Handling of Personal Information

Graffer, Inc., (hereinafter referred to as “Company”) will respect the privacy of individual persons using the service provided by the Company (hereinafter referred to as “User”), and it has stipulated the provisions for handling Users’ Personal Information (defined below) as follows:

Scope of Application

The provisions of this document constitute, together with the Company’s Personal Information Protection Policy, the Company’s Privacy Policy (the Personal Information Protection Policy and the Handling of Personal Information are hereinafter collectively referred to as the “Privacy Policy”) and will apply to the solutions for municipal and national governments (Graffer Smart Application, Graffer Window Reservation, and Graffer Procedures Guide), services for individuals and companies (Graffer Corporation Certificate Request and Graffer Electronic Certificate Acquisition Support), and other services provided by the Company (hereinafter collectively referred to as the “Service”).

In the event the procedures for handling personal information are separately stipulated in any individual rules, such individual rules will also be applied.

  1.  Definition of Personal Information

For the purpose of the Privacy Policy, “Personal Information” means the personal information provided for in Paragraph 1 of Article 2 of the Act on the Protection of Personal Information. 

2. Acquisition of Personal Information

1. The Company will, upon clearly stating the purposes of use in the Privacy Policy, acquire User’s personal information within the scope necessary for such purpose of use.

2. When a User uses the Service or make any inquiries about the Service, the Company may ask about the User’s Personal Information.

3. When a User uses the Service, the Company may automatically acquire information about the User. The Company will acquire the knowledge about how the User uses the Service when the User registers his/her account in the Service and logs into the Service. For the Service, the Company will automatically receive the User’s information, including IP address, cookie information, browsed Web pages, and usage environment, and record them on the server. 

4. The Company will not, in principle, acquire the Personal Information containing the following contents, except when a User provides them at his/her own discretion:

・ Matters concerning philosophy, creed or religion
・ Matters concerning race, ethnic group, family origin, physical/mental health, criminal history or other matters that may cause social discrimination
・ Matters concerning acts related to the workers’ rights to organize, collective bargaining or other collective actions
・ Matters concerning participation in collective demonstrations, or exercise of the right of petition or other political rights
・ Matters concerning healthcare or sexual life

3. Acquisition of Personal Information in A Way Not Readily Recognizable by User

The Company may collect the information concerning a User’s access statuses to the Services or ways of use thereof, including the following information. The Company will not use such information to identify the individual Users.

  • Access log to the Service.
  • The User’s access statuses collected and recorded by Google through the Google Analytics based on cookies. Such information will be managed by Google in accordance with its privacy policy.

* Cookies mean small-scale data transmitted from a Web server to a User’s browser. Cookies will be stored in the User’s browser and have functions, such as avoiding re-entry of the User information or displaying the best suited contents for the User. 

* Please check the Google’s privacy policy from the following link: https://www.google.com/intl/ja/policies/privacy/

* The Users may disable the Google Analytics at the add-on setting in their browser and stop the Company’s collection of the User’s access statuses utilizing the Google Analytics. If the User deactivates the Google Analytics, the Google Analytics will also be deactivated on any websites other than the Services. Please check the following link for the procedures to disable the Google Analytics: https://tools.google.com/dlpage/gaoptout?hl=ja

4. The Purposes of Use of Personal Information

The Company will use the acquired Personal Information for the following purposes. If separately agreed by a User for the purposes of use, the Company will use such information within the scope of such agreed purposes. 

