FeelFlow Privacy Policy

Privacy Policy
Version 1.2.0
Effective date: April 19, 2026

Note: This English text is provided for convenience only. The Japanese version is the legally binding original; in the event of any discrepancy, the Japanese version prevails.

Last updated: April 19, 2026

FeelFlow Inc. (hereinafter "the Company") establishes this Privacy Policy (hereinafter "this Policy") as set forth below regarding the personal information handled in the services belonging to the FeelFlow AI Ecosystem (hereinafter collectively "the Service"), in compliance with the Act on the Protection of Personal Information (hereinafter the "APPI") and other relevant laws and regulations.

1. Collection of Personal Information

In providing the Service, the Company collects the following personal information.

1.1 Information Obtained Directly from Users

Type of information | Examples
Account information | Name, email address, password (stored hashed)
Organization information | Organization name, address, contact person information
Payment information | Credit card information (processed directly by Stripe; the Company does not retain card numbers)
Profile information | Display name, avatar image, language setting
Inquiry information | Name, email address, company name, phone number, category, and inquiry content provided through the inquiry form or the inquiry desk
Marketing delivery settings | Opt-in status per Subscription Category (Inquiry Follow-up Communications / Regular Newsletter), date and time of Double Opt-in confirmation, date and time of unsubscription, reason for unsubscription (optional)
Consent records | Date and time of consent to the Terms of Service / Privacy Policy / Marketing Communications, the version consented to, and the IP address and user agent at the time of consent

1.2 Information Obtained Automatically Through Use of the Service

Type of information | Examples
Access logs | IP address, access date/time, request content
Device information | Browser type, OS, screen resolution
Cookie information | Session management cookies, authentication tokens
Usage status | Login history, feature usage status, error logs
Inquiry submission metadata | Source IP address, user agent, source service (the Service's domain or an affiliated website)
Email delivery records | Send history of Marketing Communications, open/click status, bounce count

1.3 Information Obtained from Third Parties

  • When social login (Google, GitHub, etc.) is used, public profile information provided by the authentication provider
  • Information submitted via the inquiry form on the Company's affiliated websites (corporate site, etc.)

1.4 Information Obtained as an Anonymous Subscriber (newsletter_subscribers)

For persons who wish only to receive Marketing Communications without creating a FeelFlow ID Platform account (the "Anonymous Subscribers" set forth in Article 12 of the Terms of Service), the Company manages such recipients' registration information in a database logically independent of User accounts (the newsletter_subscribers table).

The information retained in an Anonymous Subscriber record is as follows:

  • Email address
  • Opt-in status per Subscription Category (Inquiry Follow-up Communications / Regular Newsletter)
  • Token for Double Opt-in confirmation and the confirmation date/time
  • A unique token for unsubscription (compliant with RFC 8058) and the date/time and reason for unsubscription (optional)
  • Registration route (source) and language setting (locale)
  • Email delivery records (send date/time, open/click status, bounce count, last send date/time)

An Anonymous Subscriber record will not be automatically linked even if a FeelFlow ID Platform user account (auth.users) corresponding to the same email address is later created; it is managed independently as a separate entity. The personal information of Anonymous Subscribers is handled under security control measures equivalent to those for ordinary account information.

2. Purposes of Use

The Company uses the collected personal information for the following purposes.

  1. Provision and operation of the Service: Account authentication, single sign-on, organization management
  2. Billing and payment processing: Subscription management, invoice issuance, payment processing
  3. Customer support: Responding to inquiries, handling incidents
  4. Service improvement: Analysis of usage status, feature improvement, new feature development
  5. Security: Detection and prevention of unauthorized access, identity verification
  6. Performance of legal obligations: Responses based on laws and regulations, tax processing
  7. Notices and contact: Sending important notices regarding the Service and maintenance information
  8. Marketing Communications: Sending announcements about the Service, introductions of new features, event information, newsletters, and similar — only when the User or Anonymous Subscriber has explicitly consented per Subscription Category and has completed confirmation via Double Opt-in
  9. Management of Anonymous Subscribers: Double Opt-in confirmation processing, management of the delivery status per Subscription Category (Inquiry Follow-up Communications / Regular Newsletter), processing of unsubscription and re-subscription, and prevention of erroneous sending to recipients who have already unsubscribed
  10. Retention of consent records: Management of evidence of obtaining and recording consent under the Specified Electronic Mail Act, the APPI, and other relevant laws and regulations

The Company will not use personal information beyond the scope of the above purposes of use. If the purposes of use are changed, the Company will reflect the changed purposes in this Policy and notify Users.

