Privacy Policy

1. Information about Our Company

2. Definitions of Personal Information and Personal Data

In this Privacy Policy, “Personal Information” refers to information related to a living individual that (1) can identify a specific person through descriptions contained within the information (including information that can be easily cross-referenced with other information to identify a specific individual) or (2) information that contains personal identification codes. Furthermore, “Personal Data” refers to (1) Personal Information that is systematically organized to allow for easy search and retrieval using electronic computers or (2) Personal Information systematically organized in accordance with specific rules to allow for easy search and retrieval of specific Personal Information, and includes Personal Information that is structured for easy searching purposes.

3. Purpose of Use of Personal Information

Our Company retains and uses the Personal Information for the following purposes in connection with Our Company’s business:

• To facilitate necessary communications between Our Company, individuals monitored via IRUKA DX (“Monitored Individuals”), and parties pre-registered under IRUKA DX (“Registered Parties”) in relation to IRUKA DX, including responding to inquiries from Monitored Individuals or Registered Parties.
• To enter into contracts with parties who purchase a subscription to IRUKA DX for the purpose of monitoring the Condition of Monitored Individuals, and to fulfill contractual obligations and exercise contractual rights.
• To fulfill obligations and exercise rights under the terms of use with parties who use applications that form part of IRUKA DX for the purpose of monitoring the Condition of Monitored Individuals.
• For the development of products and services other than IRUKA DX.
• To provide information about IRUKA DX.
• To provide information about products and services other than IRUKA DX.
• To improve IRUKA DX.

4. Restrictions on the Use of Personal Information

Our Company will not handle Personal Information beyond the necessary scope to achieve the above purposes of use without the prior consent of each individual. However, this does not apply in the following cases:

• When required by law (including ordinances; the same applied hereinafter).
• When it is necessary to protect a person’s life, body, or property, and it is difficult to obtain the individual’s consent.
• When it is particularly necessary to improve public health or promote the healthy development of children, and it is difficult to obtain the individual’s consent.
• When it is necessary to cooperate with a national or local government agency, or a person entrusted by such an agency, in performing duties prescribed by law, and obtaining the individual’s consent is likely to impede the execution of those duties.

5. Prohibition of Improper Use

Our Company will not use Personal Information in a manner that may promote or induce illegal or improper activities.

6. Proper Acquisition of Personal Information

Our Company will not acquire Personal Information through deception or other wrongful means.

7. Notification of Purpose of Use of Personal Information

Our Company will publish this Privacy Policy on its website. When acquiring Personal Information directly from an individual in written form (including electronic records), Our Company will, in principle, clearly inform the individual of the purpose of use in advance, unless it falls under exceptions stipulated by the Act on the Protection of Personal Information, such as cases where it is urgently necessary to protect a person’s life, body, or property.

8. Ensuring Accuracy of Data

Our Company will keep Personal Data accurate and up-to-date within the scope necessary to achieve the purpose of use. Additionally, when the Personal Data is no longer needed for use, Our Company will make efforts to promptly delete the relevant Personal Data.

9. Security Measures

• Formulation of Basic Policy: This Privacy Policy sets out the basic guidelines for the proper handling of Personal Data.
• Establishment of Rules for Handling Personal Data: To comply with applicable laws, Our Company has introduced internal regulations regarding the collection, use, retention, protection, and disclosure of Personal Data.
• Understanding of External Environments: Our Company regularly reviews the environment surrounding its Personal Data, including applicable laws and regulations.
• Organizational Secure Management Measures: Access to Personal Data held by Our Company is restricted to officers and employees who need access to achieve the specific purposes for which the data is held. Our Company has appointed a person responsible for overseeing the collection, use, retention, protection, and disclosure of Personal Data. This person ensures, through regular audits and other measures, that Personal Data is handled in accordance with Our Company’s guidelines and applicable laws.
• Personnel Security Measures: Officers and employees with access to Personal Data are contractually obligated to comply with Our Company’s guidelines and applicable laws, and they receive regular training on the handling of Personal Data.
• Physical Security Measures: Personal Data held by Our Company is electronically stored on data servers maintained by Our Company or external vendors. Physical access to these data servers is strictly limited by Our Company or the external vendors. External vendors are contractually prohibited from using Our Company’s Personal Data and are required to maintain Personal Data in a manner that meets Our Company’s standards set forth in this Section 9 (Security Measures). Copies of Personal Data downloaded for temporary use are appropriately deleted after use. Copies of Personal Data printed for temporary use are shredded or dissolved and then disposed of after use.
• Technical Security Controls: Access to Personal Data held by Our Company is controlled by technical access control systems such as password protection and firewalls. The data servers that store Personal Data, as well as the local computers that access these servers, are equipped with the latest security software. Our Company and external vendors regularly analyze logs to detect unauthorized access.

