ACTUAL Inc. (the “Company”) understands the importance of protecting personal information, and will observe the Act on the Protection of Personal Information (the “Act”) and endeavor to handle and protect personal information in an appropriate manner in accordance with this Privacy Policy (the “Privacy Policy”). Unless otherwise provided herein, the definitions of the terms used herein shall be in accordance with the Act.
DEFINITION OF PERSONAL INFORMATION
For the purpose of the Privacy Policy, personal information shall mean the information regarding a living individual which falls under any of the following Items:
information containing a name, date of birth or other descriptions, etc. (including any and all matters stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record) whereby a specific individual can be identified (including information which can be easily collated with other information and thereby identify a specific individual); or
information containing an individual identification code.
PURPOSE OF USE OF PERSONAL INFORMATION
The Company shall use personal information for the following purposes:
Provision of the Company’s service (the “Service”);
Notifications and responses to customer inquiries, with respect to the Service;
Announcement regarding the Company’s products or services, etc.;
Dealing with breach of the Company’s terms of use, policy, etc. (the “Terms”), with respect to the Service;
Notifications of amendment to the Terms of the Service;
Improvement of the Service and development of new service, etc. by means of analyzing the information related to the user’s usage of the Service;
(i) Labor management and the Company’s internal procedures (with respect to personal information of directors, officers and employees of the Company), and (ii) selection and contact for recruit (with respect to personal information of applicant);
Shareholder management and procedures under Companies Act and other applicable laws (with respect to personal information of shareholders, holders of share options, etc.)
Creation of statistics data which is processed so that no particular individuals shall be identified, in connection with the Service; or
other purposes related to the above purposes.
CHANGE OF PURPOSE OF USE OF PERSONAL INFORMATION
The Company may change the purpose of use of personal information to the extent that the purpose of use after the change is reasonably recognized to be related to the original purpose of use. When the purpose of use has been changed, the Company shall notify the person which can be identified by the personal information (the “Principal”) of, or publicly announce the purpose of use after the change.
USE OF PERSONAL INFORMATION
The Company shall not use personal information, without the consent of the Principal, beyond the scope necessary for the achievement of the purpose of use, unless permitted by the Act or other laws or regulations; provided, however, that this provision shall not apply if such use is:
based on laws and regulations;
necessary for the protection of the life, body or property of an individual and it is difficult to obtain the consent of the Principal;
specially necessary forimproving public health or promoting the sound growth of children and it isdifficult to obtain the consent of the Principal;
necessary for cooperatingwith a national government, a local government, or a person or entity entrustedthereby in executing the affairs prescribed by laws and regulations and acquisitionof the consent of the Principal may impede the execution of the affairsconcerned; or
cases where the Company provides personal data to an academic research institute, etc., and an academic research institute, etc. needs to handle such personal data for the purpose of academic research (including cases in which a part of the purpose of such handling is for academic research, but excluding cases in a fear of unreasonable infringement on the rights and interests of individuals).
The Company shall not use personal information in a manner that may encourage or induce illegal or unjust acts.
PROPER ACQUISITION OF PERSONAL INFORMATION
The Company shall acquire personal information by proper means, and shall not acquire it by a deception or other wrongful means.
Except in the following cases, the Company shall not acquire special care-required personal information (defined in Paragraph 3 of Article 2 of the Act) without obtaining a prior consent of the Principal.
cases where such acquisition falls under Items 1 through 4 of Article 4.1;
cases where the Company acquires special care-required personal information from an academic research institute, etc. and needs to acquire for the purpose of academic research (including cases where a part of the purpose of such acquisition is for academic research, but excluding cases in a fear of unreasonable infringement on the rights and interests of individuals.) (limited to the cases where a business operator handling personal information and such academic research institute, etc. jointly conduct academic research);
cases where the special care-required personal information is being made available to the public by the Principal, a government organization, a local government, an academic research institute, etc., a person set forth in Items of Paragraph 1 of Article 57 of the Act or other persons prescribed by the rules of the Personal Information Protection Commission;
cases where the Company acquires special care-required personal information clearly recognized from the Principal's appearance by seeing or taking pictures; or
cases where the Company receives special care-required personal information from a third party and such provision of the information by the third party falls under any of Items of Article 8.1.
