This privacy policy is translated from the original text written in Japanese into English. If there are any differences in interpretation between the Japanese version and the English version, please refer to the Japanese version.

Established on 21 February 2017
Revised on 2 November 2021
Revised on 17 May 202
Revised on 9 March 2023
Stroly Inc.

This privacy policy (the “Policy”) establishes the Policy of Stroly Co., Ltd. (“Stroly”, “we”, “us”) regarding the handling of personal information or personal data (“User Information”) of individuals (“Users”) who use the Stroly’s website and application software Stroly (the “Service”). The terms used in the Policy comply with the Personal Information Protection Law and the General Data Protection Regulation (“GDPR”).

1. User Information obtained when using the Service (for cases where registration is not required) - general

1.1. Acquisition of location information and identification of User's device

1.1.1. User Information obtained

When a User uses the Service, we obtain the User’s location information. In addition, we assign a unique identification information (“Unique Generated ID”) generated by Stroly itself as a Cookie to the User’s device to identify the device.

1.1.2. Purpose of use

(1) Use of location information to implement basic functions
The location information mentioned in 1.1.1. is used to implement the following functions in the Service:

• a) Provide Users with information about their current location and nearby facilities or other spots in conjunction with the map displayed on the Service.
• b) Provide information about maps related to the User’s current location on the Service.
• c) Enable Users to share their current location with other Users selected on the Service.

(2) Use of location information for statistical analysis of User stay time and movement trends
The location information mentioned in 1.1.1., in combination with the Unique Generated ID, is used to statistically analyze the User’s stay time in each area and movement trends between areas. The results obtained from such analysis are used to understand the usage of the Service and to improve the specifications.

1.1.3. Necessity of acquiring User Information and disadvantages to Users

(1) Use of location information to implement basic functions
The use of location information for the purpose stated in 1.1.2.(1) is essential for implementing the basic functions of the Service. In addition, if high-precision location information is not necessary for implementing this function, we adopt a specification that reduces the granularity of the collected location information, in order to minimize the privacy disadvantage to Users.

(2) Use of location information, etc to statistically analyze Users’ length of stay and movement tendencies
The use of location information and proprietary generated IDs for the purpose stated in 1.1.2.(2) is highly necessary to achieve the goal of improving the specifications of the Service. In addition, the information saved by us to achieve this purpose consists only of statistical information that cannot uniquely identify Users, in order to minimize the privacy disadvantage to Users.

1.1.4. Storage period

The location information mentioned in 1.1.1. is temporarily stored until it is converted into the statistical information mentioned in 1.1.2.(2). In addition, the Unique Generated ID is assigned to the User’s device as a cookie and is deleted one year after the last access from the device.

1.1.5. Information to Users residing in regions where GDPR applies

(1) The basis for lawfully processing User Information under GDPR
The following are the basis for lawfully processing User Information under GDPR for the User Information listed in 1.1.1:

• a) Use of location information for implementing basic functionsThe basis for lawfully processing location information for the purpose of providing the Service is GDPR Article 6.1(b), as it is necessary for the performance of a contract.
• b) Use of location information and Unique Generated IDs for statistically analyzing User stay time and movement trendsThe basis for lawfully processing location information and Unique Generated IDs for the purpose of statistically analyzing User stay time and movement trends is GDPR Article 6.1(f), as it is necessary for the legitimate interests pursued by the controller (refer to 1.1.3.(2)) and the interests or fundamental rights and freedoms of the data subject do not override those interests.

(2) Whether the provision is mandatory, etc.
The provision of User Information listed in 1.1.1 is not an obligation under laws or contracts, but it is essential for using the Service, and without it, users cannot use the Service.

1.2. Use of Cookies for Retaining Settings, etc.

1.2.1. Information to be obtained and purpose of use

We store and refer to cookies on a User’s device to retain settings from when the User previously accessed the Service and to maintain the User's access status while using the Service (“Retaining Settings”).

1.2.2. Necessity of obtaining User Information and disadvantages for Users

The use of cookies for the purpose described in 1.2.1 is essential for providing the Service and any potential disadvantages to the User are limited.

1.2.3. Storage period

We do not set a specific storage period for cookies used for the purpose described in 1.2.1, taking into account the necessity of Retaining Settings.

1.2.4. Information to Users residing in areas where GDPR applies

(1) Basis for legitimate processing of User Information under GDPR
The handling of User Information listed in 1.2.1 is necessary for the performance of the contract to provide our service, and therefore, the legal basis for processing under GDPR is Article 6.1(b).

(2) Necessity of providing information, etc.
The provision of User Information listed in 1.2.1 is not a legal or contractual obligation, but it is essential to use the Service. Without providing such information, users will not be able to use the Service.

