Privacy Policy

Graffer, Inc. (hereinafter referred to as “Company”) will handle a large amount of personal information of its customers and employees in its business operation. The Company believes that it is the most important responsibility of all employees to recognize the importance of personal information and to protect it; thus, it stipulated the Company’s mission for protecting personal information in the “Personal Information Protection Policy” and the actual procedures for handling personal information based on said policy in the “Handling of Personal Information” (hereinafter collectively referred to as the Company’s “Privacy Policy”) to establish the personal information management system and realize responsible responses as a business entity.

Personal Information Protection Policy

1. Handling of Personal Information

Graffer, Inc. (hereinafter referred to as “Company”) will, in handling personal information in its business, establish the management system for the protection of personal information adequate to its business situation and handle personal information appropriately and carefully in compliance with the Handling of Personal Information and other Company rules and regulations. The acquired personal information will be used only within the scope of the intended purposes of use, and the measures to prevent unintended use will be implemented.

2. Compliance with Laws and Regulations

The Company will comply with the Act on the Protection of Personal Information, guidelines of ministries and agencies, and other related laws and ordinances to protect personal information.

3. Measures for Safe Management

The Company will, at its responsibility, implement reasonable security measures for appropriate management of the collected personal information to prevent any leakage, loss, or damage.

4. Complaints and Inquiries

The Company will endeavor to respond to customer complaints and inquiries sincerely and quickly. Please contact the inquiry desk stated in the “Handling of Personal Information.”

5. Continuous Improvement

The Company will stipulate the personal information protection management system and will periodically review and continuously improve the same in response to changes in its business content and the transformation in the social environment, laws and regulations, and information technologies surrounding its business.

Graffer, Inc. Representative Director and CEO, Daichi Ishii Established: March 1, 2018 Last Amended: January 24, 2023

<Inquiries About Personal Information> Graffer, Inc. Personal Information Protection Inquiry Desk Personal Information Protection Manager 5-8 Sendagaya 1-chome, Shibuya-ku, Tokyo 151-0051 [Inquiries About Personal Information]

Handling of Personal Information

Graffer, Inc. (hereinafter referred to as “Company”) will respect the privacy of individual persons using the services provided by the Company (hereinafter referred to as “User”), and it has stipulated the provisions for handling Users’ Personal Information (defined below) as follows:

Scope of Application

The provisions of this document constitute, together with the Company’s Personal Information Protection Policy, the Company’s Privacy Policy (the Personal Information Protection Policy and the Handling of Personal Information are hereinafter collectively referred to as the “Privacy Policy”) and will apply to the solutions for municipal and national governments provided by the Company (Graffer Smart Application, Graffer Window Reservation, Graffer Procedures Guide, and Graffer Call), and other services provided by the Company (hereinafter collectively referred to as the “Service”).

In the event the procedures for handling personal information are separately stipulated in any individual rules, such individual rules will also be applied.

1. Definition of Personal Information

For the purpose of the Privacy Policy, “Personal Information” means the personal information provided for in Paragraph 1 of Article 2 of the Act on the Protection of Personal Information.

2. Acquisition of Personal Information

The Company will, upon clearly stating the purposes of use in the Privacy Policy, acquire User’s personal information within the scope necessary for such purpose of use.
In the Service (hereinafter “this Service”), when a User uses this Service or makes any inquiries about this Service, the Company may ask about the User’s Personal Information.
In this Service, when a User uses this Service, the Company may automatically acquire information about the User. The Company will acquire the knowledge about how the User uses this Service when the User registers his/her account in this Service and logs in. This Service will automatically receive the User’s information, including IP address, cookie information, browsed web pages, and usage environment through the User’s browser, and record them on the server.
The Company will not, in principle, acquire sensitive personal information. Provided, however, this shall not apply if a User provides such information at his/her own discretion.

3. Acquisition of Personal Information in a Way Not Readily Recognizable by the User

The Company may collect information concerning a User’s access status to this Service or the ways of use thereof, including the following information. The Company will not use such information to identify individual Users.