1. Solutions for municipal and national governments (Graffer Platform)

(1) Personal Information of Users of Graffer Smart Application

  • The Company will use the information submitted by the User to the Company to provide Graffer Smart Application services (provision of the electronic application system and the aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage).
  • The application information inputted and registered by the User will be used to provide the User with a copy of the application. 
  • The information recorded in the valid electronic certificate for signature stored on the User’s My Number Card will be used by the Graffer Identity, a smartphone application provided by the Company, to verify identity of the User (including provision to a signature verifier). The information concerning name, address, and birth date read from the My Number Card will be used for the User to prepare the application information efficiently. 
  • The Company uses SBPS for processing payment by credit cards. The SBPS system does not inform the Company of any credit card information, including card number and CVC (security code), that require sensitive handling. The Company can only access the minimum information that is necessary for the purposes of management and confirmation of transactions by the Company. Therefore, it will be unlikely that any unauthorized access to the Company‘s database by a third party will lead to credit card fraud.
  • When the User answers a questionnaire after completion of the application, the answer data will be used for the following purposes:
    • To improve the services of the Company and the municipal government
    • If any inquiries from the User are included in the answer data, for the Company or the municipal government to implement measures as necessary
    • To provide to municipal governments other than the municipal government that received the application or any other third parties or to publish in the Company’s materials or articles for the purpose of presenting the User’s feedback and satisfaction level with the Company’s services (in this case, the answer data will be used in a way that a specific individual is not identifiable and no personal information is included).
  • The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Smart Application services (including confirmation, recording, and management of such responses in the Company).
  • The Company may use the information submitted by the User to the Company to analyze usage of Graffer Smart Application services.
  • The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Smart Application services.
  • The Company will also use the information submitted by the User to the Company for the purposes stated in the Personal Information of Users of Services (common matters) below.
  • The application information will also be provided from the User to the municipal government that received the application and will be used by such municipal government in accordance with its regulations on handling of personal information. Please refer to the terms of services of the said municipal government for details. 

(2) Personal Information of Users of Graffer Window Reservation

  • The Company will use the information submitted by the User to the Company to provide Graffer Window Reservation services (provision of the window reservation system, and aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage). 
  • The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Window Reservation services (including confirmation, recording, and management of such responses in the Company). 
  • The Company may use the information submitted by the User to the Company to analyze usage of Graffer Window Reservation services.
  • The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Window Reservation services.
  • The Company will also use the information submitted by the User to the Company for the purposes stated in the Personal Information of Users of Services (common matters) below.

(3) Personal Information of Users of Graffer Procedures Guide

  • The Company will not acquire the User’s Personal Information in Graffer Procedures Guide services (provision of the administrative procedures guidance system, and aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage).
  • The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Procedures Guide services (including confirmation, recording, and management of such responses in the Company). 
  • The Company may use the information submitted by the User to the Company to analyze usage of Graffer Procedures Guide services.
  • The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Procedures Guide services.
  • The Company will also use the information submitted by the User to the Company for the purposes stated in the Personal Information of Users of Services (common matters) below.

2. Personal Information of Users of Services for Individuals and Companies

  • The Company will use the information submitted by the User to the Company to provide Graffer Corporation Certificate Request and Graffer Electronic Certificate Acquisition Support (hereinafter referred to as “Certificate Services”) (provision of the system supporting request/acquisition of certificates, aggregation, analysis, and investigation of information concerning usage, and communication to the Users of system failures and other matters).
  • The Company uses SBPS for processing payment by credit cards. The SBPS system does not inform the Company of any credit card information, including card number and CVC (security code), that requires sensitive handling. The Company can only access the minimum information that is necessary for the purposes of management and confirmation of transactions by the Company. Therefore, it will be unlikely that any unauthorized access to the Company’s database by a third party will lead to credit card fraud.
  • The Company may use the information submitted by the User to the Company to respond to questions and inquiries about the Certificate Services (including confirmation, recording, and management of such responses in the Company).
  • The Company may use the information submitted by the User to the Company to analyze the usage of the Certificate Services.
  • The Company may use the information submitted by the User to the Company to add and improve the features of the Certificate Services.
  • The Company may use the information submitted by the User to send advertisements, promotions, and direct mails and to conduct questionnaire research and other marketing activities in relation to the Certificate Services and other services for individuals and companies (hereinafter collectively, including services to be developed by the Company in the future, referred to as the “Certificate Services and Other Services”).
  • The Company may use the information submitted by the User for ad delivery related to the Certificate Services and Other Services and to understand statistics and the impact of such ad delivery. 
  • The Company may use the information submitted by the User to investigate any violation of the Company’s regulations concerning the Certificate Services and to confirm details of the application based on such investigation. 
  • The Company will also use the information submitted by the User to the Company for the purposes stated in the Personal Information of Users of Services (common matters) below.