When the Company receives personal information from a third party, the Company shall confirm the following matters pursuant to the rules of the Personal Information Protection Commission, except where such provision of the personal information by the third party falls under any of Items of Article 4.1 or any of Items of Article 8.1.
the name or appellation and address of the third party and, for a corporate body, the name of its representative (for a non-corporate body having appointed a representative or administrator, such representative or administrator)
circumstances under which the personal information was acquired by the third party
SECURITY CONTROL OF PERSONAL INFORMATION
The Company shall sufficiently and appropriately supervise the Company’s employees to ensure the security control of personal information against the risk of loss, destruction, alteration or leakage. When the Company entrusts a third party with the handling of personal information in whole or in part, the Company shall sufficiently and appropriately supervise the third party to ensure the security control of personal information. Specific details of security control measures respect to the retained personal data is as follows.
To ensure the accurate handling of personal data the Company establishes this Privacy Policy as its basic policy regarding "compliance with related laws and guidelines", "contact for questions and complaints", etc.
Maintenance of rules respect to handling personal data
The Company establishes basic rules for handling personal data in case of acquisition, use and storage, etc.
Systematic security control measures
A responsible person confirmswhether personal data is handled along with maintained handling rules.
The Company maintains thereport and contact system to a responsible person from an employee.
Human security management measures
The Company provides regulartraining for employees on matters to be considered in handling personal data.
The Company lists mattersregarding confidentiality of personal data in employment regulations.
Physical security management measures
The Company takes measures toprevent persons excluding employees authorized to handle personal data and the Principalfrom easily viewing personal data.
The Company takes measures toprevent theft or loss of equipment, digital media, documents, etc. that handlepersonal data, and to prevent personal data from being easily discovered whensuch equipment, digital media, etc. are carried, including duringtransportation within the place of business.
Technical security management measures
The Company clarifies deviceswhich access to personal data and employees who handle the devices and preventsunnecessary access to personal data.
The Company installsmechanisms to protect equipment that handle personal data from unauthorizedexternal access or unauthorized software.
Understanding the external environment
The Company implements security management measures after understanding the system regarding the [ ] country where the Company store personal data.
REPORTING, ETC. IN CASE OF LEAKAGE
TheCompany shall report to the Personal Information Protection Commission andnotify the Principal in cases where such reporting and notifying shall beneeded because of the event of leakage, loss, damage, etc. of personalinformation handled by the Company in accordance with the provisions of the Act.
PROVISIONTO A THIRD PARTY
The Company shall not providepersonal information to a third party without the prior consent of the Principal,except where such provision falls under any of Items of Article 4.1; provided,however, that the following cases shall not be regarded as the provision to athird party:
Cases where the Company providespersonal information accompanied by entrustment to a third party with thehandling of personal information within the scope necessary for the achievementof the purpose of use;
Cases where personal informationis provided as a result of the succession of business in a merger or otherwise;or
Cases where personalinformation is used jointly with others in accordance with the provisions ofthe Act.
Notwithstanding Article 8.1, incases where the Company provides personal information to a third party(excluding a party establishing a system conforming to the standards specifiedby the rules of the Personal Information Protection Commission based on Article28 of the Act) in a foreign country (excluding countries specified by the rulesof the Personal Information Protection Commission based on Article 28 of theAct), the Company shall obtain the Principal's prior consent to the effect thatthe Principal approves the provision to a third party in a foreign country, exceptwhere such provision falls under any of Items of Article 4.1.
When obtaining the consent ofthe Principal to provide personal information to a third party in a foreigncountry in accordance with Section 8.2, the following information shall beprovided to the Principal; provided, however, that in cases where the item (1)cannot be specified, the Company shall provide, in lieu of the items (1) and(2), the fact that the item (1) cannot be specified and the reason therefor,and any information that can be used as a reference for the Principal in lieuof the item (1).
Name of the foreign country
Information on thesystem for the protection of personal information in the foreign country
Information onmeasures taken by the third party to protect personal information (if suchinformation cannot be provided, a statement to that effect and the reason)
When the Company has provided personal informationto a third party, the Company shall make and maintain a record pursuant to Article29 of the Act.
When the Company receives personal informationfrom a third party, the Company shall conduct necessary confirmation pursuantto Article 30 of the Act, and make and maintain a record concerning such confirmation.
DISCLOSURE OF PERSONAL INFORMATION
In cases where the Company is requested bya customer to disclose the personal information under the Act, the Companyshall, after confirming that the request is made by the Principal itself,disclose the personal information to the Principal without delay (in caseswhere the Company does not have such personal information, the Company shallnotify the Principal to that effect); provided, however, that this provisionshall not apply to cases where the Company is not obliged to disclose suchpersonal information under the Act or other laws or regulations.
