プライバシーポリシー

Effective Date: [DATE] · Last Updated: [DATE]

弁護士によるレビューが必要なドラフトです。[LIKE THIS] のプレースホルダーは法人登記後に記入されます。

1. Who We Are

This Privacy Policy describes how Benricart ("we," "us," "our") collects, uses, stores, and protects your personal information when you use the Benricart marketplace platform ("Platform").

Company Name: [COMPANY NAME] 合同会社 / 株式会社

Representative: [REPRESENTATIVE NAME]

Address: [REGISTERED ADDRESS], Japan

Privacy Contact: privacy@benricart.jp

This Policy complies with Japan's 個人情報の保護に関する法律 (Act on the Protection of Personal Information — APPI/PIPA), effective as amended. By using the Platform, you acknowledge that you have read and understood this Policy.

2. Personal Information We Collect

2.1 Information You Provide Directly

Data	When Collected	Who It Applies To
Email address	Account registration	All users
Phone number	Registration (optional buyers, required sellers)	All users
Full name	Registration and checkout	All users
Shipping address	Order placement	Buyers
Language preference	Registration or settings	All users
Profile photo	Optional, user-uploaded	All users
Government-issued ID	Seller verification	Sellers only
Business registration documents	Seller verification	Business sellers only
Business address	Seller registration	Sellers only
Store name and description	Seller registration	Sellers only
Japanese bank account details	Seller payout setup	Sellers only
Product listings content	Listing creation	Sellers only
Review content	After purchase	Buyers
Dispute details and evidence photos	When a dispute is filed	Buyers
Messages sent via Platform	Buyer-seller messaging	All users

2.2 Information Collected Automatically

Data	Purpose	Retention
IP address	Security, fraud prevention	90 days
Device type and browser	Platform compatibility, security	90 days
Pages visited and time spent	Platform improvement, analytics	12 months (anonymized)
Order and transaction history	Order management, dispute resolution	7 years (tax law)
Login timestamps	Security audit	12 months
Search queries	Search improvement	90 days (anonymized)

2.3 Information from Third Parties

Source	Data Received	Purpose
Authentication service	User ID, email, session tokens	Account authentication
Payment service	Payment status, payout confirmations	Payment processing and seller payouts
Delivery carriers	Tracking status updates	Order tracking

We do not purchase personal data from data brokers.

3. How We Use Your Personal Information

We use your personal information only for the purposes stated below:

Purpose	Legal Basis (APPI)
Creating and managing your account	Contract performance
Processing orders and payments	Contract performance
Verifying seller identity and eligibility	Legal obligation + contract performance
Delivering seller payouts via Stripe	Contract performance
Sending order, shipping, and delivery notifications	Contract performance
Handling disputes and refunds	Contract performance
Preventing fraud and ensuring platform security	Legitimate interests
Complying with Japanese tax and financial record-keeping laws	Legal obligation
Sending marketing emails about new features or promotions	Consent (opt-in only; opt out at any time)
Improving Platform features and performance	Legitimate interests (anonymized analytics only)
Responding to your support inquiries	Contract performance

We do not use your personal information for automated decision-making that produces legal effects without human review.

4. How We Share Your Personal Information

We do not sell your personal information. We share it only as described below.

4.1 Between Buyers and Sellers

When you place an order: your shipping name and delivery address are shared with the seller to fulfill your order; your first name and order details are visible in the seller's dashboard; your email address is not shared with the seller unless you contact them via Platform messaging. For reviews, your display name (first name + last initial) is shown.

4.2 Third-Party Service Providers

We work with carefully selected service providers to operate the Platform. All providers are bound by data processing agreements and are contractually prohibited from using your data for their own purposes:

Service Category	Data Shared	Purpose
Identity & authentication service	User ID, email, session data	Secure login and account management
Payment processing service	Name, email; bank account details (sellers only)	Processing orders and seller payouts
Cloud infrastructure & content delivery	Files you upload, request routing metadata	Secure storage of product images and verification documents; global content delivery
Database hosting service	Platform operational data	Secure, reliable data storage
Transactional email service	Email address, name	Order confirmations, account notifications

All service providers are located in the United States and operate under appropriate data transfer safeguards. You may request the full list of named subprocessors by emailing privacy@benricart.jp.

4.3 Cross-Border Data Transfers

The service providers above are based in the United States. Your personal data is transferred to and processed in the United States under appropriate safeguards consistent with APPI requirements. By using the Platform, you consent to this transfer.

4.4 Legal Requirements

We may disclose your personal information if required by: Japanese law, court order, or government authority; to protect the rights, property, or safety of Benricart, our users, or the public; in connection with fraud prevention or law enforcement cooperation.

