Privacy Policy

1. Operator information

• Trade name: Bookyou Inc. (Bookyou Kabushiki Kaisha)
• Corporate number (法人番号): 8010001213708
• Qualified invoice issuer registration number (適格請求書発行事業者登録番号): T8010001213708
• Representative: Shigetoshi Umeda
• Address: 2-22-1 Kohinata, Bunkyo-ku, Tokyo 112-0006, Japan
• Personal information inquiries: [email protected]

2. Personal information we collect

We collect the following categories of personal information to the extent necessary for providing the Service.

• Email address
• Name (optional)
• Payment information (credit-card details processed via Stripe, Inc.; the Company does not retain card numbers, expiration dates, or security codes)
• IP address
• API access logs (request timestamp, endpoint, response status, credits consumed, etc.)
• User-Agent information
• Cookies and other identifiers
• Content provided through the contact form or by email

3. Purposes of use

We use personal information collected only within the scope of the following purposes.

• (a) Providing the Service, authenticating users, and processing payments
• (b) Incident response, fraud detection and prevention, and maintaining security
• (c) Generating usage statistics and improving the quality and features of the Service
• (d) Compliance with laws and regulations, response to supervisory authorities, dispute response, and the exercise or performance of rights and obligations
• (e) Sending notices and updates concerning the Service (users may opt out at any time by following the instructions contained in the email)

4. Provision to third parties

Except as required by laws or regulations, we will not provide personal information to any third party without obtaining the prior consent of the data subject. Provided, however, that we may entrust the handling of personal information to the outsourcing service providers enumerated in the next section to the extent necessary for providing the Service; such entrustment does not constitute "provision to a third party" pursuant to APPI Article 27, paragraph 5, item 1.

5. Outsourcing and provision to third parties located in foreign countries (APPI Article 28)

For the operation of the Service, we entrust the handling of personal information to the following third parties located in foreign countries. The data subject's consent to this clause is obtained as part of consent to this Policy at the time of registration for the Service.

5.1 Stripe, Inc. (United States)

• Scope of entrustment: Payment processing, invoice issuance, and provision of the Customer Portal
• Country: United States of America
• Personal-data protection regime in the country: The United States has no comprehensive federal data-protection statute. The framework is a patchwork of state-level laws (e.g., California CCPA / CPRA, Virginia VCDPA) combined with sectoral federal laws (e.g., HIPAA, GLBA).
• Reasonable and appropriate safeguards: Stripe self-certifies under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, ensuring an appropriate level of protection. We have entered into a separate agreement with Stripe and have implemented safeguards equivalent to the Standard Contractual Clauses (SCC).

* Our payment-processing contract is with Stripe Payments Japan KK (the Japanese subsidiary). Payment data is processed by its US parent, Stripe, Inc., via that subsidiary.

5.2 Fly.io, Inc. (United States)

• Scope of entrustment: Application hosting for the Service (Tokyo region "nrt")
• Country: United States of America (data is stored in the Tokyo data center, but because the operating company is a U.S. corporation, APPI Article 28 applies)
• Personal-data protection regime in the country: As stated in section 5.1 above
• Reasonable and appropriate safeguards: Through a separate agreement with Fly.io we have implemented safeguards equivalent to the Standard Contractual Clauses (SCC). Encryption at rest and TLS 1.2 or higher for in-transit communication are applied.

5.3 Cloudflare, Inc. (United States)

• Scope of entrustment: DNS, CDN, Cloudflare Pages (static site delivery), and Cloudflare Web Analytics
• Country: United States of America
• Personal-data protection regime in the country: As stated in section 5.1 above
• Reasonable and appropriate safeguards: Cloudflare self-certifies under the EU-U.S. Data Privacy Framework. We have entered into a separate agreement with Cloudflare and have implemented appropriate safeguards based on the Standard Contractual Clauses (SCC) or the DPF.

5.4 Sentry (Functional Software, Inc.) (United States)

• Scope of entrustment: Error monitoring and exception alerting
• Country: United States of America
• Personal-data protection regime in the country: As stated in section 5.1 above
• Reasonable and appropriate safeguards: Through a separate agreement with Sentry we have implemented safeguards equivalent to the Standard Contractual Clauses (SCC). Strings that may identify a data subject (email addresses, API keys, names, etc.) included in error messages are anonymised or masked at the application layer before transmission.

6. Notification of data breaches (APPI Article 26)

If we detect any leakage, loss, or damage of personal information (hereinafter, "data breach"), we will respond as follows in accordance with APPI Article 26 and the rules of the Personal Information Protection Commission.

• Initial report: We will submit an initial report to the Personal Information Protection Commission within approximately three (3) to five (5) days from the date on which we become aware of the occurrence.
• Final report: We will submit a final (definitive) report to the Personal Information Protection Commission within thirty (30) days from the date on which we became aware of the occurrence (or sixty (60) days for breaches that may have been committed with fraudulent intent).
• Notification to data subjects: We will notify affected data subjects by email, targeting within seventy-two (72) hours of becoming aware of the occurrence. Where notification to data subjects is difficult, we will publish a notice on our website or take other equivalent measures pursuant to the proviso of APPI Article 26, paragraph 2.
• Public postmortem: Within seven (7) business days of the occurrence, we will, on a target basis, publish a summary of the incident, its root cause, and recurrence-prevention measures on our blog or equivalent channel.

