Privacy Policy

Article 1 (Basic Policy)

1. The Company shall comply with the Act on the Protection of Personal Information (the “APPI”) and other related laws and regulations, and endeavor to handle personal information appropriately.
2. The Company shall establish internal rules concerning the handling of personal information, provide training to its officers and employees, and require its contractors that handle personal information to maintain a level of handling equivalent to this Policy.
3. The Company shall continuously review and improve this Policy. Any amendment to this Policy shall be notified in the manner set forth in Article 11.

Article 2 (Items of Personal Information Collected)

The Company collects the following personal information to the extent necessary to provide the Service.

2.1 Information collected from general users (prior to member registration)

• Browsing history (cookies, IP address, user agent, referrer URL)
• Anonymous session ID (stored in cookies for 30 days for the purpose of rate-limiting when submitting reviews)

2.2 Information collected from members (registered users)

• Email address (required at member registration; in case of registration via a Google account, the public profile information of that account)
• Display name (nickname; optional)
• Areas of interest (optional; prefectures and municipalities within the Kansai region)
• Age band (optional; one of the five bands 18-24 / 25-34 / 35-44 / 45-54 / 55+; specific date of birth is not collected)
• Preferred therapist types (optional; multiple selectable)
• Preferred service types (optional; multiple selectable)
• Notification preferences (in-app, email, and browser web push notification settings)
• Submitted content (reviews, favorites history, browsing history)

2.3 Information collected from Listed Shops

• Name, email address, and phone number of the shop representative (required upon application for a listing contract)
• Shop location and operating information (business establishment information displayed on the Service)
• Billing information (invoice recipient, source bank account for transfers, payment history)
• Listing contract documents (PDFs, scanned images of paper documents, etc.)
• Content of communications submitted via the contact form
• Operation history on the Company’s administrative dashboard (login history, listing-information update history)

2.4 Information not collected (expressly out of scope)

The Company does not collect the following information from general users or members.

• Legal name (name as recorded in the family register)
• Specific residential address
• Specific date of birth (only the five-band age range is collected; month and day are not needed)
• Phone number
• Identification documents (driver’s license, health insurance card, My Number card, etc.)
• Credit card information
• LINE user ID (the Service does not provide LINE integration)

However, for shop representatives of Listed Shops, the contact information described in § 2.3 is collected for the purpose of performing operational duties.

Article 3 (Purposes of Use of Personal Information)

— In accordance with Article 17 of the APPI

The Company uses the personal information collected for the following purposes.

3.1 Purposes of use for general users and members

• (1) Provision of the Service (searching shop information, submitting reviews, registering favorites, viewing standby displays, etc.)
• (2) Member management, including registration, authentication, and withdrawal
• (3) Delivery of notifications based on notification preferences (in-app notifications, email notifications, web push notifications)
• (4) Analysis of Service usage, creation of statistical data for service improvement and the development of new features (used after anonymization or processing into a form that does not allow identification of individuals)
• (5) Detection and prevention of unauthorized access and misuse (rate-limiting, bot detection, log analysis)
• (6) Responding to inquiries received via the contact form
• (7) Responses required by law (responses to inquiries from relevant government agencies, litigation responses, etc.)

3.2 Purposes of use for Listed Shops

• (1) Operations relating to the conclusion, performance, renewal, and termination of listing contracts (listing review, publication of listing information, billing, payment management, etc.)
• (2) Business communications from the Company to Listed Shops (system fault notifications, maintenance announcements, fee revision notices, terms-amendment notices, etc.)
• (3) Improvement of services for Listed Shops and development of new features
• (4) Management of business records the retention of which is required by law (invoices, payment records, contract documents, etc.) (in accordance with Article 126 of the Corporation Tax Act, Article 19 of the Commercial Code, and other related laws and regulations)
• (5) Investigation of and response to misuse, violation of these terms, and suspected anti-social affiliations
• (6) Responding to inquiries received via the contact form
• (7) Responses required by law

3.3 Change of Purposes of Use

If the Company changes the purposes of use described above, the Company shall post the change on the Service and notify members and Listed Shops by email at their registered email addresses.

Article 4 (Provision of Personal Information to Third Parties)

— In accordance with Article 27 of the APPI

1. Except in any of the following cases, the Company shall not provide collected personal information to a third party without obtaining the prior consent of the individual.
   • (1) Where required by law (court warrant, inquiry from a relevant government agency, etc.)
   • (2) Where necessary for the protection of the life, body, or property of a person, and it is difficult to obtain the consent of the individual
   • (3) Where particularly necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the individual
   • (4) Where it is necessary to cooperate with a national authority or local government, or a person entrusted by such an authority, in performing duties prescribed by law
2. Where the Company provides personal information to a third party, the Company shall confirm that the recipient maintains safety management measures equivalent to or higher than those set forth in this Policy.
3. The Company publishes listing information of the Service (shop location, opening hours, prices, service content, etc.) as publicly available information on the Service. This does not constitute provision of personal information to a third party (because listing information is business operator information that Listed Shops have provided to the Company and consented to publish).

Article 5 (Joint Use of Personal Information)

— In accordance with Article 27, Paragraph 5 of the APPI

The Company does not currently jointly use personal information with any third party. If the Company commences joint use of personal information in the future, it will give prior notice via an amendment to this Policy of the items of personal information to be jointly used, the scope of joint users, the purposes of joint use, and the name of the person responsible for management of the jointly used information.

