PRIVACY POLICY
Reference Translation / Governing Language
This English version of the Privacy Policy is prepared for reference purposes only. If there is any discrepancy or inconsistency between the Japanese version and this English version, the Japanese version shall prevail.
SORABITO Inc. (the “Company”) recognizes the importance of protecting personal information, complies with the Act on the Protection of Personal Information (the “APPI”), and will endeavor to handle and protect personal information appropriately in accordance with the following Privacy Policy (the “Privacy Policy”). Unless otherwise provided in this Privacy Policy, the definitions of terms used in this Privacy Policy shall be in accordance with the APPI.
Article 1. Definition of Personal Information
In this Privacy Policy, “personal information” means personal information as defined in Article 2, Paragraph 1 of the APPI.
Article 2. Purposes of Use of Personal Information
The Company will use personal information for the following purposes:
- (1) To analyze information regarding the status of use of the Company’s services and other matters, and to use such analysis for improving the Company’s services, developing new services, and other purposes;
- (2) To carry out procedures for applications for contracts concerning the Company’s services, withdrawal, changes to registered information, notices and confirmations concerning contract renewal and continuation;
- (3) To bill usage fees for the Company’s services based on the Terms of Use, or the price of products sold by the Company and other amounts;
- (4) To confirm the content of, investigate, or respond to inquiries received concerning the Company or the Company’s services provided by the Company;
- (5) To provide information concerning technical support, such as failure information and maintenance information for the Company’s services provided by the Company;
- (6) To achieve purposes of use for which the Company has publicly announced the purposes of use and obtained consent in providing the Company’s services;
- (7) To respond to acts that violate the Company’s terms, policies, and other rules concerning the Company’s services;
- (8) To make various proposals concerning services, such as notices, advertising, publicity, sending direct mail, and introductions by telephone regarding new services, new products, functional improvements, and other information that the Company believes may be useful to customers;
- (9) To ship products, prizes, gifts, and other items, and to request cooperation with surveys conducted by the Company;
- (10) To compile registered personal information as statistical information within a scope that does not identify individuals, and to use it as reference material for developing services useful to customers;
- (11) To provide the Company’s services and related services provided by the Company, and to manage users of the Company’s services;
- (12) To provide personal information to third parties when the Company has obtained the customer’s prior consent in providing the Company’s services;
- (13) For employment management and internal procedures (with respect to personal information of officers and employees);
- (14) For screening and communication in recruitment activities (with respect to personal information of applicants);
- (15) For shareholder management and handling procedures under the Companies Act and other laws and regulations (with respect to personal information of shareholders, share option holders, and others);
- (16) For various procedures necessary for rental car services conducted by the Company (including cases conducted in cooperation with third parties; hereinafter simply referred to as “Rental Car Services”; the same applies below), such as examination for membership registration, identity verification, and confirmation of driver’s license information, as well as reservation and usage management of rental cars, fee calculation, and billing procedures;
- (17) In connection with Rental Car Services, for insurance and compensation procedures, investigation of causes, response, and handling when accidents, troubles, or other incidents occur;
- (18) For procedures necessary to provide car sharing services (including cases conducted in cooperation with third parties; hereinafter simply referred to as “Car Sharing Services”; the same applies below), examination for membership registration and identity verification, confirmation of driver’s license information, and reservation, usage history management, and billing procedures for car sharing vehicles;
- (19) In connection with Car Sharing Services, for insurance and compensation procedures and investigation of the causes of, response to, and handling of the relevant accidents, troubles, or other incidents;
- (20) When accepting orders or responding to customer support concerning services provided by the Company, to automatically analyze or summarize text data such as LINE chats and voice data such as call content by using speech recognition technology and other artificial intelligence (AI) technologies for the purposes of improving response quality, improving services, and accurately understanding response content; and
- (21) For other purposes incidental to the purposes of use above.
