GALLUSYS Co., Ltd (hereinafter referred to as “the Company”) considers the appropriate handling and protection of users’ personal information collected in the course of our business activities to be an important social responsibility. The Company handles and protects the personal information the Company collects appropriately based on this Basic Policy on the Protection of Personal Information (hereinafter referred to as “this Policy”).

1. Definition of Personal Information and Personal Data

1. “Personal information” means that information relating to a living individual which falls under any of each following item:
   1. Those containing a name, date of birth, telephone number, e-mail address or other descriptions etc. whereby a specific individual can be identified.
   2. Those that, by themselves, cannot identify a specific individual, but can be readily collated with other information and thereby identify a specific individual
   3. Those containing an individual identification code (Article 2, Paragraph 2 of the Act on the Protection of Personal Information ((hereinafter referred to as “the Act on the Personal Information Protection”)).
2. ”Personal data” means personal information constituting a personal information database etc. (Article 2, Paragraph 4 of the Act on the Protection of Personal Information).

2. Acquisition and utilization purpose of personal information

GALLUSYS Co., Ltd (hereinafter referred to as “the Company”) considers the appropriate handling and protection of users’ personal information collected in the course of our business activities to be an important social responsibility. The Company handles and protects the personal information the Company collects appropriately based on this Basic Policy on the Protection of Personal Information (hereinafter referred to as “this Policy”).

The Company acquires and utilize users’ personal information in a lawful and appropriate manner to the extent necessary to achieve the following purposes.
1. To provide the Company’s services.
2. To respond to sales activities, inquiries, and complaints incidental to (1) above.
3. To provide personal information or personal data to third parties in order to achieve the above utilization purposes.
1. In case that the necessity to use personal information of an user beyond the scope of purposes described in the preceding paragraph arises, the Company notifies the user principal of the utilization purposes and obtain the user’s prior consent before using the information, except in the following cases.
   1. Cases in which there is a need to protect a human life, body, or fortune, and when it is difficult to obtain a consent of the user principal.
   2. When it is especially necessary to improve public health or to promote the sound growth of children and it is difficult to obtain the consent of the user principal.
   3. When it is necessary to cooperate with a national agency, a local government, or an individual or entity entrusted by either a national agency or local government to execute affairs prescribed by law and obtaining a consent of user principal is likely to impede the execution of such affairs.
   4. When required by law.
2. Except for the cases listed in each item of Article 17, Paragraph 2 of the Act on the Protection of Personal Information, the Company does not acquire any “Special Care-Required Personal Information” (Article 2, Paragraph 3 of the Act on the Protection of Personal Information) without obtaining the prior consent of the user principal.

3. Third Party Provision

1. In the following cases, the Company shall be able to disclose personal data of an user principal to the Company’s contractors or other third parties (excluding third parties located in foreign countries. hereinafter in this paragraph, the same shall apply).
   1. When the consent of the principle is obtained
   2. When a court, public prosecutor’s office, police department, tax office, bar association, or other organization with equivalent authority requests disclosure of personal information.
   3. When disclosing information to financial institutions, credit card companies, settlement agents, or other businesses that settle or act as settlement agents for the purpose of settling fees or other amounts owed to the Company.
   4. When disclosing information to a person who succeeds to the business at the time of succession of business due to merger, transfer of business or other reasons.
   5. When permitted by the Act on the Personal Information Protection and other laws and regulations
   6. Other cases as individually determined for each of the Company’s services
2. Even in cases that do not fall under any of the cases described in the preceding paragraph, after notifying the Personal Information Protection Committee, the personal data of user principle (excluding Special Care-Required Personal Information, hereinafter the same shall apply in this paragraph) may be provided to a third party (excluding a third party located in a foreign country, hereinafter the same shall apply in this paragraph)within the following scope.
   1. Items of personal data to be provided to third parties in accordance with this section.
      All personal information of the user principal, unless otherwise requested by the user principal.
   2. Method of provision to third parties in accordance with this paragraph
      Any of the methods of transmission of paper and electronic data, delivery in the form of external recording media, or access to a server.
   3. Methods of making a request for cessation of provision in accordance with this paragraph
      If a user principal requests to cease a third-party provision of personal data in accordance with this paragraph, the Company ceases to provide personal data that identifies the user principal to such third parties without delay in accordance with the provisions of the law. Please contact the “Personal Data Disclosure Consultation Service” listed below for information on how to request the cessation of provision to a third party.
3. The Company may provide personal data of a user principal to a third party in a foreign country in any of the following cases.
   1. When a user principal has given prior consent for the provision of personal information to a third party in a foreign country.
   2. When personal data is provided to a third party located in a foreign country that has implemented, in an appropriate and reasonable manner, measures for the handling of personal data in accordance with the intent of the provisions of Chapter 4, Section 1 of the Act on the Protection of Personal Information and has secured such implementation with the Company.
   3. When the individual user is not identifiable.
   4. When any of the above 2.2 (1) through (4) applies.

Implementation of security control measures

1. In order to prevent unauthorized access to personal information and the loss, alteration, or leakage of personal information, the Company implements necessary and appropriate organizational, personnel, technical, and physical security control measures and properly manages personal information.
2. The Company enters into an outsourcing agreement with the outsourcing contractor that includes a confidentiality clause and makes every effort to have the contractor handle and protect the user’s personal information in an appropriate manner. The Company also seek to prevent leakage, re-provision, or disclosure to a third party, or use of user’s personal information outside the scope of the purposes of use described in 2(1) above.

5. Disclosure, correction, addition, deletion, suspension of use, elimination, and suspension of provision to third parties of personal information and personal data

1. If you wish to request disclosure, notification of utilization purpose, correction, suspension of use, etc., or cessation of provision to third parties of your personal information and personal data, or if you wish to have blurring effects, etc., including anonymous processing on your personal data, or have any questions about our handling of your personal information, please contact us at the contact information below.
   [Personal Data Disclosure Consultation Desk]
   E-mail address: otoiawase@pictier.com
2. From the viewpoint of preventing leakage of personal information and ensuring accuracy and safety, the company conducts the necessary investigation without delay except in cases where special procedures are stipulated by law. Only when it is confirmed that the request is made by an user principal, the company, in accordance with the provisions of the law discloses, corrects, adds, or deletes the contents of, ceases the utilization of, erases, and ceases the third-party provision of the personal data of the user principal.

6. Updating this Policy

The Company may change the contents of this Policy as necessary and will not notify users each time changes are made to this Policy. Therefore, please refer to the latest version of this Policy posted on the Company’s website for the most up-to-date information.

Effective date: October 1, 2020