Access log to this Service
The User’s access status collected and recorded by Google LLC through “Google Analytics” based on cookies. Such information will be managed by Google LLC in accordance with its privacy policy.

Cookies mean small-scale data transmitted from a web server to a User’s browser. Cookies will be stored in the User’s browser and have functions such as avoiding re-entry of User information or displaying the best-suited content for the User.

Please check Google LLC’s privacy policy from the link:https://www.google.com/intl/ja/policies/privacy/

The Users may disable the Google Analytics at the add-on setting in their browser and stop the Company’s collection of the User’s access status utilizing Google Analytics. If the User deactivates Google Analytics, it will also be deactivated on any websites other than this Service. Please check the following link for the procedures to disable Google Analytics: https://tools.google.com/dlpage/gaoptout?hl=ja

4. External Transmission

For purposes such as understanding usage status, improving convenience, and optimizing ad delivery, the Company uses cookies and other tags and information-collection modules to transmit customer information externally. When a customer browses the Company’s website, information recorded on the customer’s device (PC, smartphone, etc.) may be sent to third-party companies as shown in the table below.

For information on how to restrict the use of cookies by each recipient, please refer to the “How to Opt Out” column in the table below.

Recipient Business Name	Information Collection Module	Information Transmitted Externally	Company’s Purpose of Use	Recipient’s Purpose of Use	How to Opt Out
Google LLC and its affiliates	Google Analytics	· Device information (browser type, OS information, etc.) ·Network information (IP address, etc.) ·Access/behavioral history (referrer, etc.)	·Analysis of browsing trends and history ·Measurement of advertising effectiveness ·Monitoring of websites and apps	https://policies.google.com/technologies/partner-sites ·Provision, maintenance, and improvement of services ·Development of new services ·Measurement of advertising effectiveness · Prevention of fraud and abuse · Delivery of advertisements and content optimized for users	https://support.google.com/analytics/answer/181881?hl=ja
Google LLC and its affiliates	Google Ads		· For placing advertising information for the purpose of delivering the Company’s advertisements		https://myadcenter.google.com/home?hl=ja

5. The Purposes of Use of Personal Information

The Company will use the acquired Personal Information for the following purposes. If separately agreed by a User for the purposes of use, the Company will use such information within the scope of such agreed purposes.

1. Solutions for Municipal and National Governments (Graffer Platform)

(1) Personal Information of Users of Graffer Smart Application

The Company will use the information submitted by the User to the Company to provide Graffer Smart Application services (provision of the electronic application system, and the aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage).
The application information inputted and registered by the User will be used to provide the User with a copy of the application.
For the purpose of User identity authentication processing, the information recorded in the valid electronic certificate for signature stored on the User’s My Number Card will be used by the smartphone application “Graffer Identity” provided by the Company (including provision to a signature verifier). In addition, the information concerning name, address, and date of birth read from the My Number Card will be used for the User to prepare the application information efficiently.
The information inputted by the User will be used for payment processing via Pay-easy.
When the User answers a questionnaire after completion of the application, the answer data will be used for the following purposes:
- To improve the services of the Company and the municipal government providing the service
- If any inquiries from the respondent are included in the answer data, for the Company or the municipal government providing the service to implement measures as necessary
- To provide to municipal governments other than the municipal government that provided the service, or to any other third parties, or to publish in the Company’s materials or articles for the purpose of presenting the User’s evaluation and satisfaction level with the Company’s services (in this case, the answer data will be used only in a way that a specific individual is not identifiable and no personal information is included)
The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Smart Application services (including confirmation, recording, and management within the Company).
The Company may use the information submitted by the User to the Company to analyze the usage of Graffer Smart Application services.
The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Smart Application services.
The Company will also use the information submitted by the User to the Company for the purposes stated in “Personal Information of Users of this Service (Common Matters)” below.
The application information will also be provided from the User to the municipal government that received the application and will be used by such municipal government in accordance with its regulations on handling of personal information. Please refer to the terms of service of each municipal government for details.