Article 3. Changes to Purposes of Use of Personal Information
The Company may change the purposes of use of personal information within a scope reasonably recognized as relevant to the original purposes of use. If the Company changes the purposes of use, it will notify or publicly announce such changes to the individual who is the subject of the personal information (the “Principal”).
Article 4. Use of Personal Information
1. Except where permitted by the APPI or other laws and regulations, the Company will not handle personal information beyond the scope necessary to achieve the purposes of use without obtaining the consent of the Principal; provided, however, that this shall not apply in the following cases:
- (1) Cases based on laws and regulations;
- (2) Cases where it is necessary for the protection of human life, body, or property, and it is difficult to obtain the consent of the Principal;
- (3) Cases where it is particularly necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the Principal;
- (4) Cases where it is necessary to cooperate with a national government organ, a local government, or a person entrusted by either of the foregoing in performing affairs prescribed by laws and regulations, and obtaining the consent of the Principal is likely to impede the performance of such affairs; or
- (5) Cases where personal data is provided to an academic research institution or similar organization, and such academic research institution or similar organization needs to handle such personal data for academic research purposes (including cases where part of the purpose of handling such personal data is an academic research purpose, excluding cases where there is a risk of unjustly infringing the rights and interests of individuals).
2. The Company will not use personal information in a manner that may facilitate or induce illegal or unjust acts.
Article 5. Proper Acquisition of Personal Information
1. The Company will properly acquire personal information and will not acquire it by deception or other wrongful means.
2. Except in the following cases, the Company will not acquire sensitive personal information (meaning information as defined in Article 2, Paragraph 3 of the APPI) without obtaining the Principal’s prior consent:
- (1) Cases falling under any of Items 1 through 4 of Article 4, Paragraph 1;
- (2) Cases where sensitive personal information is acquired from an academic research institution or similar organization, and it is necessary to acquire such sensitive personal information for academic research purposes (including cases where part of the purpose of acquiring such sensitive personal information is an academic research purpose, excluding cases where there is a risk of unjustly infringing the rights and interests of individuals) (limited to cases where the relevant business operator handling personal information and the relevant academic research institution or similar organization jointly conduct academic research);
- (3) Cases where the sensitive personal information has been made public by the Principal, a national government organ, a local government, an academic research institution or similar organization, a person listed in the items of Article 57, Paragraph 1 of the APPI, or another person prescribed by the rules of the Personal Information Protection Commission;
- (4) Cases where sensitive personal information that is apparent from the external appearance of the Principal is acquired by visually observing or photographing the Principal; or
- (5) Cases where sensitive personal information is received in a manner that is deemed not to constitute provision to a third party pursuant to the proviso of Article 8, Paragraph 1.
3. When receiving personal information from a third party, the Company will confirm the following matters as prescribed by the rules of the Personal Information Protection Commission; provided, however, that this shall not apply where the provision of the relevant personal information falls under any item of Article 4, Paragraph 1, or where it is made in a manner that is deemed not to constitute provision to a third party pursuant to the proviso of Article 8, Paragraph 1:
- (1) The name and address of the relevant third party, and, in the case of a corporation, the name of its representative (or, in the case of an organization that is not a corporation and has a representative or administrator, the name of such representative or administrator); and
- (2) The circumstances under which the relevant third party acquired the relevant personal information.
Article 6. Security Control of Personal Information
The Company will exercise necessary and appropriate supervision over its employees to ensure the security control of personal information against risks such as loss, destruction, alteration, and leakage of personal information. In addition, if the Company entrusts all or part of the handling of personal information, the Company will exercise necessary and appropriate supervision to ensure the security control of personal information at the entrusted party. Specific details of the security control measures for personal data held by the Company are as follows.
Establishment of Basic Policy
To ensure the proper handling of personal data, the Company has established this Privacy Policy as its basic policy concerning matters such as “compliance with relevant laws, regulations, guidelines, and other rules” and “contact point for questions and complaint handling.”