7. Handling of names of sole proprietors included in adoption / award case studies

When introducing case studies of adoption / award decisions for subsidies and similar programs on the Service or our website, we will only re-publish information that has already been disclosed by official sources such as J-Grants, ministries, local governments, and affiliated public bodies. The legal basis for such re-publication is APPI Article 27, paragraph 5, item 7 (where, in light of the circumstances of acquisition and other factors, there is no risk of unjustly harming the rights and interests of the data subject — namely, the case of providing to a third party information that has been lawfully obtained from public sources). Such re-publication is conducted to the minimum extent necessary in light of the public-information purpose of the Service (dissemination and verification of public programs).

Upon receipt of a deletion request from a data subject, we will complete deletion within seven (7) business days. We also offer a masking option for data subjects who prefer privacy: name and trade name are hidden, leaving only the industry sector and the prefecture name. To request masking, please email [email protected] with information identifying the relevant case study (URL, fiscal year of adoption, project name, etc.).

Note that the trade name of a juridical person, the name of its representative as a juridical-person representative, and the address of a juridical person do not constitute "personal information" under APPI (which protects information relating to a living individual), and are therefore outside the scope of the deletion / masking process described in this section. However, where (i) the representative of a juridical person personally requests deletion as an individual, or (ii) the trade name and the personal name of a sole proprietor coincide, such requests will be accepted under this section.

7-2. Handling of names included in administrative-disposition and case-law information

When the Service provides information on administrative dispositions (e.g., procurement debarment, business suspension, registration revocation by administrative agencies) and court decisions, we obtain information only from primary sources that have already been broadly disclosed to the public, including official publications of the supervising authorities, the Official Gazette, and court websites (case-law search), and we publish such information, as a rule, within the same scope as the original source.

Where a data subject or their authorised representative requests deletion or correction, we will determine on a case-by-case basis after performing a balancing test between the public interest (purpose of disclosing administrative-disposition information) and the rights and interests of the data subject (right to honour, right to privacy). Where the primary source has already deleted or corrected the information, we will promptly follow suit. Requests should be sent to [email protected].

8. Safeguards

We have implemented the following safeguards to prevent leakage, loss, or damage of personal information and otherwise to ensure its safe management.

• Organisational safeguards: One Personal Information Protection Officer is appointed, and the chain of responsibility for the handling of personal information is clearly defined.
• Personnel safeguards: Only the representative of the Company holds production-database access privileges; no other personnel have access privileges. When the representative steps down from such position, access privileges are revoked simultaneously with departure.
• Physical safeguards: Data containing personal information is stored in the Tokyo data center (region "nrt") provided by Fly.io, Inc., in an environment with physical security controls.
• Technical safeguards: Communications are encrypted with TLS 1.2 or higher, and data is encrypted at rest. API keys are stored in hashed form, and the original cannot be retrieved. Access logs are retained for all production-system access.

8.1 Retention periods of logs and records

We retain logs and records that include personal information for the periods set forth below according to their type, and promptly delete or anonymise them after such period.

• API access logs (request timestamp, endpoint, IP address, etc.): 90 days (for fraud investigation and rate-limit auditing)
• Error logs (via Sentry): 180 days (for incident-recurrence prevention and quality improvement)
• Billing-related information (invoices, billing details, Stripe integration logs): 7 years (statutory retention under the Corporation Tax Act, the Consumption Tax Act, and the Electronic Books Maintenance Act)
• Identity-verification documents (for disclosure / access requests): 3 years after completion of the request (for re-verification of identity in subsequent requests and for dispute response)
• API key history of cancelled / terminated accounts: 90 days after cancellation/termination (for unpaid-fee settlement and fraud investigation)

9. Procedures for disclosure, correction, and suspension of use (APPI Articles 27 to 34)

A data subject or their authorised representative may, with respect to retained personal data held by us, request disclosure, correction, addition, deletion, suspension of use, erasure, and suspension of provision to third parties (collectively, "access requests") in accordance with APPI.

• Submit to: [email protected]
• How to submit: Email the request to the address above, attaching a copy of identity-verification documents (driver's license, passport, My Number Card with the individual number masked, or equivalent)
• Response deadline: We will issue an initial response within thirty (30) days of receipt and complete disclosure, correction, deletion, etc. by then. If, due to a wide investigation scope or other reasonable cause, we cannot complete the response within that period, we will notify the requester of that fact and the expected completion date.
• Data portability (export of one's own data): Paid users may export access logs and billing records linked to their account electronically via the Company's dashboard and the Stripe Customer Portal (self-service; no application required).
• Fees: As a rule, no fee is charged. However, where the actual costs of investigation and disclosure exceed JPY 1,000 per request, we will notify the requester in advance of that fact and the estimated amount, and will charge such costs only with the requester's consent.

10. Cookies and access analytics

We use only Cloudflare Web Analytics as the access-analytics tool for the Service and our website. Cloudflare Web Analytics does not use cookies and does not associate data with personally identifiable information (PII).

We do not use Google Analytics or any other cookie-based third-party analytics tool.

11. Revisions to this Policy

We may revise this Policy in response to amendments of laws and regulations, changes to the Service, or other reasons.

• Material changes: Where we make changes that materially affect the rights and obligations of data subjects, we will give notice on this page at least thirty (30) days prior to the effective date.
• Minor changes: Changes that do not materially affect the rights and obligations of data subjects (e.g., editorial corrections, minor changes to contact information) take effect immediately upon posting on this page.
• Statutory amendments: Where APPI or other related laws are amended, we will revise this Policy as necessary by the effective date of such amendment.

12. Contact

• Operator: Bookyou Inc. (Bookyou Kabushiki Kaisha)
• Department: Personal Information Protection Officer
• Email: [email protected]
• Hours: Reasonable hours on business days (excluding weekends, public holidays, and the Company's designated closure days)

Related documents

• Terms of Service
• Specified Commercial Transactions Act disclosure