Privacy Policy (April 8, 2026)

Language Note

This English version is provided for convenience. In the event of any inconsistency between the Japanese version and the English version, the Japanese version shall prevail.

Privacy Policy

1. Company Information

Personal Information Handling Business Operator: Nulab Inc.

Address: 1-8-6 Daimyo, Chuo-ku, Fukuoka-shi, Fukuoka, Japan

Representative: Masanori Hashimoto, Representative Director

(Our contact point is provided at the end of this Policy.)

2. Scope of Application

This Policy applies to personal information that the Company directly acquires and uses.

As a general rule, with respect to personal data included in User Data*, the Company processes such data on behalf of the Subscriber (that is, in its capacity as a processor / entrusted party). The conditions applicable to such Processing (including subprocessors, processing regions, access controls, retention, and deletion) shall be governed by the Data Processing Addendum (DPA) separately established by the Company.

*“User Data” means information input, sent, uploaded, or caused to be generated by users in the Service (including content, attachments, comments, diagram data, and the like), and metadata generated within the Service in connection with the management, display, search, or sharing of such information (including creation date and time, update date and time, creator, identifiers, tags, and the like). For the avoidance of doubt, User Data does not include logs, measurement data, performance indicators, or any other information generated or collected for the provision, operation, security, or quality maintenance of the Service (Service Data).

3. Information We Collect

The Company collects the following information (the information collected by the Company varies depending on how it is obtained and how the relevant services are used).

(1) Information collected in connection with service provision and contract administration (examples)

  • Account registration information (name, phone number, email address, user ID, company name, organization information, title, etc.)
  • Information relating to contracts, billing, and payment (billing information, payment status, transaction records, etc.)
  • Information relating to support services (inquiry details, contact information, support history, etc.)
  • Information for security purposes (authentication events, administrator settings, audit logs, etc.)

(2) Information collected in connection with corporate activities (examples)

  • Information relating to job applicants (application documents, screening results, contact information, etc.)
  • Information relating to shareholders (information necessary for shareholder administration and legal compliance, etc.)
  • Information relating to representatives of business partners (information necessary for contracts, purchase orders, payments, communications, etc.)

(3) Information collected in connection with the use of our website and the like (examples)

  • Cookies and other identifiers, access history, device and browser information, pages viewed, referrers, and the like

For details, please refer to the Cookie Policy: https://nulab.com/ja/privacy/cookie-policy/

4. Purposes of Use

The Company uses acquired personal information for the following purposes.

(1) Service provision and operation

  • Account management, authentication, organization management, billing and payment processing, and contract administration
  • Responding to inquiries, providing support, and communicating important notices
  • Quality maintenance, incident analysis, fraud prevention, security assurance, and legal compliance

(2) Corporate activities

  • Recruitment screening, communication with applicants, and onboarding procedures
  • Shareholder administration, responses under the Companies Act and other laws, and communications
  • Contracts, purchase orders, payments, communications, and compliance responses with business partners

(3) Marketing and improvement (limited to information directly acquired and managed by the Company)

  • Information on the Company’s services, events, and materials, and conducting surveys
  • Improvement of the Company’s website and the like, and measurement of advertising effectiveness (including where Cookies or similar technologies are used)

If means to unsubscribe or opt out are available, they will be provided in accordance with the methods prescribed by the Company.

5. Provision to Third Parties

The Company does not provide personal information to third parties except where permitted by law or where the individual has consented. For the avoidance of doubt, provision in connection with entrustment, joint use, or business succession may not constitute provision to a third party under applicable law.

6. Entrustment

The Company may entrust all or part of the handling of personal information to third parties to the extent necessary to achieve the purposes of use (for example, payment processing, customer management, email distribution, recruitment management, and the like).

The Company shall select and supervise such contractors and shall implement appropriate contractual arrangements and security control measures.

7. Cross-Border Transfers

The Company may provide personal data to, or have personal data handled by, third parties located in foreign countries by means of entrustment or otherwise.

In such cases, the Company shall take one of the following measures in accordance with Article 28 of the Act on the Protection of Personal Information of Japan (the “APPI”) and the relevant provisions of the APPI Enforcement Rules (Articles 17 and 18 thereof).