10. Supervision of Officers and Employees

Our Company will provide necessary and appropriate supervision of officers and employees handling Personal Data to ensure the secure management of Personal Data.

11. Supervision of Outsourcing Contractors

When outsourcing all or part of the handling of Personal Data, Our Company will enter into contracts with contractors or require contractors to agree to conditions set by Our Company. Such contracts or agreements will include confidentiality obligations regarding the handling of Personal Data. Our Company will provide necessary and appropriate supervision of contractors to ensure that Personal Data is securely managed by them.

12. Reporting Leaks

In the event of a Personal Data breach, loss, damage, or any other situation that significantly threatens the security of Personal Data and may harm individual rights and interests, as specified by regulations of the Personal Information Protection Commission, Our Company will report to the Personal Information Protection Commission in accordance with the Act on the Protection of Personal Information.

13. Restrictions on Provision to Third Parties

Our Company will not provide Personal Data to third parties without the prior consent of the individual, except in the following cases. However, officers and employees of Our Company are not considered third parties in this context. In addition, Our Company may provide the Monitored Individual’s family members, acquaintances, and the Registered Parties with information related to the Monitored Individuals as a service of IRUKA DX:

• When required by law.
• When it is necessary to protect a person’s life, body, or property, and it is difficult to obtain the individual’s consent.
• When it is particularly necessary to improve public health or promote the healthy development of children, and it is difficult to obtain the individual’s consent.
• When it is necessary to cooperate with a national or local government agency, or a person entrusted by such an agency, in performing duties prescribed by law, and obtaining the individual’s consent is likely to impede the execution of those duties.
• When providing Personal Data to contractors to the extent necessary to achieve the purpose of use.
• When providing Personal Data due to a merger or other reasons for business succession.

When providing Personal Data to third parties with the prior consent of the individual, Our Company will create a record containing the name or title of the third party, sufficient information to identify the individual subject of the provided Personal Data, the items of Personal Data provided, and confirmation that the individual’s consent has been obtained. This record will be retained for three years from the date of the last provision of the relevant Personal Data.

14. Restrictions on Provision to a Third Party in a Foreign Country

Our Company will not provide Personal Data to third parties located in foreign countries, except in the following cases. However, officers and employees of Our Company who are temporarily staying abroad are not considered third parties in this context:

• When required by law.
• When it is necessary to protect a person’s life, body, or property, and it is difficult to obtain the individual’s consent.
• When it is particularly necessary to improve public health or promote the healthy development of children, and it is difficult to obtain the individual’s consent.
• When it is necessary to cooperate with a national or local government agency, or a person entrusted by such an agency, in performing duties prescribed by law, and obtaining the individual’s consent is likely to impede the execution of those duties.
• When providing Personal Data to third parties located in the United Kingdom, Iceland, Ireland, Italy, Estonia, Austria, the Netherlands, Cyprus, Greece, Croatia, Sweden, Spain, Slovakia, Slovenia, Czech Republic, Denmark, Germany, Norway, Hungary, Finland, France, Bulgaria, Belgium, Poland, Portugal, Malta, Latvia, Lithuania, Liechtenstein, Romania, or Luxembourg.
• When the relevant third party has established a system that complies with the standards specified by the rules of the Personal Information Protection Commission as necessary to continuously implement measures equivalent to those that a personal information handling business operator is required to take under Section 4, Subsection 2 of the Act on the Protection of Personal Information (“Equivalent Measures”), and, in accordance with the rules of the Personal Information Protection Commission, takes necessary measures to ensure the continuous implementation of such Equivalent Measures by the third party, and provides information regarding such necessary measures to the individual upon request.
• When, in accordance with the rules of the Personal Information Protection Commission, the individual has given prior consent to the provision of personal data to a third party located in a foreign country, after being provided with information that should serve as a reference for the individual, such as the Personal Information protection system in the foreign country where the third party is located and the measures taken by the third party to protect Personal Information.

15. Requests based on the Act on the Protection of Personal Information

When an individual requests notification of the purpose of use of their identifiable Personal Data, Our Company will promptly notify the individual, except in the following cases:

• When the purpose of use of the identifiable retained Personal Data is already clear from prior public disclosure.
• When notifying or publicizing the purpose of use to the individual may harm the life, body, property, or other rights and interests of the individual or a third party.
• When notifying or publicizing the purpose of use to the individual may harm Our Company’s rights or legitimate interests.
• When it is necessary to cooperate with a national or local government agency, or a person entrusted by such an agency, in performing duties prescribed by law, and notifying or publicizing the purpose of use to the individual is likely to impede the execution of those duties.

