Peraichi Privacy Policy

2022/6/30 6:142022/10/26 9:28

Peraichi Inc. ("the Company") recognizes that the protection of Personal Information of the Customers (including not only users of "Peraichi", but also customers of such users; the same shall apply hereinafter) is very important, and shall acquire and shall make effort to handle properly and protect Personal Information as defined by the Act on the Protection of Personal Information of Japan (the "Personal Information Protection Act") in accordance with the following privacy policy (the "Policy").

1 Acquisition of Personal Information

The Company acquires the Customers’ Personal Information (meaning Personal Information as defined in Article 2, Paragraph 1 of the Personal Information Protection Act; the same shall apply hereinafter). through services operated and provided by the Company (the "Company's Services") by proper means. If the Customers do not agree to the acquisition and handling of the Customers’ Personal Information in accordance with the Policy, the Customers shall not use the Company’s Services.

The Customers who use the Company’s Services shall be deemed to have agreed to the Policy.

2 Utilization Purpose of Personal Information

The Personal Information that the Company acquires, collects, and uses includes the following information;

The Customers’name, address, store name, store location, telephone number, e-mail address, and other information that can identify a specific individual;

Member information such as member ID, Facebook ID, bank account information, credit card number;

Unique information such as cell phone terminals used for the Company’s Services (including individual identification information such as unique terminal ID);

IP addresses automatically generated and stored when using the Company’s Services, the date and time of the Customers’ requests, and operation history information;

Location information sent from cell phone terminals, etc;

Transaction information related to payment processing (including, but not limited to, contract information with the Company, product information, order history information, transaction history information, payment history information, and billing information and payment information provided to payment companies);

Membership information such as member ID for RAKSUL’S services provided by the RAKSUL group, through the joint use of Personal Information with the RAKSUL group; and

Information regarding personal attributes that is integrated with personal information.

The Company uses the Customers' Personal Information for the following purposes;

Operation, provision and customer management of the Company’s Services (including customer management of Peraichi users);

Information of the Customers about the Company’s Services;

Response to inquiries etc. regarding the Company’s Services;

Responce to acts that violate the terms of Use, guidelines, etc. set forth by the Company regarding the Company’s Services;

Improvement and analysis of the Company’s Services, or development, etc. of new services;

Notification to the Customers regarding the Company’s Services and the products and services of the Company’s affiliates;

Applications, etc. for external services related to the Company’s Services;

Sending of prizes for campaigns, etc. related to the Company’s Services;

Identification of the Customers;

Provision of affiliated services (including services provided by the RAKSUL group), provision of the Company’s Services in cooperation with the Company’s affiliated services, display of advertising information, etc. that matches the needs and interests of the Customers, and analysis of advertising effectiveness;

Creation of statistical data and provision of such data to third parties;

Utilization incidental purpose to the above purposes;

Carrying out other purposes that the Company deems necessary within the scope of common sense;

Distribution of behavioral targeting advertisements using advertising distributors-such as Google and Yahoo!; and

Analysis of attribute information, behavioral history, etc. acquired by the Company in order to understand the interests and preferences, etc. of the Customers.

3 Disclaimer Regarding Disclosure of Personal Information

The Company does not disclose Personal Information to third parties without the consent of the customer, except in cases prescribed in the Policy or permitted by the Personal Information Protection Act or other laws and regulations; provided, however, that the Policy may disclose in the following cases;

In cases where the Company deems that the information is used within the scope of the Personal Information Protection Act and other laws and regulations;

In cases where the disclosure of Personal Information is deemed necessary to cooperate in regard to a central government organization or a local government, or a person entrusted by a central government organization or a local government, or a person performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs; and

In cases where there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent.

4 Change of Personal Information

Personal information registered at the time of the Company’s membership registration can be changed on the my page of the Company’s Service.

5 Management of Personal Information

The Company takes necessary and appropriate measures to manage access to Personal Information, restrict the means of transporting Personal Information, prevent unauthorized external access, prevent leakage, loss, or damage of Personal Information, and other safely manage Personal Information. The security control action of personal data is stipulated separately in the "Rules for Handling Personal Information, etc.", the main contents of which are as follows.

(Development of Personal Information Protection Guideline)

In order to ensure the proper handling of personal data, the Company has developed the guideline (Personal Information Protection Guidelines) regarding "compliance with relevant laws, regulations, guidelines, etc." and "contact for handling questions and complaints.

(Establishment of Rules for Handling Personal Data)

For each stage of acquisition, use, storage, provision, deletion, disposal, etc., the Company has established "Personal Information Handling Regulations" regarding handling methods, responsible person and person in charge, and their duties, etc.

