Privacy Policy
This page describes AKRIN data handling practices, retention principles, and user privacy rights.
AKRIN株式会社 (AKRIN Co., Ltd.) Personal Information Protection Policy (個人情報保護方針)
Last Updated: August 15, 2025
Effective Date: August 15, 2025
1. Introduction
AKRIN株式会社 ("AKRIN," "we," "our," or "us"), a company registered and operating in Tokyo, Japan, is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information in accordance with the Act on the Protection of Personal Information (個人情報の保護に関する法律, "APPI"), as amended, and applicable international data protection regulations including the EU General Data Protection Regulation ("GDPR") where relevant.
This Privacy Policy applies to all personal information collected through our website (akrin.jp), our managed IT services, IT asset disposition (ITAD) services, IT asset management services, and any other services we provide (collectively, the "Services").
Company Information (APPI Article 32 Disclosure):
- Company Name: AKRIN株式会社 (AKRIN Co., Ltd.)
- Registered Address: 〒107-0062 Tokyo, Minato City, Minami Aoyama 2-4-15
- Data Protection Contact: privacy@akrin.jp
- Phone: +81-3-6821-1223
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Information" means information relating to a living individual that can identify a specific individual by name, date of birth, or other descriptions contained in such information (including information that can be easily cross-referenced with other information and thereby identify a specific individual), as defined under APPI Article 2.
- "Personal Data" means personal information constituting a personal information database, as defined under APPI Article 16.
- "Retained Personal Data" means personal data over which a business operator handling personal information has the authority to disclose, correct, add, delete, cease utilization of, erase, or cease provision to third parties, as defined under APPI Article 16.
- "Special Care-Required Personal Information" means personal information comprising the data subject's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions prescribed by cabinet order that require special care in handling so as not to cause unjust discrimination, prejudice, or other disadvantages to the data subject, as defined under APPI Article 2.
- "Client Data" means any data that our clients entrust to us or that we access in the course of providing our managed IT services, including but not limited to data residing on client systems, networks, and devices.
3. Personal Information We Collect
3.1 Information You Provide Directly
We collect personal information that you voluntarily provide to us, including:
- Contact Information: Name, email address, phone number, company name, job title, and mailing address when you submit inquiries through our contact forms, request consultations, or subscribe to our communications.
- Business Information: Company name, industry, number of employees, and IT infrastructure details provided during service consultations and onboarding.
- Contractual Information: Billing address, payment details (processed through secure third-party payment processors), and contract terms.
- Communication Records: Content of emails, support tickets, chat messages, and other correspondence with our team.
3.2 Information Collected Automatically
When you visit our website, we automatically collect certain technical information, including:
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages visited, time spent on pages, click patterns, referring/exit pages, and navigation paths.
- Cookie Data: Information collected through cookies and similar tracking technologies (see our Cookie Policy for details).
- Google Analytics Data: We use Google Analytics 4 (GA4) to collect anonymized usage statistics, including demographic data, interest categories, and user behavior flows. GA4 uses first-party cookies and Google signals (where enabled) to collect this data.
3.3 Information Collected in the Course of Service Delivery
As a managed IT services provider, we may access or process the following categories of information while delivering our Services:
- Client System Data: Information residing on client servers, workstations, network devices, and cloud environments that we manage or support under service agreements.
- Client Employee Data: Names, email addresses, user credentials, and access permissions of client employees whose accounts or devices we manage.
- IT Asset Data: Device serial numbers, hardware specifications, software licenses, network configurations, and asset inventory records.
- ITAD Data: Device identification information, data sanitization records, certificates of destruction, chain of custody documentation, and recycling/disposal records.
- Security and Log Data: System logs, security event logs, access logs, and threat intelligence data collected during cybersecurity monitoring and incident response activities.
Important Note: Client Data is processed strictly in accordance with our service agreements and data processing addenda with each client. We act as a processor (委託先) of Client Data on behalf of our clients, who remain the controllers (委託元) of such data.
4. Purposes of Use (利用目的)
In accordance with APPI Article 17, we specify the purposes for which we use personal information as follows:
4.1 Website Visitors
- To respond to inquiries and requests for consultation submitted through our website
- To provide information about our services, including managed IT services, ITAD, and IT asset management
- To send newsletters, service updates, and marketing communications (with your consent)
- To analyze website usage patterns and improve our website's functionality, performance, and user experience using Google Analytics 4
- To detect and prevent fraudulent or unauthorized access to our website
- To comply with legal obligations
4.2 Clients and Business Partners
- To deliver, maintain, and improve our managed IT services, ITAD services, and IT asset management services as specified in our service agreements
- To manage client accounts, process billing, and maintain financial records
- To provide technical support, troubleshooting, and incident response
- To manage and secure client IT infrastructure, including user accounts, devices, and network systems
- To perform IT asset disposition, including data sanitization, device recycling, and issuance of certificates of destruction
- To maintain IT asset inventories and lifecycle management records
- To communicate about service status, scheduled maintenance, security alerts, and contract matters
- To fulfill contractual obligations and enforce our Terms of Service
- To comply with applicable laws, regulations, and industry standards
4.3 General Purposes
- To comply with legal obligations under Japanese law, including tax and commercial regulations
- To establish, exercise, or defend legal claims
- To protect the safety and security of our employees, clients, and business operations
- To conduct internal audits, quality assurance, and business improvement activities
We will not use personal information beyond the scope of these specified purposes without obtaining your prior consent, except where permitted by APPI (Article 18).