(1) Provision based on the individual’s consent

Where the individual’s consent is required under Article 28, Paragraph 1 of the APPI, the Company shall obtain the individual’s prior consent. In obtaining such consent, the Company shall provide, in accordance with Article 17 of the APPI Enforcement Rules and by an appropriate method (including provision of electronic records or delivery of written documents), the following information: (i) the name of the relevant foreign country; (ii) information concerning the personal information protection system in such foreign country; and (iii) information concerning the protective measures taken by the relevant third party.

(2) Provision based on an equivalent system

Where the Company provides personal data to a third party located in a foreign country that has established a system conforming to the standards prescribed by the rules of the Personal Information Protection Commission, the Company shall, in accordance with Article 28, Paragraph 3 of the APPI and Article 18 of the APPI Enforcement Rules, take necessary measures to ensure the continuous implementation by such third party of equivalent protective measures (including periodic review, corrective action in the event of impediments, suspension of provision, and the like).

Information regarding cross-border transfers of personal data directly acquired and managed by the Company (including the country in which the recipient is located, the personal information protection system of such country, the protective measures taken by the recipient, the status of ensuring equivalent measures, and other information required by law) is disclosed on the following pages:

https://nulab.com/app/assets/pdf/terms/personal-data-overseas-transfer-information-ja.pdf (Japanese)
https://nulab.com/files/terms/personal-data-overseas-transfer-information-en.pdf (English)

With respect to personal data included in User Data, where the Company causes subprocessors to process such data for the provision of the Service, the relevant subprocessors and processing regions are set forth in Schedule 3 (Subprocessor List Page) of the Data Processing Addendum (DPA).

Japanese: https://nulab.com/ja/privacy/list-of-service-providers/
English: https://nulab.com/privacy/list-of-service-providers/

If, pursuant to Article 17, Paragraphs 3 and 4 of the APPI Enforcement Rules, the name of the country or information regarding protective measures cannot be provided at the time consent is obtained, the Company shall provide notice of that fact and the reasons therefor in accordance with the APPI Enforcement Rules.

In addition, where requested by the individual pursuant to Article 28, Paragraph 3 of the APPI, the Company shall provide, without delay, the information specified in the items of Article 18, Paragraph 3 of the APPI Enforcement Rules (including the manner in which the relevant system has been established, an outline of the equivalent measures, the frequency and method of confirmation, the name of the country, the existence and outline of the relevant system, the existence and outline of any impediments, and an outline of the measures taken by the Company), except where the proviso to that paragraph applies.

8. Security Control Measures

The Company has taken necessary and appropriate measures, including those described below, to prevent leakage, loss, or damage of personal data handled by the Company and otherwise to ensure the secure management of such personal data. In addition, the Company has established an appropriate response framework in preparation for incidents relating to personal information, and reviews and improves its security control measures as necessary.

(1) Formulation of basic policy

To ensure the proper handling of personal data, the Company complies with applicable laws, regulations, guidelines, and the like.

The Company has established a basic policy for ensuring the proper handling of personal data.

(2) Development of internal rules for the handling of personal data

The Company has established internal rules concerning the acquisition, use, provision, storage, deletion, and other handling of personal information.

(3) Organizational security control measures

The Company has appointed a person responsible for the handling of personal information and clarified the employees who handle personal information and their respective roles.

The Company has established a reporting and communication framework for cases where a violation of laws or internal rules, or the risk thereof, is identified.

(4) Human security control measures

The Company provides education and training to employees regarding matters to be noted in handling personal data.

The Company imposes necessary confidentiality obligations on employees and contractors who access personal data.

(5) Physical security control measures

The Company has implemented measures to prevent unauthorized persons from viewing, removing, stealing, or losing areas, devices, electronic media, documents, and the like that handle personal data.

Where devices, electronic media, or the like containing personal data are transported, the Company implements appropriate measures so that the contents cannot be easily identified.

(6) Technical security control measures

The Company implements access controls and limits employees who may access personal data, and the scope of information handled, to the minimum extent necessary.

The Company has implemented measures to protect information systems handling personal data from unauthorized external access, malicious software, and other threats.