(Organizational Security Control Action)

In addition to appointing a person responsible for handling personal data, the Company clarifies the employees who handle personal data and the scope of personal data handled by such employees, and has established a system for reporting to the person responsible for handling personal data in the event that the Company understands a violation of the Personal Information Protection Act or Personal Information Handling Regulations is detected.

The Company conducts regular self-inspections of the status of personal data handling, as well as audits by other departments and outside parties.

(Personnel Safety Control Action)

The Company provides employees with regular training on points to keep in mind regarding the handling of personal data.

The Company stipulates items concerning confidentiality of personal data in the employment regulations.

(Physical Safety Control Action)

In areas where personal data is handled, the Company controls the entry and exit of employees, restricts the equipment and other items employees may bring in, and takes measures to prevent unauthorized person from accessing personal data.

The Company takes measures to prevent theft or loss of equipment, electronic media, and documents that handle personal data, as well as to prevent personal data from being easily discovered when such equipment, electronic media, etc. are transported, including within the business site.

(Technical Safety Control Action)

The Company implements access control to limit the scope of persons in charge and the Personal Information databases, etc. handled.

A mechanism is in place to protect information systems handling personal data from unauthorized external access or unauthorized software.

(Understanding the external environment: Entrusting the handling of Personal Information in foreign countries)

Please refer to section 6 below.

6 Entruting the Handling of Personal Data in Foreign Countries

The Company entrusts a part of the development of the Company’s Services to Japan Quality Co., Ltd. and Rikkeisoft Co. (hereinafter referred to as the "Vietnamese contractors"), companies located in the Socialist Republic of Vietnam, and the Company allows the Vietnamese contractor to access the Customers' Personal Information on the Company’s Servers only to the extent necessary for part of the development.

The measures taken by the Company in entrusting the handling of Personal Information to the Vietnamese contractors are as follows

(1) Method of Providing Personal Information to Vietnamese contractors

The Company provides Personal Information to the Vietnamese contractors after concluding, an entrustment agreement with the Vietnamese contractors.

(2) Measures taken by the Vietnamese contractors

The entrustment contract stipulates that the Vietnamese contractors shall handle personal data within the scope of the specified purpose of use, shall take necessary and appropriate security control action, shall exercise necessary and appropriate supervision over the Vietnamese contractor’s employees, shall not re-entrustment, and shall not provide provision of personal data to third parties.

(3) System for the Protection of Personal Data in the Socialist Republic of Vietnam

Please refer to the "System for the Protection of Personal Information in the Socialist Republic of Viet Nam" described below.

(4) Cessation of Provision of Personal Data

In cases where a Vietnamese contractor is handling Personal Information in violation of the entrustment agreement, including the measures described in (2) above, and even if the Company requests the contractor to promptly correct such handling in accordance with the entrustment agreement and such handling is not corrected within a reasonable period of time and the Company deems difficult to ensure the continuous implementation of appropriate measures, the Company will stop providing Personal Information to the Vietnamese contractors.

The Company will cease to provide Personal Information to the Vietnamese contractors if the Company confirms that any amendment has been made to the system for the protection of Personal Information in the Socialist Republic of Vietnam that is in conflict with the above (3).

7 Response to Requests for Disclosure, Correction, Utilization Cease, etc. of Personal Information

In cases where the Company receives a request from a customer for notification of utilization purpose, disclosure, correction, addition, deletion, or utilization cease of Personal Information, the Company will respond to the customer in accordance with the provisions of the Personal Information Protection Act after confirming the customer's identity; provided, however, that the Company is not obligated to disclose the Personal Information. Any communication and transportation costs incurred in making such an application, as well as any costs associated with the documents and other materials to be prepared at the time of identity verification, shall be borne by the customer.

8 Cookies and other technologies

(1) The Company’s Services may use cookies and similar technologies to improve the service level. These technologies are used for the purpose of understanding the usage of the Company’s Services, enhancing navigation, and improving the Company’s Services to the Customers. Cookies can be disabled in the Customers’ web browser settings. However, disabling cookies may prevent some of the Company’s Services from being used properly. Please understand this beforehand.