The Company does not use Users' personal information for the purpose of training AI models.

3. Provision to Third Parties

Except in the following cases, the Company does not provide personal information to third parties without the User's consent.

3.1 Provision to Subcontractors

To the extent necessary to provide the Service, the Company provides personal information to the following subcontractors.

Subcontractor | Purpose | Information provided | Location
Supabase, Inc. | Authentication infrastructure / database | Account information, authentication information | United States
Stripe, Inc. | Payment processing | Information necessary for payment (name, email address) | United States
Vercel, Inc. | Hosting / CDN | Access logs (IP address, request information) | United States
Render Services, Inc. | Backend hosting | Access logs (IP address, request information) | United States
Cloudflare, Inc. | CDN / edge computing | Access logs (IP address), traffic data | United States
Twilio Inc. (SendGrid) | Email delivery (transactional email and Marketing Communications) | Name, email address, email body, delivery record data | United States

For details on subcontractors, please refer to the List of Sub-processors.

3.2 Provision Based on Laws and Regulations

The Company may provide personal information without the User's consent when disclosure is required by law, when there is a court order, or when necessary to protect the life, body, or property of a person.

4. Management of Subcontractors

When the Company entrusts the handling of personal information, it conducts the following management of subcontractors.

  • In selecting subcontractors, the Company verifies their personal-information-protection framework
  • In the subcontracting agreement, the Company sets forth provisions regarding the handling of personal information
  • The Company periodically verifies the subcontractor's personal-information management status

5. Security Control Measures

To prevent leakage, loss, or damage of personal information, the Company implements the following security control measures.

5.1 Organizational Security Control Measures

  • Designation of a person responsible for the protection of personal information
  • Establishment of internal rules regarding the handling of personal information
  • Periodic inspection and audit of the handling status of personal information

5.2 Human Security Control Measures

  • Provision of education and training to employees regarding the protection of personal information
  • Conclusion of confidentiality agreements regarding the handling of personal information

5.3 Physical Security Control Measures

  • Management of areas where personal information is handled
  • Prevention of theft of devices, electronic media, and the like

5.4 Technical Security Control Measures

  • Encryption of communications (TLS/SSL)
  • Hashed storage of passwords
  • Recording and monitoring of access logs
  • Access control to databases
  • Application of regular security updates

5.5 Understanding of the External Environment

The Company implements security control measures after understanding the systems relating to the protection of personal information in the foreign countries (the United States and Singapore) where personal data is handled.

6. Rights of the Individual

Users and Anonymous Subscribers may make the following requests to the Company.

Right | Description
Disclosure request | To request disclosure of the User's personal information held by the Company
Correction/addition/deletion request | To request correction, etc. where the content of personal information is not factual
Suspension of use/erasure request | To request suspension of use, etc. where there has been use beyond the scope of the purpose of use, improper acquisition, where the information is no longer needed, where a leak or similar has occurred, or where there is otherwise a risk of harm to the rights or interests of the individual
Suspension of provision to third parties | To request suspension of provision to third parties
Unsubscribe from Marketing Communications | To stop receiving Marketing Communications per category or all at once (may be done at any time, free of charge, by the methods set forth in Article 11, Paragraph 5 of the Terms of Service)
Deletion of Anonymous Subscriber record | To request the complete deletion (hard delete) of personal information retained as an Anonymous Subscriber (newsletter_subscribers)

Request Procedure

The above requests may be made from the account settings screen of the Service or by contacting the inquiry desk below. After verifying your identity, we will respond within the period prescribed by law. For disclosure requests, in addition to delivery of documents, we also support provision by electromagnetic record (such as data download).

7. Cookies and Access Logs

7.1 Use of Cookies

The Service uses cookies for the following purposes.

  • Essential cookies: User authentication, session management (Supabase Auth)
  • Functional cookies: Retention of language settings and display settings

At present, the Company does not use tracking cookies for marketing purposes (third-party cookies for ad delivery, behavioral analysis, etc.). If introduced in the future, the Company will update this Policy and the Cookie Policy, provide advance notice, and obtain consent to the extent necessary.

For details on cookies, please refer to the Cookie Policy.