For communications containing personal data, the Company implements encryption and other appropriate protective measures.

(7) Understanding of the external environment

Where the Company handles personal data using cloud services or other external service providers, the Company identifies the systems relating to personal information protection in the country or region where such providers or data storage locations are situated and takes necessary and appropriate security control measures.

9. Requests for Disclosure, etc. of Retained Personal Data

Where the Company receives from the individual or such individual’s representative a request under the APPI with respect to retained personal data for disclosure, correction, suspension of use, cessation of third-party provision, or disclosure of records of third-party provision, the Company shall respond in accordance with applicable law.

The procedures for making such requests, methods of identity verification, fees (if any), and the like will be explained through the Company’s designated contact point.

10. Cookies, etc.

The Company may use Cookies and similar technologies on its website and the like. For details (including purposes of use, third-party services used, and methods of opting out), please refer to the Cookie Policy.

Cookie Policy

Japanese: https://nulab.com/ja/privacy/cookie-policy/
English: https://nulab.com/privacy/cookie-policy/

11. Amendments

If this Policy is amended, the Company will provide prior notice on its website in the case of any material amendments.

12. Contact

Contact point for inquiries regarding personal information: https://nulab.com/ja/contact/


Appendix: Handling of Personal Information of Customers Located in the EEA or the United Kingdom

With respect to the handling of personal information of customers located in the EEA (European Economic Area) or the United Kingdom, this Appendix shall apply in addition to this Privacy Policy in accordance with applicable laws. In the event of any inconsistency between this Appendix and this Privacy Policy, this Appendix shall prevail to the extent of such inconsistency.

1. Roles

(1) With respect to personal information directly acquired and used by the Company, the Company shall act as the controller.

(2) With respect to personal data included in User Data, the Company shall, in principle, act as a processor processing such data on behalf of the Subscriber. In such case, the conditions applicable to such Processing shall be governed by the Data Processing Addendum (DPA) separately established by the Company.

(1) The Company processes personal data primarily on the following legal bases for the purposes of use described in the main body of this Privacy Policy:

(i) where necessary for the performance of a contract or for taking steps prior to entering into a contract;
(ii) where necessary for compliance with a legal obligation to which the Company is subject;
(iii) where necessary for the legitimate interests of the Company or a third party, except where such interests are overridden by the rights and interests of the individual; and
(iv) where the consent of the individual is required, based on such consent.

(2) Where the Company processes personal data on the basis of legitimate interests, such interests include the operation and improvement of the Service and the Company’s website, ensuring security, preventing unauthorized use, incident response, security monitoring, responding to inquiries, business operations, and compliance matters.

3. Cross-Border Transfers

(1) The Company may transfer personal data outside the EEA or the United Kingdom, or may have such data handled by third parties outside those regions.

(2) In such cases, where required under applicable law, the Company shall address such transfers on the basis of the Standard Contractual Clauses (SCCs), the UK Addendum, or any other lawful transfer mechanism.

(3) Information regarding cross-border transfers of personal data directly acquired and managed by the Company is disclosed on the page identified in the main body of this Privacy Policy. Information regarding subprocessors and processing regions relating to personal data included in User Data is set forth in the DPA and on the List Page.

4. Retention Period

The Company retains personal data for the period necessary to achieve the purposes of use or for the period required under applicable law. Specific retention periods or the criteria used to determine them shall be governed by the main body of this Privacy Policy, the Deletion Policy, the DPA, and other documents separately established by the Company.

5. Rights of Individuals

Individuals located in the EEA or the United Kingdom may, in accordance with applicable law, exercise the following rights with respect to their personal data held by the Company:

(1) the right to request access;
(2) the right to request rectification;
(3) the right to request erasure;
(4) the right to request restriction of Processing;
(5) the right to request data portability;
(6) the right to object to Processing based on legitimate interests or for direct marketing purposes;
(7) where Processing is based on consent, the right to withdraw consent at any time (without affecting the lawfulness of Processing based on consent before its withdrawal); and
(8) the right to lodge a complaint with a competent supervisory authority.

6. Contact

For the exercise of the above rights or inquiries regarding this Appendix, please contact the contact point set forth in “12. Contact” of this Privacy Policy.