(2) Personal Information of Users of Graffer Window Reservation

The Company will use the information submitted by the User to the Company to provide Graffer Window Reservation services (provision of the window reservation system, and the aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage).
The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Window Reservation services (including confirmation, recording, and management within the Company).
The Company may use the information submitted by the User to the Company to analyze the usage of Graffer Window Reservation services.
The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Window Reservation services.
The Company will also use the information submitted by the User to the Company for the purposes stated in “Personal Information of Users of this Service (Common Matters)” below.

(3) Personal Information of Users of Graffer Procedures Guide

The Company will not acquire the User’s Personal Information in providing Graffer Procedures Guide services (provision of the administrative procedures guidance system, and the aggregation, analysis, investigation, and reporting to the municipal government of information concerning usage).
The Company may use the information submitted by the User to the Company to respond to questions and inquiries about Graffer Procedures Guide services (including confirmation, recording, and management within the Company).
The Company may use the information submitted by the User to the Company to analyze the usage of Graffer Procedures Guide services.
The Company may use the information submitted by the User to the Company to add and improve the features of Graffer Procedures Guide services.
The Company will also use the information submitted by the User to the Company for the purposes stated in “Personal Information of Users of this Service (Common Matters)” below.

(4) Personal Information of Users of Graffer Call

The Company may use information inputted as call content to provide Graffer Call services (provision of voice recognition functionality, recording functionality, history summarization functionality, etc.).

2. Personal Information of Users of Services Other Than Municipal/Government Services

The Company will use personal information for marketing activities such as researching and analyzing service usage history, measuring advertising effectiveness, and using the results to deliver advertisements related to services based on interests and preferences, as well as for the purpose of providing such information to third parties that conduct such research, analysis, and marketing.

3. Personal Information of Users of this Service (Common Matters)

The Personal Information in items 1. and 2. above may also be used for the following purposes.

When the User uses the “Graffer Account,” the shared account for this Service, the Company will use the information submitted by the User to display the User’s basic information and application information inputted in the past upon login, and to store information tied to the account.
When a User approves linkage with other SNS services such as Google or LINE in using this Service, the Company will collect the following information from such external services in accordance with the details of the consent given at the time of such approval:
- (a) User ID to be notified to the relevant external service provider
- (b) Any other information that the User approved disclosure to the linked service through the privacy settings of the relevant external service provider

4. Personal Information of Company’s Business Partners (Employees of Municipal Governments, etc.)

The Company will use the contact information of business partners for meetings, communication, negotiations, etc.
The Company may use the contact information of business partners to provide information related to this Service, such as delivery of emails, questionnaires, and service guides.
The Company may use the contact information of business partners to operate seminars related to this Service.
The Company will use the contact information of business partners to perform contracts.
For inquiries received through the website related to the AI Solution business, the Company may, only with the User’s consent, hash information such as email addresses and provide them to affiliated business operators, etc. (as defined in 7(3)) for the purpose of improving the accuracy of ad delivery and using such information for remarketing ad delivery. This provision does not apply to inquiries from services for municipalities and residents such as Graffer Smart Application and Graffer Window Reservation, the corporate website, job application inquiries, or other contact points.

5. Personal Information Acquired through Operation Entrusted to the Company

If any Personal Information is included in the information handled in the operations entrusted to the Company (including the residents’ help desk service provided to municipal governments by the Company as “Graffer Technical Support”) and the owner of such Personal Information is not a person who has accepted the Privacy Policy, the Company will appropriately handle such Personal Information only within the scope required to achieve the purposes of use specified in such entrusted operations and implement the necessary measures therefor.

6. Personal Information Related to Events or Seminars

In the events and seminars hosted or participated in by the Company, the Company may use the information submitted by the User to the Company to send advertisements, promotions, and direct mails, and to conduct questionnaire research and other marketing activities.

7. Personal Information of Job Candidates or Retired Employees

The Company will use the information submitted by job candidates to contact and review the job candidates and to conduct recruitment, hiring procedures, and employment management.
The Company will use the contact information of retired employees for the provision of information and other communication.

