Cybozu, Inc. and Cybozu Labs, Inc., (“Cybozu”) appropriately handle personal information collected in the course of providing products and services, holding events, and conducting other business activities, in accordance with the policy described below. In this policy, "personal information," "personal data," and "retained personal data" are used in accordance with the terminology used in the Act on the Protection of Personal Information (Act No. 57 of 2003. Hereinafter, the "Personal Information Protection Act"). Please note that the handling of personal information in recruitment activities is specified separately here.
In the course of conducting our business activities, Cybozu collects personal information, including the following:
Cybozu may collect the My Number (national identification number) of individuals, such as sole proprietors, speakers, etc., for use in the preparation of payment statements and withholding tax certificates.
Cybozu uses the collected personal information to the extent necessary to achieve the purposes described below. If Cybozu uses personal information beyond the extent necessary to achieve the purposes described below, we will do so only after obtaining the consent of the individual concerned.
(1) Purposes personal information of people who have purchased or used our products and services, or who have an interest in our products and services ("Customers") is used for:
to provide a range of information on products and services (new products and services, new features, feature improvements, case studies, etc.)
to provide information on, and to run, seminars and events
to manage customer transaction information, such as subscription applications for our products and services, changes to Customer Information, subscription renewals and cancellations, etc.
to estimate and/or bill for products, services, and subscription fees
to send thank you letters for purchasing our products and services
to advise that we are conducting a survey on products and services, as well as to notify winners, and to send out prizes
to provide information on product and service maintenance, failures, etc.
to reply to inquiries received and to provide customer support
to manage certification programs, user communities, and developer communities
to utilize as basic data to enhance and improve our products and services; and
to measure the effectiveness of marketing and customer support initiatives.
(2) Purposes personal information of people in charge at Cybozu business partners is used for:
to manage business partner information
to engage in the necessary communications to enter into contracts and carry out transactions; and
to carry out billing and payment operations.
(3) Purposes personal information of people who have reported vulnerabilities in our products and services, or information security incidents at our company ("Reporter") is used for:
to contact the Reporter
to pay a bounty if the Reporter is participating in a Bug Bounty Program, and to administer said program; and
if the Reporter is participating in a Bug Bounty Testing Environment Program, to provide the vulnerability verification environment and to administer said program.
(4) Purposes personal information of shareholders and people who are interested in becoming a shareholder is used for:
to exercise Cybozu’s rights and fulfill our obligations under the Companies Act
to implement various IR (Investor Relations) measures; and
to manage shareholders, including the preparation of shareholder data as per the prescribed standards under the various laws and regulations.
(5) Purposes personal information of media representatives and other individuals not included in (1) through (4) above is used for:
to contact the person; and
to provide information on, and to run, seminars and events.
(6) Common purposes of using personal information in (1) through (5):
to comply with applicable laws and regulations
to exercise or defend Cybozu’s legal rights; and
in the event of a merger, acquisition, sale, or other transaction involving the business or its assets, to support or give effect to the transaction.
Cybozu will not provide personal data to third parties without the prior consent of the individual, except in the following cases:
when providing the Customer Information, to the provider of a billing and/or payment collection service for the payment of products and services or subscription fees
when co-hosting a seminar or event with another company, and providing the co-host with the participants’ personal data
when required by law
when it is necessary for the protection of the life, body, or property of a person and it is difficult to obtain the consent of the individual
when it is particularly necessary to improve public health or promote the sound development of children, and it is difficult to obtain the consent of the individual; and
when it is necessary to cooperate with a national government agency or a local government, or a person entrusted by either of the aforementioned in performing duties prescribed by laws and regulations, and obtaining the consent of the individual concerned is likely to impede the performance of such duties.
Cybozu may outsource some of the handling of personal data. When Cybozu outsources, we will select a contractor on the condition that the company has secured a sufficient level of personal data protection, and will do so only after having entered into a contract pertaining to personal data. In addition, Cybozu will conduct the necessary and appropriate supervision in relation to the management of said contractors.
Cybozu will jointly use personal data between Cybozu and our subsidiaries (the "Cybozu Group") only when necessary within the scope described below.
Items of personal information to be jointly used
Items stated in “1 Information that we Collect”
Scope of joint users
The Cybozu Group
Purpose of use
Items stated in “2 How we Use your Information”
(4) Chief Administrator
Cybozu takes necessary and appropriate measures, including those described below, to prevent the leakage, loss of, or damage to personal data handled by the company and to otherwise securely manage personal data.
(1) Formulation of basic policy/Establishment of rules on handling of personal data
Cybozu has established internal regulations for each stage of collection, use, and provision of personal data, including handling methods, responsible persons and persons in charge, and their duties, in order to ensure the proper handling of personal data.
(2) Systematic security control measures
Cybozu has a system in place for reporting and communicating with the person in charge for when signs of, or actual violations of laws, or internal regulations are identified.
Cybozu conducts regular self inspections on the status of personal data handling.
(3) Human security control measures
Cybozu conducts regular training for employees on the important points regarding the handling of personal data.
Matters relating to maintaining the confidentiality of personal data are stated in the Work Rules.
(4) Physical security control measures
In areas where personal data is handled, employee access is controlled and restrictions imposed on devices brought into the area, and measures are implemented to prevent unauthorized persons from viewing personal data.
In addition to taking measures to prevent the theft or loss of equipment, electronic media, documents, etc., that handle personal data, Cybozu takes measures to ensure that personal data is not easily revealed when such equipment, electronic media, etc., are transported, including within the business premises.
(5) Technical security control measures
Cybozu implements access controls limiting the range of people in charge and extent of the personal information database, etc., they can handle.
Cybozu has implemented systems to protect information systems that handle personal data from unauthorized access from outside and from unauthorized software.
(6) Understanding the external environment
In the case of storing personal data in a cloud service, if either, the country where the cloud service provider of the cloud service is located, or the country where the server where the personal data is stored is located, is a foreign country, Cybozu takes the necessary and appropriate measures for the safe management of personal data based on an understanding of said foreign country's legal systems, etc., for the protection of personal information.
Cybozu will respond to requests for disclosure of your retained personal data, correction, addition or deletion of the content of your retained personal data, cessation of use, or deletion of your retained personal data, or cessation of provision of your retained personal data to third parties ("Requests for Disclosure, etc.") to the extent permitted by the Personal Information Protection Act. If you wish to make Requests for Disclosure, etc., or to make a complaint regarding our handling of personal information, please contact us at the inquiries desk listed in "9 Contact Us.”
This policy is subject to revision without notice in response to changes in laws and regulations, changes in business activities, etc. Your understanding is appreciated.
For all inquiries regarding this policy, please contact us at: Personal Information Inquiries Desk, Cybozu, Inc. firstname.lastname@example.org
Revised on February 12, 2017
Revised on July 28, 2017
Revised on December 3, 2021