The preceding paragraph shall applymutatis mutandis to records of provision to third parties made in accordancewith Section 8.4 and records of provision from third parties made in accordancewith Section 8.5 with respect to personal information that identifies the Principal.
CORRECTION,ETC. OF PERSONAL INFORMATION
In caseswhere the Company is requested by the Principal to correct, add or delete thepersonal information under the Act on the ground that such personal informationis contrary to the fact, the Company shall, after confirming that the requestis made by the Principal itself, conduct a necessary investigation withoutdelay within the scope necessary for the achievement of the purpose of use, andon the basis of the result, correct, add or delete the personal information andnotify the Principal to that effect (in cases where the Company decides not tomake such correction, addition or deletion, the Company shall notify the Principalto that effect); provided, however, that this provision shall not apply tocases in which the Company is not obliged to make such correction, addition ordeletion under the Act or other laws or regulations.
DISCONTINUANCEOF THE USE, ETC. OF PERSONALINFORMATION
Incases where the Company is (i) requested by the Principal to discontinue usingor to erase the personal information under the Act on the ground that suchpersonal information is being handled beyond the purpose of use publiclyannounced in advance or is being handled by measures which may facilitate orinduce illegal or unjust act or has been acquired by a deception or otherwrongful means, or (ii) requested by the Principal to discontinue providing thepersonal information under the Act on the ground that such personal informationis provided to a third party without the Principal’s consent, or (iii) requestedby the Principal to cease use or provision of the personal information underthe Act on the ground that it has become unnecessary for the Company to utilizepersonal information or a situation prescribed in the main clause of Article 26paragraph 1 of the Act has occurred or the handling of the personal informationof the Principal is likely to harm the rights or legitimate interests of the Principaland where it is found that the request has a reason, the Company shall, after confirmingthat the request is made by the Principal itself, discontinue the use of orerase the personal information, or discontinue the provision of the personalinformation, without delay and shall notify the Principal to that effect;provided, however, that this provision shall not apply to cases in which theCompany is not obliged to make such discontinuance of use or erasure, ordiscontinuance of provision, under the Act or other laws or regulations.
THIRD PARTY PROVISION OF PERSONALLY REFERABLEINFORMATION
In case where the Company assumes thatsuch third party acquires personally referable information (which means what isset forth in Article 2, Paragraph 7 of the Act and is limited to those thatconstitute the personally referable information database, etc. set forth inArticle 16, Paragraph 7 of the Act; The same applies hereinafter.) as personaldata, the Company, except any of Items of Article 4.1, shall not provide a personallyreferable information to the third party without confirming those matters setforth in the following in advance under the rules of the Personal InformationProtection Commission.
The Principal’sconsent to the effect that the Principal approves that the third party acquirespersonally referable information, as personal data that can identify the Principal,that is provided from the Company, has been obtained.
For a provision toa third party in a foreign country, in case of intending to obtain the Principal’sconsent referred to in the preceding item, pursuant to rules of the Personal InformationProtection Commission, information on the personal information protectionsystem of the foreign country, on the measures the third party takes for theprotection of personal information, and other information that is to serve as areference to the Principal, have been provided in advance to the Principal.
The Company shall produce and store therecord according with Article 31 of the Act when the Company provides personallyreferable information pursuant to the provisions of the preceding paragraph.
The Company shall make necessary confirmationand shall produce and store the record in according with the Act when theCompany acquires personally referable information as personal data from thethird party.
TREATMENT OF PSEUDONYMOUSLYPROCESSED INFORMATION
The Company shall process personalinformation pursuant to the standards set forth in the provisions of the rulesof the Personal Information Protection Commission when the Company produce pseudonymouslyprocessed information (it means what set forth in Article 2, Paragraph 5 of theAct, and is limited to what constitute the pseudonymously processed informationdatabase, etc. set forth in Article 16, Paragraph 5 of the Act; The same shallapply hereinafter.).
When the Company has producedpseudonymously processed information or has acquired pseudonymously processedinformation and deleted information, etc. regarding pseudonymously processed information(it means what set forth in Article 41, Paragraph 2 of the Act; The same shallapply hereinafter.), the Company shall take measures for the security controlof deleted information, etc. in accordance with the standards prescribed by therules of the Personal Information Protection Commission as needed to preventleak of deleted information, etc..
The Company shall subject tothe following items regarding pseudonymously processed information (it islimited to personal information; The same shall apply hereinafter in Article of13.3)
Notwithstanding Article4.1, the Company shall not use personal information beyond the scope necessaryfor the achievement of the purpose of use without based on laws and regulations.