When an individual requests disclosure of their identifiable retained Personal Data, or records of provision of their identifiable Personal Data to third parties (excluding those where the existence of such records is specified by government ordinance as likely to harm public or other interests), Our Company will promptly disclose the data, except in the following cases:

• When disclosure may harm the life, body, property, or other rights and interests of the individual or a third party.
• When disclosure may significantly impede the proper execution of Our Company’s business.
• When disclosure would violate other laws.

When an individual requests correction, addition, or deletion of their identifiable retained Personal Data on the grounds that it is not factual, Our Company will promptly conduct the necessary investigation and, based on the results, correct, add, or delete the relevant retained Personal Data.

When an individual requests suspension or deletion of the use of their identifiable retained Personal Data on the grounds that it is being handled in violation of Sections 4 or 5 of this Privacy Policy, or was obtained in violation of Section 6, Our Company will promptly suspend or delete the use of the relevant Personal Data to the extent necessary to correct the violation. However, if the suspension or deletion of use requires a significant cost or is otherwise difficult, and alternative measures can be taken to protect the individual’s rights and interests, this limitation does not apply.

When an individual requests to suspend the provision of their identifiable retained Personal Data to third parties on the grounds that it has been provided in violation of Sections 13 or 14 of this Privacy Policy, and the request is found to be justified, Our Company will promptly suspend the provision of the relevant Personal Data to third parties. However, if the suspension of provision to third parties requires a significant cost or is otherwise difficult, and alternative measures can be taken to protect the individual’s rights and interests, this limitation does not apply.

When an individual requests suspension or deletion of the use, or suspension of provision to third parties, of their identifiable retained Personal Data on the grounds that Our Company no longer needs to use the data, there has been a breach, loss, damage, or other situation threatening the security of the data as specified by the regulations of the Personal Information Protection Commission, or the handling of their identifiable retained Personal Data is likely to harm their rights or legitimate interests, and the request is found to be justified, Our Company will promptly take the necessary measures to suspend or delete the use, or suspend the provision to third parties, of the relevant Personal Data to the extent necessary to prevent harm to the individual’s rights and interests. However, if such measures require a significant cost or are otherwise difficult, and alternative measures can be taken to protect the individual’s rights and interests, this limitation does not apply.

16. Requests and Complaints under the Act on the Protection of Personal Information

If you wish to make a request under the Act on the Protection of Personal Information regarding Personal Information held by Our Company, or if you wish to file a complaint, please contact us by email at support@irukadx.com. In such cases, we may ask you to submit materials for identity verification. If a fee is to be charged for notifying the purpose of use of retained Personal Data that can identify the individual concerned, or for disclosing such data, the amount of the fee will be publicly announced or promptly disclosed upon the individual’s request.

17. Pseudonymized Information Created and Provided by Our Company

Our Company may create pseudonymized information. Even if such pseudonymized information constitutes Personal Information, Personal Data, or retained Personal Data, we may use or provide it in ways permitted under the Act on the Protection of Personal Information, notwithstanding the provisions of this Privacy Policy.

18. Anonymous Information Created and Provided by Our Company

Our Company regularly creates anonymized information. The anonymized data created by Our Company includes the following generalized categories of data relating to Monitored Individuals.

• The location, activities and body conditions of the Monitored Individual
• Information about the status of rooms of the Monitored Individual

Our Company regularly provides anonymized information to third parties. The categories of Personal Information included in the anonymized data provided to third parties are the same as those listed above. The method of providing anonymized information to third parties is as follows:

• Uploading anonymized information to a designated virtual space through a cloud service provider accessible by specified third parties.

Our Company does not compare anonymized information with other data to identify the individual to whom the original Personal Information pertains. When providing anonymized information to third parties, Our Company clearly indicates that the information being provided is anonymized. Our Company applies the same measures to anonymized information as those described in Section 9 (Security Measures), Section 10 (Supervision of Officers and Employees), and Section 11 (Supervision of Outsourcing Contractors).

19. Controlling Language of this Privacy Policy

If this Privacy Policy is prepared in multiple languages, the versions in languages other than Japanese are for reference only. The Japanese version shall be the official version and shall take precedence.

20. Changes to this Privacy Policy

Our Company may change this Privacy Policy within the scope permitted by law when deemed necessary by Our Company. In such cases, Our Company will publish the revised privacy policy, indicating the effective date of the changes. The revised privacy policy will become effective on the indicated effective date. Our Company will not change the purpose of use of Personal Information beyond what is reasonably related to the purposes before the change.