4.5 Business Transfers

If Benricart is acquired, merged, or its assets transferred, your personal information may be transferred as part of that transaction. You will be notified in advance if this occurs.

5. Cookies and Tracking

5.1 Cookies We Use

Cookie	Provider	Purpose	Duration	Can opt out?
Authentication session cookie	Authentication service	Keeps you logged in	Session	No — required for login
Authentication token cookie	Authentication service	Authentication token	Session	No — required for login
benricart_lang	Benricart	Saves your language preference	1 year	Yes
Analytics cookie	Hosting service	Anonymous usage analytics	30 days	Yes

We do not use advertising cookies or tracking pixels. We do not participate in cross-site behavioral advertising.

5.2 Cookie Consent

Essential cookies (authentication) cannot be disabled — they are required for the Platform to function. Non-essential cookies (analytics, language preference) require your consent. A cookie consent banner is shown on your first visit.

6. Data Retention

We retain your personal information for as long as necessary for the purposes described in this Policy:

Data Type	Retention Period	Reason
Account information (name, email, phone)	Until account deletion + 5 years	Dispute resolution, legal obligations
Order and transaction records	7 years from transaction date	Japanese tax law (国税通則法)
Shipping addresses	5 years from last order	Dispute resolution
Seller verification documents	5 years from account closure	Anti-fraud, legal compliance
Seller bank account details	Until removed + 5 years	Payout audit trail
Dispute records and evidence	5 years from resolution	Legal compliance
Messages between users	3 years from last message	Dispute resolution
IP address and security logs	90 days	Security monitoring
Analytics data	12 months (anonymized after 30 days)	Platform improvement
Marketing consent records	Until consent withdrawn + 3 years	Compliance with opt-out obligations

When the retention period expires, we securely delete or anonymize your data.

7. Data Security

In Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3.

At Rest

Database access is restricted to authenticated backend service accounts only. Seller verification documents are stored in a private Cloudflare R2 storage bucket with no public access. Administrative access to verification documents uses signed URLs that expire after 15 minutes.

Access Controls

Platform access is controlled by Clerk authentication. Admin panel access requires a verified admin role. Internal staff access to personal data is limited to what is necessary for their role. All admin actions on personal data are logged.

Incident Response

In the event of a breach affecting 1,000 or more individuals or involving sensitive data, we will notify the Personal Information Protection Commission (個人情報保護委員会) within the legally required timeframe and notify affected users promptly.

Despite these measures, no system is completely secure. We cannot guarantee absolute security of your data.

8. Your Rights Under APPI

Under Japan's Act on the Protection of Personal Information, you have the following rights:

8.1 Right to Disclosure (開示請求)

You may request a copy of the personal information we hold about you.

8.2 Right to Correction (訂正請求)

You may request correction of inaccurate or incomplete personal information.

8.3 Right to Deletion (削除請求)

You may request deletion of your personal information. Note: we may be required to retain certain data for legal obligations (e.g., tax records for 7 years) and cannot delete this data on request.

8.4 Right to Opt Out of Use (利用停止請求)

You may request that we stop using your personal information for specific purposes (e.g., marketing), subject to legal and contractual obligations.

8.5 Right to Opt Out of Third-Party Provision (第三者提供停止請求)

You may request that we stop sharing your personal information with third parties, except where required by law or necessary to fulfill a contract.

8.6 How to Exercise Your Rights

Submit your request by email to: privacy@benricart.jp

Include: your full name; email address registered with your account; description of the right you wish to exercise; sufficient information to verify your identity.

We will respond within 2 weeks as required by APPI. Requests are processed free of charge unless manifestly unfounded or excessive.

9. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a minor has provided us with personal information, please contact privacy@benricart.jp and we will delete it.

10. Marketing Communications

We will only send you marketing emails if you have opted in. You may withdraw consent at any time by: clicking the unsubscribe link in any marketing email; updating notification preferences in your account settings; emailing privacy@benricart.jp.

Withdrawing consent does not affect transactional emails (order confirmations, dispute notifications, payout alerts) — these are necessary for your use of the Platform and cannot be disabled while your account is active.

11. Links to Third-Party Sites

The Platform may contain links to external websites. This Privacy Policy does not apply to those sites. We encourage you to read the privacy policies of any external sites you visit.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will notify you by email and/or Platform notification at least 14 days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

13. Contact — Privacy Inquiries

Privacy Contact: privacy@benricart.jp

Postal Address: [REGISTERED ADDRESS], Japan

Response Time: Within 2 weeks

If you are not satisfied with our response, you may file a complaint with:

個人情報保護委員会 (Personal Information Protection Commission)

Website: www.ppc.go.jp

Address: 〒100-0013 東京都千代田区霞が関3-2-1 霞が関コモンゲート西館32階