Development of Rules Concerning Handling of Personal Data
The Company has established rules for handling personal data concerning handling methods, responsible persons and persons in charge, their duties, and other matters.
Organizational Security Control Measures
The Company appoints a person responsible for handling personal data, clarifies employees who handle personal data and the scope of personal data handled by such employees, and establishes a reporting and communication system to the responsible person when facts or indications of violations of laws or handling rules are identified.
Physical Security Control Measures
The Company locks and unlocks the office with card keys at the start and end of business hours and manages logs of such actions.
Personnel Security Control Measures
- 1) The Company regularly provides employees with training concerning points to note in handling personal data.
- 2) The Company includes matters concerning confidentiality of personal data in its work rules.
Technical Security Control Measures
- 1) The Company implements access controls to limit the persons in charge and the scope of personal information databases and similar systems handled by them.
- 2) The Company introduces mechanisms to protect information systems that handle personal data from unauthorized external access or unauthorized software.
Understanding of External Environment
When handling personal data in a foreign country, the Company will implement security control measures after understanding the systems for protecting personal information in that country.
Article 7. Reporting and Other Measures in the Event of Leakage
If a leakage, loss, damage, or other incident occurs concerning personal information handled by the Company, and reporting to the Personal Information Protection Commission and notification to the Principal are required under the APPI, the Company will make such reporting and notification.
Article 8. Provision to Third Parties
1. Except in cases falling under any item of Article 4, Paragraph 1, the Company will not provide personal information to third parties without obtaining the Principal’s prior consent; provided, however, that the following cases shall not constitute provision to a third party as specified above:
- (1) Cases where personal information is provided in connection with the entrustment of all or part of the handling of personal information within the scope necessary to achieve the purposes of use; or
- (2) Cases where personal information is provided in connection with the succession of business due to a merger or other reason.
2. Notwithstanding Article 8, Paragraph 1, except in cases falling under any item of Article 4, Paragraph 1, when providing personal information to a third party in a foreign country (excluding countries designated by the rules of the Personal Information Protection Commission pursuant to Article 28 of the APPI) (excluding persons that have established systems conforming to standards designated by the rules of the Personal Information Protection Commission pursuant to Article 28 of the APPI), the Company will obtain the Principal’s prior consent to the effect that the Principal permits provision to a third party in a foreign country.
3. When obtaining the Principal’s consent for provision to a third party in a foreign country pursuant to the preceding paragraph, the Company will provide the Principal with information concerning the following matters; provided, however, that if the matter in Item 1 cannot be specified, the Company will provide, in place of the matters in Items 1 and 2, the fact that the matter in Item 1 cannot be specified and the reason therefor, as well as any information that may serve as a reference for the Principal in place of such matter, if any:
- (1) The name of the relevant foreign country;
- (2) Information concerning the systems for protecting personal information in the relevant foreign country; and
- (3) Information concerning measures taken by the relevant third party for the protection of personal information (if such information cannot be provided, the fact thereof and the reason therefor).
4. When the Company provides personal information to a third party, the Company will create and retain records in accordance with Article 29 of the APPI.
5. When the Company receives personal information from a third party, the Company will conduct necessary confirmation and create and retain records concerning such confirmation in accordance with Article 30 of the APPI.
6. In connection with the provision of Rental Car Services and Car Sharing Services, the Company may entrust or provide personal information to partner businesses (for example, insurance companies, payment processing companies, vehicle providers, etc.) within the scope necessary to achieve the purposes of use. Even in such cases, however, the Company will comply with the APPI and other laws and regulations and manage such information appropriately so as not to exceed the scope specified in this Privacy Policy.
7. In connection with the provision of the Company’s services, the Company may entrust the handling of personal information to external service providers that provide speech recognition and artificial intelligence (AI) technologies, within the scope necessary to achieve the purposes of use, for the purpose of analyzing, summarizing, and otherwise processing text data such as LINE chats and call or voice data in the Company’s services. Even in such cases, however, the Company will exercise necessary and appropriate supervision over the relevant entrusted parties in accordance with the APPI and other laws and regulations.