5. Legal Bases for Processing (GDPR Compliance)
For individuals located in the European Economic Area (EEA) or the United Kingdom, we process personal data based on the following legal bases under GDPR:
- Consent (Article 6(1)(a)): For marketing communications and non-essential cookie placement.
- Contractual Necessity (Article 6(1)(b)): To perform our obligations under service agreements.
- Legitimate Interest (Article 6(1)(f)): For website analytics, security monitoring, fraud prevention, and business improvement activities, where our interests are not overridden by your rights.
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations.
6. Sharing and Disclosure of Personal Information
6.1 We Do Not Sell Personal Information
AKRIN does not sell, rent, or trade your personal information to third parties for their marketing purposes.
6.2 Third-Party Service Providers (委託先)
We may share personal information with trusted third-party service providers who assist us in operating our business, subject to contractual obligations that ensure appropriate handling and protection of personal data. These include:
| Category | Provider Examples | Purpose |
|---|---|---|
| Cloud Infrastructure | Microsoft Azure, AWS, Google Cloud | Hosting and infrastructure for our services |
| Analytics | Google (Google Analytics 4) | Website usage analysis and improvement |
| Payment Processing | Wise (TransferWise Ltd.) | Secure processing of client payments and international transfers |
| Communication Tools | Microsoft 365, Google Workspace | Business communication and collaboration |
| ITAD Partners | Certified recycling and destruction vendors | Secure IT asset disposition and recycling |
| Security Tools | Endpoint protection, SIEM, and monitoring vendors | Cybersecurity service delivery |
When entrusting the handling of personal data to third parties (APPI Article 25), we exercise necessary and appropriate supervision over the entrusted party, including entering into data processing agreements that specify handling requirements, security measures, and confidentiality obligations.
6.3 Legal and Regulatory Disclosure
We may disclose personal information where required or permitted by law, including:
- In response to lawful requests by public authorities, including law enforcement or national security requirements
- To comply with a court order, legal process, or government regulation
- To protect the rights, property, or safety of AKRIN, our clients, or others
- In connection with the investigation of suspected fraud, intellectual property infringement, or other illegal activity
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction. We will notify affected individuals before their personal information becomes subject to a different privacy policy.
7. Cross-Border Transfer of Personal Information
As a provider of IT services to international businesses, we may transfer personal information to countries outside of Japan. In accordance with APPI Article 28, we take the following measures:
- Adequacy Decisions: Where possible, we transfer data to countries recognized by the Personal Information Protection Commission (PPC) as having an adequate level of data protection (including EU/EEA member states and the United Kingdom).
- Contractual Safeguards: Where adequacy decisions do not apply, we ensure appropriate contractual protections are in place, including standard contractual clauses and data processing agreements that require the recipient to implement equivalent security measures.
- Consent: Where required, we obtain your explicit consent for cross-border transfers, providing you with information about the data protection systems of the destination country and the measures taken by the recipient to protect personal information.
Countries to which personal information may be transferred include the United States (cloud infrastructure providers) and other countries where our ITAD and service delivery partners operate. Specific country information is available upon request.
8. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations:
| Data Category | Retention Period | Basis |
|---|---|---|
| Website inquiry data | 3 years from last contact | Business relationship management |
| Client contractual data | Duration of contract + 10 years | Commercial Code (商法) / Tax law requirements |
| Billing and financial records | 7 years after the fiscal year end | Tax law (法人税法) / Companies Act requirements |
| ITAD records and certificates of destruction | 7 years from date of disposition | Regulatory compliance and liability protection |
| IT asset management records | Duration of contract + 3 years | Service delivery and audit requirements |
| Security and access logs | 1 year from collection | Security monitoring and incident investigation |
| Google Analytics data | 14 months (GA4 default) | Website improvement |
| Marketing communication records | Until consent is withdrawn | Consent-based |
| Employee personal data of clients | Duration of service agreement | Contractual obligation |
After the applicable retention period, personal information is securely deleted or anonymized in accordance with our data disposal procedures.