6. Voluntary Provision of Personal Information

The Users may choose not to input some information required in this Service; provided, however, if the User does not input the information required for provision of the Service, the whole or part of the Service may not be available to such User.

7. Provision of Personal Information to Third Parties

(1) When a User makes a payment using a credit card, the following personal information collected from the User will be provided to the card-issuing company of the card used by the User, via the Company’s system, for use in the identity authentication service “EMV 3-D Secure” for detection and prevention of unauthorized use conducted by the card-issuing company.

Billing name (in Roman characters)
Billing phone number

If the card-issuing company used by the User is located in a foreign country, this information may be transferred to the country in which such issuing company is located. As the Company cannot identify the card-issuing company or the country in which such company is located from the information collected from the User, the Company is unable to obtain and provide the following information regarding personal information protection measures:

The name of the foreign country where the recipient is located
Information regarding the personal information protection system of that country
The personal information protection measures of the issuing company

Information on personal information protection systems in each country is available on the website of the Personal Information Protection Commission (https://www.ppc.go.jp/). If the User is a minor, the User shall use this Service with the consent of a person with parental authority or guardian.

(2) When a User uses the voice recognition and recording features of Graffer Call, the User’s call content will be provided to Twilio Inc. via the Company’s system for processing.

Information on the recipient (business name, country of incorporation, and country where data is handled (outside Japan)):
- Business name: Twilio Inc.
- Country of incorporation: United States of America
- Information on the personal information protection system of that country: Please refer to chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.ppc.go.jp/files/pdf/USA_report.pdf
- Countries where data is handled (outside Japan): Unspecified (may be handled in the United States and other countries). For details, please refer to https://www.twilio.com/ja-jp/legal/privacy.
Information on personal information protection measures taken by the business operator: SOC 2 Type 2 audit, CBPR certification, and PRP certification have been obtained.

(3) For purposes such as optimizing ad delivery, the Company may provide personal information to affiliated business operators, etc. in the following cases:

Based on consent to the Privacy Policy, with respect to personal information of Users and business partners (including those who have made inquiries regarding this Service) such as advertising identifiers, email addresses, phone numbers, IP addresses, device information, attribute information, and information relating to the usage history of this website, the Company may provide such information to research and analysis companies, affiliators, SNS operators, advertising companies, ad delivery operators, DMP operators, and other business operators with whom the Company has partnerships (hereinafter “Affiliated Business Operators, etc.”), to the extent necessary for use in analysis, ad delivery, and other activities, by matching the personal information already held by such Affiliated Business Operators, etc. with the personal information acquired from the Company.

(4) In any of the following cases, the Company may provide Personal Information to third parties:

Based on laws and regulations
When required for protection of people’s life, body, or property, and it is difficult to obtain the User’s consent
When specifically required for improvement of public health or promotion of children’s sound development, and it is difficult to obtain the User’s consent
When required in cooperating with a national government agency, municipal government, or a person entrusted thereby in performing functions prescribed by laws and regulations, and obtaining the User’s consent is likely to interfere with the performance of such functions

8. Use of Statistically Processed Data

The Company may prepare statistical data based on the Personal Information provided by the Users that is processed so that no individual person is identifiable. The Company will be free to use such statistical data without any restriction.

9. Supervision of Outsourcing Contractors

The Company may outsource the whole or any part of the handling of the collected personal information within the scope necessary for the accomplishment of the prescribed purpose of use. In such case, the Company shall, upon obtaining required approval, select the outsourcing contractor that will rightfully handle the Personal Information and shall implement the appropriate and necessary measures for appropriate protection of the Personal Information.