(2) The Company uses Google Analytics to monitor the usage of the Company’s website. Please refer to the following URL for details on Google Analytics, including data collection and processing methods.

https://www.google.com/intl/ja/policies/privacy/partners/

https://www.google.com/analytics/policies/

https://support.google.com/analytics/answer/2700409?hl=ja&topic=2611283

(3) The Company uses Stripe for payment, analytics and other purposes of the Company’s Services. Stripe collects identifying information about devices that connect to its services. Stripe uses that information to operate and improve its services, including its abuse detection services. For more information about Stripe and its privacy policy, please visit https://stripe.com/privacy

9 Joint Utilization

The Company utilizes the Personal Information of the Customers jointly by the RAKSUL group with the RAKSUL group. Please refer to the following page for information on the joint utilization of Personal Information by the RAKSUL group.

RAKSUL INC. Personal Information Protection Policy

Joint Utilization of Personal Information within the RAKSUL group

https://corp.raksul.com/privacy-policy/

10 Amendment to the Policy

The Company may change the contents of the Policy based on the Customers opinions and the Company’s reasonable judgment. Any amendment will be notified to the Customers by posting on the Company’s Service website, the Company’s corporate website, or by e-mail.

11 Contact

If the Customers have any questions regarding the Policy, please contact us at the following address

Daiichi Akatsuki Building 9F, 1-19-9 Dogenzaka, Shibuya-ku, Tokyo-to, 150-0043 Japan

Peraichi Inc.

Representative Director: Yasui Kazuhiro

Attn: Yasui Kazuhiro

E-mail: hello@peraichi.com

Established April 21, 2015

Revised February 20, 2009

Revised November 16, 2020

Revised August 26, 2021

Revised October 1, 2021

Revised March 24, 2022

【System for Protection of Personal Information in the Socialist Republic of Viet Nam】

Whether or Not there is a System for the protection of Personal Information

There is no comprehensive law and regulation.

The following laws and regulations are representative of those applicable to individual field.

Law on Cyber-information Security No. 86/2015/QH13(the "Law on Cyber-information Security")

URL: https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Luat-an-toan-thong-tin-mang-2015-298365.aspx

Implementation Status: July 1, 2016

Target Organization: Individuals and organizations directly engaged or involved in cyber information security in Vietnam

Target Information: Information in connection with the identification of a specific individual

Law on Information Technology No. 67/2006/QH11 (the "Information Technology Law")

URL: https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Luat-cong-nghe-thong-tin-2006-67-2006-QH11-12987.aspx

Implementation Status: July 1, 2007

Target Organization: Individuals and organizations engaged in the use and development of information technology in Vietnam

Target information: Information in connection with the identification of specific individuals, including name, age, address, ID number, telephone number, E-mail Address, and other information specified by the Information Technology Law.

※In February 2021, the government of the Socialist Republic of Viet Nam published a draft cabinet order on personal information protection, a comprehensive law, for public comment.

Information that may as an Indicator of Systems for the Protection of Personal Information.

An adequacy decision by the EU: None ※1

The APEC CBPR System: None ※2

※1 Countries or regions that have obtained an adequacy decision by the EU are designated by Personal Information Protection Commission, Government of Japan as foreign countries, etc. with systems for the protection of personal information that is deemed to be at the same level of protection as Japan. Based on the GDPR, which is the system for the protection of personal information in the EU (EU member states and Iceland, Norway, and Liechtenstein, which are part of the European Economic Area), or its predecessor, the Data Protection Directive, the European Commission has decided that the country or region is deemed to have an adequate level of data protection, so that it can expect roughly the same level of personal information protection as Japan. For this reason, the fact that a country or region has obtained an adequacy decision by the EU falls under “information that may as an indicator of a system for the protection of personal information”.

※2 As a precondition for participation in the APEC CBPR system, it is stipulated that economies participating in the APEC CBPR system have laws and regulations that comply with the APEC Privacy Framework, and the administrative bodies have the authority to investigate and rectify complaints and problems that cannot be resolved businesses and accountability agents that CBPR certified. Therefore, economies participating in the APEC CBPR system, like Japan, are considered to have laws and regulations compliant with the APEC Privacy Framework and administrative bodies that enforce such laws and regulations and can be expected to protect personal information generally equivalent to that of Japan. For this reason, the fact that economies participating in APEC's CBPR system constitute "information that may as an indicator of a system for the protection of personal information”. Note that the APEC CBPR system covers the private sector.

Obligations of Business Operator, etc., or Rights of the Individuals Corresponding to OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’s BASIC PRINCIPLES OF NATIONAL APPLICATION

Obligations of business operator, etc., or rights of the individuals corresponding to OECD guidelines on the protection of privacy and transborder flows of personal data’s basic principles of national application are as follows

① Collection Limitation Principle

Partially stipulated in the Cyber Information Security Law, Information Technology Law, etc.

② Data Quality Principle