Article 6 (Handling of Personal Information by Contractors)

— In accordance with Article 25 of the APPI

1. The Company may entrust part of its operations necessary for running the Service (system operations, hosting, email delivery, payment processing, data analysis, etc.) to external business operators (each a “Contractor”).
2. Where the Company provides personal information to a Contractor, the Company shall enter into a contract with the Contractor concerning the handling of personal information, confirm the Contractor’s safety management measures, and exercise necessary and appropriate supervision.
3. The main categories of Contractors are as follows. Specific business operator names shall be disclosed via the contact form to those who make an inquiry.
   • Infrastructure / hosting providers (server operations for the Service)
   • Email delivery providers (delivery of notification emails to members and business emails to Listed Shops)
   • Error monitoring SaaS providers (detection of system faults)
   • Authentication federation providers (authentication for member registration via a Google account)

Article 7 (Retention Period of Personal Information)

The Company shall not retain personal information beyond the extent necessary to achieve the purposes of use. Specific retention periods are as follows.

Article 8 (Requests for Disclosure, Correction, Deletion, and Cessation of Use of Personal Information)

— In accordance with Articles 33-35 and 37 of the APPI

1. An individual may make the following requests to the Company with respect to his or her personal information.
   • (1) Notification of purposes of use
   • (2) Disclosure (disclosure of the content of retained personal data)
   • (3) Correction, addition, or deletion
   • (4) Cessation of use or erasure
   • (5) Cessation of provision to third parties
2. The requests in the preceding paragraph shall be made via the contact form on the Service. The Company shall respond within a reasonable period after confirming the identity of the individual (by methods such as sending a verification code to the registered email address).
3. With respect to information for which retention is required by law (the Corporation Tax Act, the Commercial Code, and other related laws and regulations), the Company may be unable to respond to deletion requests during the relevant retention period. In such cases, the Company shall notify the individual of the reason.
4. No fee shall be charged for disclosure requests. However, with respect to excessively frequent requests or unreasonable requests, the Company may decline to respond within a reasonable scope.

Article 9 (Safety Management Measures for Personal Information)

In order to prevent leakage, loss, or damage of the personal information that the Company handles, the Company shall implement the following safety management measures.

9.1 Organizational safety management measures

• Maintenance of internal rules concerning personal information protection
• Clarification of the roles and responsibilities of officers and employees who handle personal information
• Periodic inspection and audit of the status of handling of personal information

9.2 Personnel safety management measures

• Provision of training on personal information protection to officers and employees
• Confidentiality undertakings entered into with officers and employees

9.3 Physical safety management measures

• Entry and exit management of areas where personal information is handled
• Prevention of theft, loss, etc. of equipment and documents containing personal information

9.4 Technical safety management measures

• Management of access privileges to personal information (only officers and employees within the scope necessary for their duties may access the personal information of members)
• Recording and periodic monitoring of access logs
• Encryption of communication paths (HTTPS communications using TLS 1.2 or higher)
• Hashed storage of authentication information (passwords, etc.)
• Rate-limiting and bot detection for detection of unauthorized access
• Periodic backups and maintenance of disaster recovery procedures

However, the Company does not guarantee that by implementing the safety management measures described in this Policy, all unauthorized access and information leakage will be entirely prevented. In the unlikely event of a leak of personal information, the Company shall promptly take necessary measures, including reporting to the relevant government agencies and notifying the individuals concerned, in accordance with applicable law.

Article 10 (Handling of Cookies and Other Identifiers)

1. The Service may use identifiers such as cookies and web storage for the purposes of improving user convenience, analyzing usage, and preventing unauthorized access.
2. Users may refuse the sending and receiving of cookies by configuring their browser settings. However, if cookies are refused, certain functions of the Service (maintenance of member login, rate-limiting at the time of submitting reviews, etc.) may not operate properly.
3. The Service does not currently use third-party cookies for the purpose of ad delivery. If the Service introduces third-party cookies for ad-delivery purposes in the future, prior notice will be given by means of an amendment to this Policy.

Article 11 (Amendment of this Policy)

1. The Company may amend this Policy due to amendments to related laws, changes in the functions of the Service, or other reasons.
2. Where the Company amends this Policy, the Company shall post the amended Policy and the effective date on the Service, and notify registered members and Listed Shops at their registered email addresses.
3. In principle, for amendments involving material changes (additions to the items of personal information collected, material changes to the purposes of use, commencement of third-party provision, commencement of joint use, etc.), notice shall be given 30 days in advance of the effective date.
4. If a User or Listed Shop uses the Service on or after the effective date of the amended Policy, the User or Listed Shop shall be deemed to have agreed to the amended Policy.

Article 12 (Inquiries)

— In accordance with Article 40 of the APPI

For inquiries regarding this Policy, complaints relating to the handling of personal information, or requests for disclosure, correction, deletion, cessation of use, etc. under Article 8, please contact the following.

Personal Information Complaints Window (Personal Information Protection Manager)

Contact route: the contact form within the Service (accessible via the inquiries page on https://es-navi55.jp/)

The trade name, head office location, name of representative, name of the Personal Information Protection Manager, and other business operator information of the Company that operates the Service shall be disclosed via the contact form to those who make an inquiry.

If you are not satisfied with the Company’s response, you may file a complaint with the Personal Information Protection Commission or any other accredited personal information protection organization for resolution.