3. Personal Information of Users of Services (common matters)

  • When the User uses Graffer Account, the account common to all services, the Company will use the information submitted by the User to display, upon log in, the User’s basic information and application information inputted in the past, and to store information tied to the account. 
  • When the User approves linkage with other SNS services, such as Google or LINE in using the Service, the Company will collect the following information from such external services in accordance with the details of approval given to the Company:
    (a) User ID to be informed to such external service provider.
    (b) Any other information that the User approved disclosure to the linked services in the privacy setting of such external service provider.

4. Personal Information of Company’s Clients (employees of municipal governments)

  • The Company will use the contact information of the clients for meetings, communication, and negotiations.
  • The Company may use the contact information of the clients to provide information related to the Services including delivery of mails, questionaries, or service brochures.
  • The Company may use the contact information of the clients to operate the seminars related to the Services.
  • The Company will use the contact information of the clients to perform the contracts.

5. Personal Information Acquired through Operation Entrusted to Company

  • If any Personal Information is included in the information handled in the operation entrusted to the Company (including Graffer Technical Support, the residents help desk service provided to municipal governments by the Company) and an owner of such Personal Information is not a person who has accepted the Privacy Policy, the Company will appropriately handle such Personal Information only within the scope required to achieve the purposes of use stated in such entrusted operation and implement the necessary measures therefor.

6. Personal Information Related to Events or Seminars

  • In the events and seminars that are hosted by the Company or in which the Company participates, the Company may use the information submitted by the User to send advertisements, promotions, and direct mails and to conduct questionnaire research and other marketing activities.

7. Personal Information of Job Candidates or Retired Employees

  • The Company will use the information submitted by job candidates to contact and review the job candidates and to conduct recruitment, hiring procedures, and employment management. 
  • The Company will use the contact information of retired employees for the provision of information and other communication.

5. Voluntary Provision of Personal Information

The Users may choose not to input some information required in the Services; provided, however, if the User does not input the information required for provision of the Service, the whole or part of the Service may not be available to such User.

6. Provision of Personal Information to Third Parties

The Company will not sell nor lend any acquired Personal Information. The Company will not, in principle, provide any acquired Personal Information to any third party, except when the User consents thereto. Provided, however, the Company may, within the scope not violating the relevant laws and regulations, provide the Personal Information to a third party without the User’s consent if the provision is

  • based on the laws and regulations;
  • required for protection of people’s life, body, or property, and it is difficult to obtain the User’s consent;
  • specifically required for improvement of public health or promotion of children’s sound development, and it is difficult to obtain the User’s consent; or
  • required in cooperating with a national government agency, municipal government, or person entrusted thereby performing functions prescribed by the laws and regulations, and obtaining consent of the User is likely to interfere with the performance of such functions.

7. Use of Statistically Processed Data

The Company may prepare statistical data based on the Personal Information provided by the Users that is processed so that no individual person is identifiable. The Company will be free to use such statistical data without any restriction. 

8. Supervision of Outsourcing Contractors

The Company may outsource the whole or any part of the handling of the collected personal information within the scope necessary for the accomplishment of the prescribed purpose of use. In such case, the Company shall, upon obtaining required approval, select the outsourcing contractor that will rightfully handle the Personal Information and shall implement the appropriate and necessary measures for appropriate protection of the Personal Information.

9. Disclosure of Personal Information

In principle, only the User or his/her agent may, with respect to the personal data held by the Company or the records provided by third parties, request that the Company report the purposes of the use of the Personal Information, or disclose, correct, add, delete, or cease to use or provide third parties with the registered Personal Information (hereinafter collectively referred to as “Disclosure of Personal Information”). Please contact the personal information-related inquiry desk stated below for the detailed procedures. Provided, however, the Company may not respond to the Disclosure of Personal Information in the following cases. Also, the Company may charge the fees (500 yen (excluding tax) per item) for notification of the purposes of the use of the Personal Information and disclosure of the Personal Information.