Article 9. Disclosure of Personal Information and Other Matters
1. When the Principal requests disclosure of personal information pursuant to the provisions of the APPI, the Company will, after confirming that the request is made by the Principal himself or herself, disclose such information to the Principal without delay (if the relevant personal information does not exist, the Company will notify the Principal to that effect); provided, however, that this shall not apply where the Company is not obligated to disclose such information under the APPI or other laws and regulations. Please note in advance that a fee of JPY 500 per case will be charged for the above disclosure.
2. The provisions of the preceding paragraph shall apply mutatis mutandis to records concerning provision to third parties prepared pursuant to Article 8, Paragraph 4, and records concerning provision from third parties prepared pursuant to Article 8, Paragraph 5, in relation to personal information by which the Principal is identified.
Article 10. Correction, Etc. of Personal Information
If the Principal requests correction, addition, or deletion of the content of personal information (collectively, “Correction, Etc.”) pursuant to the provisions of the APPI on the grounds that the personal information is not true, the Company will, after confirming that the request is made by the Principal himself or herself, conduct necessary investigation without delay within the scope necessary to achieve the purposes of use, perform Correction, Etc. of the content of the personal information based on the results thereof, and notify the Principal to that effect (if the Company decides not to perform Correction, Etc., the Company will notify the Principal to that effect); provided, however, that this shall not apply where the Company is not obligated to perform Correction, Etc. under the APPI or other laws and regulations.
Article 11. Suspension of Use, Etc. of Personal Information
If the Principal requests suspension of use or deletion of personal information (“Suspension of Use, Etc.”) pursuant to the provisions of the APPI on the grounds that (1) the Principal’s personal information is being handled beyond the scope of the previously publicly announced purposes of use, or is being used in a manner that may facilitate or induce illegal or unjust acts, or the Principal’s personal information was acquired by deception or other wrongful means; (2) the Principal requests suspension of provision of personal information (“Suspension of Provision”) pursuant to the provisions of the APPI on the grounds that personal information is being provided to a third party without the Principal’s consent; or (3) the Principal requests Suspension of Use, Etc. or Suspension of Provision pursuant to the provisions of the APPI on the grounds that the Company no longer needs to use the Principal’s personal information, an event prescribed in the main clause of Article 26, Paragraph 1 of the APPI has occurred with respect to the Principal’s personal information, or there is a risk that the Principal’s rights or legitimate interests may be harmed by the handling of the Principal’s personal information, and it is found that the request has merit, the Company will, after confirming that the request is made by the Principal himself or herself, suspend the use of, delete, or suspend the provision of the personal information without delay and notify the Principal to that effect; provided, however, that this shall not apply where the Company is not obligated to suspend the use of, delete, or suspend the provision of personal information under the APPI or other laws and regulations.
Article 12. Handling of Anonymously Processed Information
1. When the Company creates anonymously processed information (meaning information concerning an individual obtained by processing personal information so that a specific individual cannot be identified by taking measures prescribed by laws and regulations, and so that the personal information cannot be restored), the Company will take the following actions:
- (1) Perform appropriate processing in accordance with standards prescribed by laws and regulations;
- (2) Take security control measures to prevent leakage of deleted information and information concerning processing methods in accordance with standards prescribed by laws and regulations;
- (3) Publicly announce the items of information included in the anonymously processed information created; and
- (4) Refrain from taking actions to identify the Principal of the personal information from which the anonymously processed information was created.
2. When providing anonymously processed information to a third party, the Company will publicly announce the items of information concerning individuals included in the anonymously processed information to be provided and the method of provision, and will clearly indicate to the third-party recipient that the information provided is anonymously processed information.