7.2 Access Logs

The Company records access logs to maintain the security of the Service and to improve the Service. Access logs are not used for the purpose of identifying individuals.

8. Retention Period of Personal Information

The Company retains personal information only for the period necessary to achieve the purposes of use.

Type of information | Retention period
Account information | 30 days after account deletion (recovery period)
Anonymous Subscriber data (newsletter_subscribers) | Retained for delivery purposes while the subscription status is active; after unsubscription, retained in a soft-deleted state (recording of unsubscribed_at) as evidence to prevent erroneous sending. Upon a deletion request, after verifying identity, we will promptly delete it completely to the extent permitted by law.
Payment history | After completion of the transaction, the period prescribed by law (up to 7 years)
Access logs | 1 year from acquisition
Inquiry records | 3 years after completion of the response
Marketing delivery history (send/open/click/bounce) | 2 years from acquisition
Consent records (Terms of Service / Privacy Policy / Marketing Communications) | The retention period required by law or 7 years after deletion of the corresponding account, whichever is longer

After the retention period elapses, personal information is promptly deleted or anonymized. With respect to consent records, because they need to function as evidence of obtaining consent, even after the corresponding account is deleted, the Company may — for the periods above only — retain them in a pseudonymized state in which personally identifying information is separated from other operational data (a state in which re-identification requires matching with separately managed identifiers) and under strict access control.

9. International Data Transfers

The Company's subcontractors are located in the United States and Singapore. Users' personal information may be transferred to these countries to the extent necessary to provide the Service.

9.1 Personal Information Protection Systems in the Destination Countries

Destination country | Overview of the system
United States | There is no comprehensive federal data protection law; sectoral legal regulations apply. Some state laws exist, such as the California Consumer Privacy Act (CCPA/CPRA), but they do not provide comprehensive protection equivalent to Japan's APPI.
Singapore | The Personal Data Protection Act (PDPA) is in force, and there are comprehensive regulations regarding the collection, use, and disclosure of personal data.

9.2 Protective Measures Taken by the Destinations

The Company has concluded a Data Processing Agreement (DPA) with each subcontractor and has confirmed that the following protective measures are in place.

Subcontractor | Measures in place
Supabase, Inc. | SOC 2 Type II certification, data encryption (at rest / in transit), DPA concluded
Stripe, Inc. | PCI DSS Level 1 certification, SOC 2 certification, data encryption, DPA concluded
Vercel, Inc. | SOC 2 Type II certification, data encryption, DPA concluded
Render Services, Inc. | SOC 2 Type II certification, data encryption, DPA concluded
Cloudflare, Inc. | SOC 2 Type II certification, ISO 27001 certification, data encryption, DPA concluded
Twilio Inc. (SendGrid) | SOC 2 Type II certification, ISO 27001 certification, data encryption, DPA concluded

10. Reporting of Leaks, etc.

If a leak, loss, or damage of personal data, or any other situation relating to the security of personal data that poses a significant risk of harm to the rights and interests of individuals occurs, the Company will take the following actions.

  1. Report to the Personal Information Protection Commission: The Company will provide a preliminary report (generally within approximately 3 to 5 days from the day it became aware of the situation) and a final report (within 30 days, or within 60 days in cases such as unauthorized access).
  2. Notification to the individual: After becoming aware of the situation, the Company will promptly notify the individual of an overview of the situation, the items of personal data involved in the leak, etc., the cause, the risk of secondary harm, and other matters for reference.

11. Changes to This Policy

The Company may change this Policy as necessary in response to changes in laws and regulations, changes in service content, or otherwise. The changed Policy takes effect at the time it is posted on the Service. For important changes, the Company will provide advance notice by email or other appropriate methods.

12. Inquiry Desk

For inquiries regarding the handling of personal information, please contact us at the following.

  • Business name: FeelFlow Inc.
  • Address: Shibuya Mark City W 22F, 1-12-1 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
  • Representative: Jun Hattori, Representative Director
  • Personal Information Protection Manager: Representative Director
  • Email: contacts@feelflow.net

Established: February 17, 2026
Revised: April 16, 2026 (v1.1.0: added handling of inquiry information, shadow accounts, and marketing delivery; added SendGrid as a subcontractor)
Revised: April 19, 2026 (v1.2.0: removed shadow account provisions; reflected Double Opt-in, the Anonymous Subscriber (newsletter_subscribers) model, and independent management of Subscription Categories)
FeelFlow Inc.