With regard toapplying Article 3 regarding pseudonymously processed information, the phrase “TheCompany may change the purpose of use of personal information to the extentthat the purpose of use after the change is reasonably recognized to be relatedto the original purpose of use” is deemed to be replaced with “The Company maychange the purpose of use of personal information” and the phrase “the Companyshall notify the person which can be identified by the personal information(the “Principal”) of, or publicly announce the purpose of use after the change”is deemed to be replaced with “the Company shall publicly announce the purposeof use after the change”.
Notwithstandingfrom Article 8.1 to Article 8.3, the Company shall not provide personal datawhich is pseudonymously processed information to the third party without basedon laws and regulations; provided, however, that the cases listed in any ofitems of Article 8.1 is not provision to the third party as stipulated above.
In case where the Companyhandles pseudonymously processed information, the Company shall not collate thepseudonymously processed information with other information to identify the Principalregarding personal information that is used for producing the pseudonymouslyprocessed information.
In case where theCompany handle pseudonymously processed information, the Company shall not usecontact information and other information including pseudonymously processedinformation to call, to send by mail or letter, to send telegrams, to transmitby facsimile or electromagnetic means, or to visit Principal’s residence.
Article 7 and fromArticle 9 to Article 11 shall not be applied regarding pseudonymously processedinformation.
TREATMENTOF ANONYMOUSLY PROCESSED INFORMATION
When the Company produces anonymouslyprocessed information (defined in Paragraph 6 of Article 2 of the Act and limitedto those constituting anonymously processed information database, etc. prescribedin Paragraph 6 of Article 16 of the Act; hereinafter the same shall apply), theCompany shall process personal information in accordance with the standardsprescribed by the rules of the Personal Information Protection Commission.
When the Company has produced anonymouslyprocessed information, the Company shall take measures for the security controlin accordance with the standards prescribed by the rules of the Personal InformationProtection Commission.
When The Company has produced anonymouslyprocessed information, the Company shall disclose to the public the items ofinformation relating to the individuals contained in the anonymously processedinformation pursuant to the rules of the Personal Information ProtectionCommission.
When the Company provides a third partywith the anonymously processed information (including the same produced by theCompany and the same received by the Company from a third party; hereinafterthe same shall apply unless otherwise provided in the Privacy Policy), theCompany shall disclose to the public the items of information concerning the individualscontained in the anonymously processed information to be provided to a thirdparty and the method of provision thereof, and state to the third partyexplicitly that the information being provided is anonymously processedinformation, in advance pursuant to the rules of the Personal InformationProtection Commission.
When the Company handles the anonymouslyprocessed information, the Company shall not (1) collate the said anonymouslyprocessed information with other information, or (2) acquire descriptions, etc.or individual identification codes deleted from personal information, or informationrelating to the processing method carried out pursuant to Paragraph 1 of Article43 of the Act ((2) shall be applied only to the anonymously processedinformation provided by a third party) in order to identify the individualsconcerned with the personal information used to produce the anonymouslyprocessed information.
The Company shall make efforts to take measuresnecessary to ensure the proper handling of the anonymously processedinformation, including measuresnecessary and appropriate for the security control of the anonymously processedinformation and dealing with complaints about the handling, includingproducing, of the anonymously processed information, and make efforts todisclose to the public the content of such measures taken.
USEOF COOKIES AND OTHER TECHNOLOGIES
Cookies or similar technologies may beused in the Company’s service. Suchtechnologies help the Company to recognize the status of use of the Company’sservice, etc. and contribute improvement of the service. When a user intends to disable cookies, theuser may disable cookies by changing the web browser’s settings. Please note that when cookies are disabled, apart of the service may be unavailable.
On the Company’s website, theCompany uses Google Analytics, a service provided by Google, Inc. to track theuse of such website by its visitors. Pleaserefer to the following link for a description of how data is collected andprocessed by Google Analytics.
https://www.google.com/intl/ja/policies/privacy/partners
CONTACT
Withrespect to requests for disclosure, etc., comments, questions, complaints andother inquiries regarding the handling of personal information, please contact thefollowing.
ACTUAL Inc.
E-mail :hello@actu-al.co
CONTINUOUS IMPROVEMENT
TheCompany shall endeavor to review timely the status of the operation regardinghandling of personal information and to improve such operationcontinuously. The Company may amend this Privacy Policy as necessary.