1.3. Use of Cookies with Google Tag Manager

1.3.1. Information obtained

We use Google Tag Manager provided by Google on our website, which may involve storing and accessing cookies on the User's device. However, no personally identifiable information is included in the information obtained by Google from our website.

We obtain only statistical information that does not identify specific Users from Google, and we use it without comparing it with other User Information.

1.3.2. Our purpose

We use the statistical information obtained from Google to analyze the access status of our website and improve its specifications.

1.3.3. Google’s purpose

For the purposes of information obtained by Google through the use of Google Tag Manager, please refer to the Google Tag Manager Usage Guidelines, Google Terms of Service, and Google Privacy Policy.

(1) Google Tag Manager Terms of Service
［URL］https://marketingplatform.google.com/intl/ja/about/analytics/tag-manager/use-policy/

(2) Google Terms of Service
［URL］https://policies.google.com/terms

(3) Google Privacy Policy
［URL］https://policies.google.com/privacy

2. Collection of User Information when using the Service (for Users who do not register for use) - when the Service uses Google Analytics and the User agrees to its use.

If a User chooses to consent to the use of Google Analytics on the Service, in addition to the information listed in 1., we will use the following information:

2.1. Information obtained

We use Google Analytics, provided by Google, on the Service, and may save and refer to cookies on the User’s device.

We obtain only statistical information from Google that does not lead to the identification of specific Users.

2.2. Purpose of use by our company

We use the statistical information obtained from Google to analyze the access status of the Service and to improve its specifications.

2.3. Purpose of use by Google

For the purpose of using Google Analytics, please refer to the Google Analytics Terms of Service, Google Terms of Service, and Google Privacy Policy for the information obtained by Google.

(1) Google Analytics Terms of Service
［URL］https://marketingplatform.google.com/about/analytics/terms/jp/

(2) Google Terms of Service
［URL］https://policies.google.com/terms

(3) Google Privacy Policy
［URL］https://policies.google.com/privacy

2.4. Information to Users residing in regions where GDPR applies

(1) Basis for handling User Information lawfully under GDPR
The User Information listed in 2.1. is handled only with the User’s prior consent, therefore the legal basis for handling such information under GDPR Article 6.1(a) is consent.

Please note that even if the User has consented to the handling of the User Information listed in 2.1., they can withdraw their consent at any time from the same display screen.

(2) Whether providing information is mandatory or not
The provision of User Information listed in 2.1. is not a legal or contractual obligation, nor is it mandatory for using the Service.

3. Information collected when registering to use the Service

When a User registers to use the Service, in addition to the items listed in 1. and 2., the following User Information will be used:

3.1. Information collected

When a User registers to use the Service, we will obtain the User’s ID (which the User sets at their discretion), the User’s email address, and authentication information from Facebook, Twitter, or Google.

3.2. Purpose of use

The User Information listed in 3.1. will be used to identify the User when they log in to the Service. Logging in to the Service is necessary to provide customized services for each user.

3.3. Necessity of obtaining User Information and disadvantage to Users

The User Information listed in 3.1. is necessary to provide customized services for each user who has registered to use the Service. In addition, we will only use this User Information to the extent necessary for logging in to the Service, and will take care to minimize any privacy disadvantages to the User.

3.4. Storage period

We will store the User Information listed in 3.1. for the duration of the User’s registration, as well as for one week after the User’s registration is terminated. The reason for continuing to store this information even after the User has terminated their registration is to allow for revocation by Users who mistakenly terminated their registration.

3.5. Information to Users residing in regions where GDPR applies

(1) Legal basis for handling User Information under GDPR
The handling of User Information listed in 3.1 is necessary for the fulfillment of the contract to provide services to registered Users and is therefore based on GDPR Article 6.1(b).

(2) Necessity of provision, etc.
The provision of User Information listed in 3.1 is not a legal or contractual obligation, but it is necessary for Users who have registered to use the services provided to them.

4. Security management measures for User Information

4.1. Storage methods for User Information

We store User Information managed by our company on cloud servers provided by Google or Amazon, located in Japan or in Virginia, USA. The cloud services provided by Google and Amazon have a robust information security level and comply with GDPR.

4.2. Security management measures at our company

In addition to the measures listed in 4.1., we have taken the following security management measures:

(1) Formulation of basic policies and internal regulations
We have formulated basic policies regarding the handling of User Information, as well as internal regulations regarding the handling method, responsible persons and their duties, etc, and have disseminated them throughout Stroly.

(2) Organizational security management measures
We have appointed a person responsible for the handling of User Information and clarified the scope of employee handling of User Information, and have established a reporting and contact system to the person in charge in case of incidents such as information leaks or suspected incidents.