9. Security Management Measures (安全管理措置)
In accordance with APPI Article 23, we implement the following security management measures to protect personal data:
9.1 Organizational Measures (組織的安全管理措置)
- Designation of a person responsible for handling personal data and clear definition of roles and responsibilities
- Establishment and maintenance of internal rules and regulations for handling personal data
- Regular internal audits and reviews of data handling practices
- Incident response procedures for data leaks and security breaches
- Maintenance of records of personal data handling activities
9.2 Personnel Measures (人的安全管理措置)
- Confidentiality agreements and non-disclosure obligations for all employees and contractors
- Regular privacy and data protection training for all staff
- Disciplinary measures for violations of data handling rules
- Supervision and monitoring of employees' handling of personal data
9.3 Physical Measures (物理的安全管理措置)
- Access controls for areas where personal data is processed
- Measures to prevent unauthorized removal of devices and documents containing personal data
- Secure storage and disposal of physical media containing personal data
- Visitor management and escort procedures for restricted areas
9.4 Technical Measures (技術的安全管理措置)
- Encryption of personal data in transit (TLS 1.2+) and at rest
- Access control systems with role-based permissions and multi-factor authentication
- Network security measures including firewalls, intrusion detection/prevention systems, and network segmentation
- Regular vulnerability assessments and security updates
- Logging and monitoring of access to systems containing personal data
- Data loss prevention (DLP) controls
9.5 Measures for External Transmission (外的環境の把握)
- Assessment of data protection regulations in countries where personal data is stored or processed
- Implementation of appropriate contractual and technical safeguards for cloud services and external partners
- Regular review and audit of third-party service providers' security practices
10. Your Rights
10.1 Rights Under APPI
As a data subject under APPI, you have the following rights regarding your retained personal data:
- Right to Disclosure (開示請求権): You may request disclosure of your retained personal data and records of third-party provision (APPI Articles 33, 33-2).
- Right to Correction (訂正等請求権): You may request correction, addition, or deletion of your retained personal data if it is inaccurate (APPI Article 34).
- Right to Cease Utilization (利用停止等請求権): You may request that we cease using or erase your retained personal data if it was obtained improperly, is being used beyond the specified purpose, or is no longer necessary (APPI Article 35).
- Right to Cease Third-Party Provision (第三者提供停止請求権): You may request that we stop providing your retained personal data to third parties (APPI Article 35).
How to Exercise Your Rights: Please submit your request to privacy@akrin.jp or by mail to our registered address. We will verify your identity before processing any request. We will respond to your request without delay and within the time period prescribed by applicable law. We may charge a reasonable fee for processing disclosure requests, as permitted under APPI.
10.2 Additional Rights for EEA/UK Residents (GDPR)
If you are located in the EEA or UK, you have the following additional rights:
- Right to Access: To obtain confirmation of whether your data is being processed and access to that data.
- Right to Rectification: To have inaccurate personal data corrected.
- Right to Erasure ("Right to be Forgotten"): To have your personal data deleted in certain circumstances.
- Right to Restriction of Processing: To restrict processing in certain circumstances.
- Right to Data Portability: To receive your personal data in a structured, machine-readable format.
- Right to Object: To object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, to withdraw that consent at any time.
- Right to Lodge a Complaint: To lodge a complaint with a supervisory authority in the EU/UK.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website. For comprehensive information about the types of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
12. Marketing Communications
We may send you marketing communications about our services with your prior consent. You may withdraw your consent and opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Contacting us at privacy@akrin.jp
- Updating your communication preferences through your account settings (where available)
Please note that even if you opt out of marketing communications, we may still send you service-related communications that are necessary for the operation of your account or the delivery of our Services.
13. Children's Privacy
Our Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@akrin.jp.
14. Data Breach Notification
In the event of a data breach that is likely to harm the rights and interests of individuals, we will:
- Report the breach to the Personal Information Protection Commission (PPC) within 3–5 days of becoming aware of the incident, and submit a full report within 30 days (or 60 days for unauthorized purpose use or third-party provision incidents), in accordance with APPI Article 26
- Notify affected individuals without delay, providing details of the breach, the types of personal information involved, and the measures we are taking in response
- Take immediate steps to contain the breach and mitigate any potential harm
- Document the incident and implement measures to prevent recurrence
For clients covered under service agreements, breach notification procedures are governed by the terms of the applicable data processing addendum.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Privacy Policy on our website with a revised "Last Updated" date
- Notify you by email or through a prominent notice on our website, where appropriate
- Obtain your consent where required by applicable law
We encourage you to review this Privacy Policy periodically.
16. Governing Law and Dispute Resolution
This Privacy Policy is governed by and construed in accordance with the laws of Japan. Any disputes arising from or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the Tokyo District Court (東京地方裁判所) as the court of first instance.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
AKRIN株式会社 (AKRIN Co., Ltd.) Data Protection Inquiries
- Email: privacy@akrin.jp
- Phone: +81-3-6821-1223
- Mail: 〒107-0062 Tokyo, Minato City, Minami Aoyama 2-4-15
- General Support: support@akrin.jp
This Privacy Policy was last reviewed and updated on August 15, 2025.