuous relationship with the relevant User; (ii) whether the Operating Company is subject to the obligation to archive such personal data under the applicable laws and regulations; and (iii) whether there is a contract which must be performed between the Operating Company and the relevant User.

Even after a User has deleted his/her account, there may be cases in which the Operating Company continues to store such User’s personal data to the extent necessary to comply with the laws and regulations, handle claims, conduct payment and accounting procedures, and to perform analysis in order to prevent unauthorized use and take security measures, etc.

Article 8. Personal Data Control

The Operating Company shall maintain the accuracy and integrity of personal data and keep it up to date within the scope of the purposes of use as set forth in Article 3, and shall take necessary and appropriate security measures aligned with the current state of the art and rectify the same as necessary in order to prevent any unauthorized access, divulgence, falsification, loss or impairment (collectively, “Divulgence, Etc.”).

The following are included within the security measures taken by the Operating Company:

1. Establishment of a basic policy In order to ensure the proper processing of personal data, the Operating Company has established this Global Privacy Policy, which shall serve as the basic policy on compliance with the relevant laws, regulations and guidelines, etc., and which sets forth the contact point, etc. for handling questions and complaints.

2. Security measures With respect to the organizational control of personal data, the Operating Company has strictly stipulated the method of processing personal data in its internal regulations, thereby ensuring that personal data is processed in accordance with such provisions.

3. Supervision of employees

   • The Operating Company ensures that personal data is processed strictly in accordance with its internal regulations.

4. Supervision of entrustees When entrusting the processing of personal data to a third party, the Operating Company shall only entrust such processing to an entrustee which meets the requirements under the applicable laws and regulations, such as through supervision and/or the execution of a contract, and shall exercise appropriate control upon such entrustee.

5. Measures to be taken upon the occurrence of Divulgence, Etc. In the event of any Divulgence, Etc. of personal data, the Operating Company shall submit a report to the relevant supervisory authorities and provide notice to the data subjects in accordance with the applicable laws and regulations.

Article 9. Users’ Personal Data Rights

Under the applicable laws and regulations, Users may have the following rights with respect to their personal data; provided, however, that if any derogations of rights are established under the applicable laws and regulations, the User’s exercise of such rights may be restricted. Please contact the Operating Company via the inquiry form provided in Article 13 to exercise any of these rights.

1. The right to request access to their personal data (including copies thereof);
2. The right to request rectification of their personal data;
3. The right to request erasure of their personal data (right to be forgotten);
4. The right to request restriction (or suspension) of processing of their personal data; and/or
5. The right to receive their personal data in a structured and machine-readable format (right to data portability).

Article 10. Right to Object to Personal Data Processing

In accordance with the applicable laws and regulations, Users may have the right to object to the processing of their personal data at any time. If a User’s personal data is processed for the purpose of direct marketing, such User may have the absolute right to refuse such direct marketing under the applicable laws and regulations. Please contact the Operating Company via the inquiry form provided in Article 13 to exercise this right.

Article 11. Right to Withdraw Consent

Under the applicable laws and regulations, Users may have the right to withdraw their consent regarding the processing of their personal data at any time. A User’s withdrawal of consent shall not affect the lawfulness of the processing of such User’s personal data which was conducted based on consent before its withdrawal. Please contact the Operating Company via the inquiry form provided in Article 13 to exercise this right.

Article 12. Right to Lodge a Complaint with a Supervisory Authority

Users may have the right to lodge a complaint with a supervisory authority in the country of their habitual residence with respect to the Operating Company’s processing of their personal data under the applicable laws and regulations. Users should inquire with the respective supervisory authorities for further information on the applicable procedures.

Article 13. Point of Contact

Please contact the Operating Company at the following point of contact for any inquiries regarding this Global Privacy Policy.

MIERUNE Inc. Personal Data Protection Representative

Point of contact: Inquiry form (Japanese page only)

Article 1. Definitions

The terms used in these Supplementary Provisions shall have the meanings provided thereto under the Global Privacy Policy and as defined under the CCPA. For the purpose of these Supplementary Provisions, the following terms shall have the following meanings in particular:

1. “Sell,” “selling,” “sale” or “sold” means a business selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating, Users’ personal information to a third party (the term “Third Party” as used in these Supplementary Provisions means any person/entity other than the Operating Company, excluding businesses such as the Operating Company’s entrustees) for monetary or other valuable consideration;
2. “Share,” “shared,” or “sharing” means a business sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating, Users’ personal information to a third party for cross-context behavioral advertising.

Article 2. Notice upon Collection

The Operating Company has collected the following categories of personal information about Users from the sources set forth in Article 4 of the Global Privacy Policy during the past twelve (12) months, and shall continue to collect such categories of personal information in the future. The Operating Company shall use the collected personal information for the purposes set forth in Article 3 of the Global Privacy Policy, and shall store the same for the period set forth in Article 7 of the Global Privacy Policy. During the past twelve (12) months, the Operating Company has disclosed Users’ personal information to entrustees for the business purposes set forth in Article 5 of the Global Privacy Policy, and plans to disclose the same to entrustees for business purposes in the future as well; provided, however, that the Operating Company has not sold or shared any personal information collected from Users to date, and shall not sell or share the same in the future.