10. Disclosure of Personal Information

In principle, only the User or his/her agent may, with respect to the personal data held by the Company or the records provided by third parties, request that the Company report the purposes of the use of the Personal Information, or disclose, correct, add, or delete the registered Personal Information, cease to use, or cease to provide to third parties, or disclose third-party provision records (hereinafter collectively referred to as “Disclosure of Personal Information, etc.”). Please contact the personal information-related inquiry desk stated below for the detailed procedures. Provided, however, the Company may not respond to the Disclosure of Personal Information in the following cases. Also, the Company may charge a fee (500 yen (excluding tax) per case) for notification of the purposes of the use of the Personal Information and disclosure of the Personal Information.

If you wish the information to be disclosed by electromagnetic means, please tell us as such; in principle, we will respond to your request accordingly.

If the Disclosure of Personal Information is likely to harm the User’s or any third party’s life, body, property, or other rights or interests
If the Disclosure of Personal Information is likely to interfere seriously with the proper provision of this Service
If the Disclosure of Personal Information will violate any laws or regulations
If the Disclosure of Personal Information will require a substantial amount of expenses
If the information was submitted as part of an administrative procedure and is required to be stored as an administrative document
Otherwise, if the Disclosure of Personal Information is difficult and the alternative measures necessary for protection of the User’s rights and interests are implemented

11. System for Handling Personal Information and Details of Measures Taken

1) Development of Basic Policy The Company has established the “Personal Information Protection Policy” regarding “Compliance with Related Laws, Regulations, and Guidelines” and the “Complaints and Inquiries Desk” to ensure the appropriate handling of Personal Information.

2) Development of Disciplines Concerning Handling of Personal Data The Company has established the Personal Information Protection Regulations on handling procedures, persons in charge and their responsibilities, etc. at each stage of acquisition, use, storage, provision, deletion, and disposal of retained personal data.

3) Systematic Security Control Measures The Company has appointed a person responsible for the handling of personal data, defined the employees who handle personal data and the extent of the personal data to be handled by such employees, and established a system of reporting to the said responsible person if the fact of or any indication of violation of laws or handling rules is found. The Company conducts periodic self-inspections concerning the status of handling of personal data and audits by other departments and external parties.

4) Human Security Control Measures The Company implements regular training of its employees on matters that require attention concerning the handling of personal data. The Company has received a letter of commitment concerning confidentiality, including personal data, from each employee.

5) Physical Security Control Measures The Company manages the entry and exit of employees to and from the areas where personal data is handled and restricts the equipment and other items they may bring. The Company also implements measures to prevent unauthorized persons from accessing personal data. The Company implements measures to prevent the loss or theft of equipment, electronic media, and documents containing personal data and implements measures to prevent personal data from being easily identified when transporting such equipment, electronic media, and documents, including transportation within the Company’s offices.

6) Technical Security Control Measures The Company implements access restrictions to limit the scope of persons in charge and the personal information database to be handled by such persons. The Company has introduced a mechanism to protect information systems that handle personal data from unauthorized external access or unauthorized software.

<Name of Authorized Personal Information Protection Organization and Where to File Complaints>

Name of Authorized Personal Information Protection Organization: General Incorporated Association Japan Users Association of Information Systems (JUAS)

Where to File Complaints: Authorized Personal Information Protection Organization Office, Complaint Desk

Address: 5F NBF Higashi-Ginza Square, 1-13-14 Tsukiji, Chuo-ku, Tokyo

Phone Number: 03-6264-1316

Desk Hours: 10:00–16:00 (except Saturdays, Sundays, and Holidays)

[This is not an inquiry contact for the Company’s products or services.]

<Inquiries About Personal Information>

Graffer, Inc. Personal Information Protection Inquiry Desk Personal Information Protection Manager 5-8 Sendagaya 1-chome, Shibuya-ku, Tokyo 151-0051 [Inquiries About Personal Information]

<Name of Business Enterprise>

a) Graffer, Inc. 5-8 Sendagaya 1-chome, Shibuya-ku, Tokyo 151-0051 Representative Director, Daichi Ishii

b) Personal Information Protection Manager Division: Corporate Division

Established: March 1, 2018 Last Amended: February 27, 2026

In the event of any conflict between the Japanese version and the English version, the Japanese version shall take precedence.