*If you wish the information to be disclosed by electromagnetic means, please tell us as such, in principle, and we will respond to your request.

  • If the Disclosure of Personal Information is likely to harm the User’s or any third party’s life, body, property, or other rights or interests
  • If the Disclosure of Personal Information is likely to interfere seriously with the proper provision of the Services
  • If the Disclosure of Personal Information will violate any laws or regulations
  • If the Disclosure of Personal Information will require substantial amount of expenses
  • If the information is applied in administrative procedures and is required to be stored
  • Otherwise, if the Disclosure of Personal Information is difficult and the alternative measures necessary for protection of the User’s rights and interests are implemented 

10. System for Handling Personal Information and Details of Measures Taken

1) Development of Basic Policy

  • The Company has established the Personal Information Protection Policy for the Compliance with Laws, Regulations, and Guidelines and the Complaints and Inquiries Desk and other related matters to ensure the appropriate handling of Personal Information. 

2) Development of Disciplines Concerning Handling of Personal Data

  • The Company has established the rules on the protection of Personal Information for handling procedures, persons in charge, and their responsibilities, and other related matters at each stage of retention of personal data, including acquisition, use, storage, provision, deletion, and disposal thereof.

3) Systematic Security Control Measures

  • The Company has appointed a person responsible for the handling of personal data, defined the employees who handle personal data and the extent of the personal data to be handled by such employees, and established a system of reporting to the said responsible person if the fact of violation of the laws and handling rules or any indication of such violation is found.
  • The Company conducts periodic self-inspections concerning the status of handling of personal data and audits by internal and external organizations.

4) Human Security Control Measures

  • The Company implements the regular training of its employees on matters that require attention concerning the handling of personal data.
  • The Company has received a letter of commitment concerning confidentiality, including personal data from each employee.

5) Physical Security Control Measures

  • The Company manages the entry and exit of employees to and from the areas where personal data is handled and restricts the equipment and other items they may bring. The Company also implements measures to prevent unauthorized persons from accessing personal data.
  • The Company implements measures to prevent the loss or theft of equipment, electronic media, and documents containing personal data and implements measures to prevent personal data from being easily identified when transporting such equipment, electronic media, and documents, including transportation within the Company’s offices. 

6) Technical Security Control Measures

  • The Company implements the access restrictions to limit the scope of persons in charge and of the personal information database to be handled by such persons.
  • The Company has introduced a mechanism to protect information systems that handle personal data from unauthorized external access or unauthorized software.

11. Amendments of Privacy Policy

The Company may amend the Privacy Policy from time to time, except when otherwise provided for in the laws and regulations.

<Name of Authorized Personal Information Protection Organization and Where to File Complaints>

Name of Authorized Personal Information Protection Organization:

General Incorporated Association Japan Users Association of Information Systems (JUAS)

Where to File Complaints

Authorized Personal Information Protection Organization Office, Complaint Desk

Address:

8F Nihonbashi Horidomecho Nichome Bldg., 2-4-3 Nihonbashi Horidome-cho, Chuo-ku, Tokyo

Phone Number:

03-3249-4104

Desk Hours:

10:00–16:00 (except Saturdays, Sundays, and Holidays)

<Inquiries About Personal Information>

Graffer, Inc., Personal Information Protection Inquiry Desk
Personal Information Protection Manager
5-8 Sendagaya 1-chome, Shibuya-ku, Tokyo 151-0051
Tel:03-3405-7007
E-mail:privacy@graffer.jp

<Name of Business Enterprise>

a) Graffer, Inc.

5-8 Sendagaya 1-chome, Shibuya-ku, Tokyo 151-0051

Representative Director and CEO, Daichi Ishii

b) Personal Information Protection Manager

Division: Corporate Division

Tel: 03-3405-7007

Established: March 1, 2018

Last Amended: January 24, 2023

In the event of any conflict between the Japanese version and English version, the Japanese version shall take precedence.