Article 3. Rights under CCPA

Under the CCPA, individual rights are granted to each User in relation to their personal information. Users’ rights under the CCPA and how to exercise such rights are as described below.

1. Right to request disclosure Users shall have the right to request that the Operating Company disclose certain information to them related to the collection, sharing, disclosure, or use of their personal information. Upon having received and confirmed any request from a User, through which the relevant individual may be identified, the Operating Company shall disclose all or part of the following information to such User:

   • The categories of personal information that the Operating Company collected about the User;
   • The categories of sources from which the Operating Company collected personal information about the User;
   • The Operating Company’s business or commercial purpose for collecting, selling, or sharing personal information;
   • The categories of third parties with whom the Operating Company shares personal information;
   • The categories of personal information that the Operating Company sold and the categories of third parties to whom each category of personal information was sold;
   • The categories of personal information that the Operating Company disclosed for a business purpose and the categories of third parties to whom each category of personal information was disclosed; and/or
   • The individual personal information items that the Operating Company collected about the User.

2. Right to request deletion Users shall have the right to request that the Operating Company delete any personal information about them which the Operating Company has collected and maintains, except where certain exceptions apply. Upon having received and confirmed any request from a User, through which the relevant individual may be identified, the Operating Company shall delete (and request its entrustees, etc. to delete) such User’s personal information from its records, unless any exceptions apply. The Operating Company may deny a User’s request for deletion if it is necessary for the Operating Company or its entrustees, etc. to maintain such information in order to:

   • complete the transaction for which the Operating Company has collected the personal information, fulfill the terms of a written warranty or product recall conducted in accordance with U.S. federal law, provide a good or service requested by the User, take certain measures as reasonably anticipated within the context of the Operating Company’s ongoing business relationship with the User, or otherwise perform a contract between the Operating Company and the User;
   • help to ensure security and integrity to the extent the use of the User’s personal information is reasonably necessary and proportionate for those purposes;
   • debug the product to identify and repair errors that impair existing intended functionality;
   • exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
   • comply with the California Electronic Communications Privacy Act (commencing with Section 1546 of the California Penal Code);
   • engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the User has provided prior informed consent;
   • enable solely internal uses that are reasonably aligned with the expectations of the User based on their relationship with the Operating Company and that are compatible with the context in which the User provided the information; and/or
   • comply with a legal obligation.

3. Right to request correction Users shall have the right to request that the Operating Company correct any inaccurate personal information about them which the Operating Company has collected and maintains. Upon having received and confirmed any request from a User, through which the relevant individual may be identified, the Operating Company shall correct (and request its entrustees, etc. to correct) such inaccurate personal information about such User from within its records. The Operating Company may deny a User’s request for correction if it has decided, by evaluating the situation in a holistic manner, that it is more likely that the personal information subject to such request is actually accurate.

4. Use of sensitive personal information Sensitive personal information which the Operating Company collects (login data of Users’ accounts in combination with credentials such as passwords) is only used or disclosed within the scope of the permissible purposes, such as identity verification and ensuring security. Therefore, the Operating Company does not provide any dedicated link that enables Users to limit the use or disclosure of sensitive personal information.

Article 4. Right to Opt-out of Sale or Sharing of Personal Information

The Operating Company has not sold or shared Users’ personal information within the past twelve (12) months, and does not plan to sell or share such information in the future. The Services are only targeted for Users who are at least sixteen (16) years of age, and therefore the Operating Company does not plan to sell or share any personal information of any persons regarding whom it has actual knowledge that they are less than sixteen (16) years of age.

Article 5. Right Not to be Discriminated Against

The Operating Company shall not discriminate against a User because such User exercised any of their rights under the CCPA. In addition, the Operating Company shall not engage in any of the following acts due to a User’s exercise of such rights, unless otherwise permitted by the CCPA:

• Denying goods or services to a User;
• Charging different prices or rates for the same goods or services, depending on the User;
• Providing a different level or quality of goods or services, depending on the User;
• Suggesting that a User will receive a different price or rate for goods or services or a different level or quality of goods or services;
• Retaliating against a User who is an employee, applicant for employment, or independent contractor of the Operating Company.

Article 6. How to Exercise Rights

Users are requested to contact the Operating Company via the inquiry for provided in Article 13 of the Global Privacy Policy or email address（support@kumoy.io) in order to exercise any of the rights under the CCPA. When making any request to the Operating Company based on any of such rights, a User must provide sufficiently detailed explanations on the subject matter so that the Operating Company can appropriately understand, evaluate, and handle, the request.

Only Users themselves, any persons who are authorized by Users to act on their behalf or who are registered with the Secretary of State of California as their proxies, Users’ entrustees, or Users’ property guardians can make a request regarding Users’ personal information. If permitted under the CCPA, the Operating Company may conduct the procedures for verification of identity and proxy authority required under the CCPA.