Article 13. Use of Cookies and Other Tools
1. The Company’s services may use cookies, similar technologies, and other tools designated by the Company (collectively, “Cookies, Etc.”). Cookies, Etc. help the Company understand the status of use of the Company’s services and other matters, and contribute to service improvement. Users of the Company’s services who wish to disable cookies may disable cookies by changing the settings of their web browser. However, if cookies are disabled, some functions of the Company’s services may become unavailable. Tools other than cookies used in the Company’s services are as follows.
(1) Google Analytics
- 1) Tool provider: Google LLC
- 2) Google Analytics Terms of Service: https://www.google.com/analytics/terms/jp.html
- 3) Google Privacy Policy: http://www.google.com/intl/ja/policies/privacy/
(2) Zoho CRM
- 1) Tool provider: Zoho Japan Corporation
- 2) Zoho CRM Terms of Use: https://www.zoho.com/jp/crm/terms.html
- 3) Zoho Privacy Policy: https://www.zoho.co.jp/privacy/
(3) Mixpanel
- 1) Tool provider: Mixpanel, Inc.
- 2) Mixpanel Terms of Use: https://mixpanel.com/legal/terms-of-use
- 3) Mixpanel Privacy Policy: https://mixpanel.com/legal/privacy-policy/
(4) Microsoft Clarity
- 1) Tool provider: Microsoft Corporation
- 2) Microsoft Clarity Terms of Use: https://clarity.microsoft.com/terms
- 3) Microsoft Privacy Statement: https://privacy.microsoft.com/ja-jp/privacystatement
2. The Company may use behavioral targeting advertising services by using Cookies, Etc. in order to deliver advertisements best suited to customers and others. In addition, based on the content of contracts with third parties to whom the Company entrusts advertisement distribution, the Company may disclose all or part of the information collected through Cookies, Etc. to such third parties (such information will not include any information that identifies individuals). In such cases, the relevant third party may use information such as page history information viewed on websites provided by the Company and display advertisements of the Company that may be of interest to customers on websites other than websites provided by the Company that are registered with advertising networks. If you wish to disable this service, please follow the procedures below prescribed by the advertising service providers.
- (1) Google: https://www.google.com/intl/ja/policies/technologies/ads/
- (2) Yahoo: http://btoptout.yahoo.co.jp/optout/index.html
- (3) Facebook: https://www.facebook.com/ads/website_custom_audiences/
- (4) X: https://x.com/settings/security
- (5) LINE: https://terms2.line.me/LINECareer_optout
- (6) Microsoft: https://help.ads.microsoft.com/resources/microsoft_advertising_agreement/ja-jp.pdf
3. In providing Rental Car Services and Car Sharing Services, the Company may acquire location information such as GPS information and information concerning users’ vehicle usage status as necessary. Such information will be used for improving service quality, vehicle safety management, accident response, confirming the accuracy of usage fee billing, and other purposes.
Article 14. Disclosure Matters Concerning Information Transmission Instruction Communications (External Transmission)
Services of the Company that may be subject to the external transmission rules concerning information transmission instruction communications under Article 27-12 of the Telecommunications Business Act, and disclosure matters under such rules for such services, are as follows.
(1) All services operated by the Company
| Function or service using information transmission instruction communications | Google Analytics |
|---|---|
| Information concerning users to be transmitted |
|
| Name of transmission destination | Google LLC and its affiliates |
| Purpose of use (Company) | To analyze users’ browsing tendencies and histories |
| Purpose of use (Transmission destination) | To analyze users’ browsing tendencies and histories |
Article 15. Contact
For requests for disclosure and other matters, opinions, questions, complaints, and other inquiries concerning the handling of personal information, please contact the following contact point.
Name, address, and name of representative of the business operator handling personal information
Inamura Building 8F, 1-9-2 Nihombashi Kayabacho, Chuo-ku, Tokyo 103-0025, Japan
SORABITO Inc. (Representative Director: Kazuaki Hakata)
Article 16. Continuous Improvement
The Company will review the operational status concerning the handling of personal information as appropriate and endeavor to make continuous improvements, and may change this Privacy Policy as necessary.