(3) Human security management measures
We have implemented necessary education after imposing an obligation on each employee to maintain confidentiality.

(4) Physical security management measures
We have taken measures such as access control and other necessary physical security management measures to prevent theft and taking out of devices handling User Information.

(5) Technical security management measures
We have taken necessary technical security management measures such as access control for User Information.

(6) Understanding of external environments
Regarding the handling of User Information in foreign countries, we collect information on the system for handling personal information in each country and make efforts to take necessary security management measures.

5. Procedures for Disclosure, etc of personal data held

5.1. Procedures for requesting Disclosure, etc.

To request notification of the purpose of use, disclosure, correction/addition/deletion, suspension/erasure, or third-party suspension of personal data held by us (“Disclosure, etc”), please send an email to the following contact point, along with image data of the documents listed below. Requests for Disclosure, etc by any other means cannot be accepted.

Please note that the personal information of Users who have not registered for the Service is not personal data held by us, and therefore cannot be the subject of requests for Disclosure, etc.

5.1.1. Requests from the individual concerned

A copy of a document that can confirm the individual's identity, such as a driver’s license, health insurance card, or other form of identification.

5.1.2. Requests from a representative

All of the following documents:

(1) A copy of a document that can confirm the individual's identity, such as a driver’s license, health insurance card, or other form of identification.

(2) A document stating that the representative has been delegated authority by the individual concerned (limited to those created by the individual themselves).

［Contact］
109-1 Kanegaecho, Shimogyo-ku, Kyoto-shi, Kyoto 600-8258
Privacy Policy Department, Stroly Inc.

5.2. Information to be included in a request for Disclosure, etc

If you request Disclosure, etc, please create the body of the email as follows, indicating “Request for disclosure of personal data held” in the email title.

• (1) Please provide your full name and address.
• (2) If the request is made by an agent, please provide the agent's full name and address.
• (3) Please specify in detail what type of request you are making.
• (4) For requests for disclosure, please clearly and specifically indicate the scope of the disclosure being sought.
• (5) For requests for correction/addition/deletion, suspension of use/erasure, or suspension of provision to third parties, please clearly specify the contents of the request and the reasons for it.
• (6) For requests for disclosure, please indicate whether you wish to receive the information by email or by postal mail. Please note that even if you request postal mail, we may provide the information by email if we determine that it is appropriate to do so.
• (7) If there are any other matters that we specify separately on our website, please include them in your request.

5.3. Cases in which we can respond to requests for Disclosure, etc.

6. Other information for Users residing in regions where GDPR applies

Regarding 6., it applies only to Users residing in regions where GDPR is applicable.

6.1. Right of access (GDPR Article 15)

Users have the right to ask us if we process any information about them and if so, they have the right to access certain information such as the purpose and categories of processing.

6.2. Right to rectification or erasure (GDPR Articles 16, 17)

Users have the right to ask us to rectify any inaccurate information about them without undue delay (GDPR Article 16). Also, Users have the right to ask us to erase their information without undue delay in certain circumstances such as when their information is no longer necessary, they have withdrawn their consent based on GDPR Article 6.1(a), or other specific requirements based on GDPR Article 17.

6.3. Right to restriction of processing (GDPR Article 18)

Users have the right to ask us to restrict the processing of their information in certain circumstances such as when they doubt the accuracy of their information or other specific requirements based on GDPR Article 18.

6.4. Right to object to processing (GDPR Article 21)

Users have the right to object to the processing of their information in certain circumstances based on specific requirements under GDPR Article 21.

6.5. Right to data portability (GDPR Article 20)

Users have the right to receive their own information that is managed as a database, in a structured, commonly used, machine-readable format, provided certain requirements are met. Users also have the right to transfer their personal data to another controller without hindrance from us.

6.6. Contacting us

The contact information for Users to assert their rights from 6.1. to 6.5. is as listed in “7. Contact information”. The procedure required to exercise these rights is the same as the one described in “5.1 Procedures for requesting Disclosure, etc”, but please indicate “Claim based on GDPR” in the email title.

6.7. Exclusion from automated decision making (GDPR Article 22)

We will not cause legal effects or similarly significant impacts on Users by making decisions solely based on automated processing of their personal data.

6.8. Right to lodge a complaint with a supervisory authority

If Users object to our processing of their personal data, they may lodge a complaint with the supervisory authority in the GDPR member state where they reside, work, or where the alleged violation occurred.

7. Contact information

For inquiries regarding the handling of User Information by us, please contact us by email at:
privacy@stroly.jp

8. More information about our company

Please visit:
https://corp.stroly.com/

9. About the revision of the Policy

When revising the Policy, we will publish the fact that it has been revised, the revision date, and the revised content on the Service.