7. Representative and Data Protection Officer

If the appointment of a representative or a data protection officer in the EEA or the United Kingdom is required under applicable law, the Company shall publish the relevant information on its website or by any other appropriate means.


Appendix: Handling of Personal Information of Customers Residing in the State of California, United States

With respect to the handling of personal information of customers residing in the State of California, United States, this Appendix shall apply in addition to this Privacy Policy in accordance with the California Consumer Privacy Act and other applicable laws. In the event of any inconsistency between this Appendix and this Privacy Policy, this Appendix shall prevail to the extent of such inconsistency.

1. Definitions

Terms used in this Appendix shall have the meanings given to them under the California Consumer Privacy Act and other applicable laws. In particular, the following terms shall have the meanings set forth below in this Appendix.

(1) “Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a customer’s personal information by the Company to a third party for monetary or other valuable consideration.

(2) “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a customer’s personal information by the Company to a third party for cross-context behavioral advertising.

2. Notice at Collection

(1) During the preceding 12 months, the Company may have collected, and may continue to collect, the following categories of personal information relating to California residents:

(i) Identifiers
(including name, email address, user ID, IP address, cookie identifiers, and other similar information)

(ii) Categories of personal information described in the California Customer Records statute
(including billing information, payment information, transaction records, and other information relating to contracts, billing, and payments)

(iii) Commercial information
(including contract information, purchase history, service usage history, and inquiry history)

(iv) Internet or other electronic network activity information
(including access history, pages viewed, referrers, device information, and browser information)

(v) Professional or employment-related information
(including title, employer information, and job applicant information)

(vi) Sensitive personal information
(limited to authentication credentials necessary to access an account and other information that constitutes sensitive personal information under applicable law, to the extent collected by the Company)

(2) For details regarding the personal information the Company collects, the purposes of use, the sources from which the information is collected, and retention periods, please refer to the relevant sections of this Privacy Policy.

3. Disclosure

The Company may disclose personal information for business purposes to contractors, external service providers, the Company’s group companies, public authorities, and other parties permitted by applicable law.

4. Sale and Sharing

(1) The Company does not provide the personal information of California residents to third parties in a manner that constitutes a “sale” under applicable law.

(2) For purposes such as advertising, measurement of advertising effectiveness, analytics, and similar activities on the Company’s website and the like, the Company may provide to third parties, or allow third parties to handle, cookies, identifiers, and internet or other electronic network activity information, and such handling may constitute “sharing” under applicable law.

(3) If the Company engages in handling that constitutes “sharing,” the Company shall provide the notices, opt-out mechanisms, and any other measures required under applicable law.

5. Sensitive Personal Information

Even where the Company collects sensitive personal information, the Company will, in principle, use or disclose such information only within the scope of the purposes stated in this Privacy Policy and this Appendix, including service provision, security assurance, fraud prevention, and legal compliance. Where applicable law grants a right to limit such use or disclosure, the Company will respond in accordance with such law.

6. Rights of California Residents

California residents may, subject to applicable law, exercise the following rights with respect to the Company:

(1) the right to request disclosure of the categories of personal information collected, the sources from which it was collected, the purposes of use, the categories of recipients to whom it was disclosed, and the specific pieces of personal information collected by the Company;

(2) the right to request deletion of personal information held by the Company, except where a legal or business exception applies;

(3) the right to request correction of inaccurate personal information held by the Company;

(4) the right to opt out where the Company sells or shares personal information;

(5) the right to request limitation of the use or disclosure of sensitive personal information where such right applies under law; and

(6) the right not to receive discriminatory treatment for exercising these rights.

7. How to Exercise Rights

(1) If you wish to exercise any of the above rights, please contact the contact point set forth in “12. Contact” of this Privacy Policy.

(2) The Company may request additional information to the extent necessary to understand, evaluate, and respond to the request.

(3) Requests may be made by the customer, an agent duly authorized by the customer, or any other person permitted under applicable law.

(4) The Company may verify the identity of the requester and the authority of any agent in accordance with applicable law.

8. Handling During the Preceding 12 Months

The Company will disclose, in accordance with applicable law, the status of its collection, use, and disclosure of personal information during the preceding 12 months.

Updates: