KARTE PRIVACY POLICY

Introduction:

“KARTE,” as provided by PLAID, Inc. (the “Company”), is a CX (customer-experience) platform which enables communication tailored to individual users visiting websites, apps, etc. through analyzing in real time their data of attributes, behaviors, etc., as a one-stop service. The Company has been engaged in the mission of the protection of user data and information security, recognizing them as extremely important agendas, through acquiring third party certifications such as ISO/IEC 27001 (international standard of information security management system), IS/IEC 27017 (international standard of cloud security) and the Japanese PrivacyMark System. The Company shall, for the purpose of thorough protection of user data, comply with the Japanese Act on Protection of Personal Information (the “Personal Information Protection Act”), relevant guidelines and other regulations (the “Personal Information-related Laws”), and has established this privacy policy (this “Policy”) with respect to the Personal Information of users, etc. provided to the Company through KARTE.

Chapter 1 General Provisions

1. Definitions:

The following terms used herein shall have the following meanings:

• (1) “Personal Information” means those information defined in Article 2, Paragraph 1 of the Personal Information Protection Act;
• (2) “Website Usage Data and User Attribute Data” means data or information concerning individuals which when used alone cannot identify a specific individual. The Company considers, as examples for Website Usage Data and User Attribute Data, cookies”(*1), IP address information, website/apps browsing histories, activity logs, purchase histories, device IDs, user agents(*2)、referrers(*3), and analogical reasoning information of attributes, etc. (which means data or information prepared independently by the Company regarding users’ attributes, preferences, etc. through analogical reasoning from their genders, ages, browsing histories, activity logs, purchase histories, advertisement IDs for mobile device, location information, etc.; the same shall apply hereinafter).

2. Compliance with Laws and Regulations

The Company shall comply with the Personal Information-related Laws, and adapt the rules concerning protection of Personal Information, including this Policy, to conform to the Personal Information-related Laws.

3. Management of Personal Information, etc.

• (1) The Company will endeavor to keep accurate and updated Personal Information, Website Usage Data and User Attribute Data (collectively, “Personal Information, etc.”), and take necessary and appropriate measures for security management in order to protect Personal Information, etc. from unauthorized access, alteration, leakage, loss and damage.
• (2) The Company will exercise the utmost care in the security management for information handled through KARTE. The details of security management system of KARTE is described in the “KARTE Security White Paper”.
• (3) The Company has established the rule that employees allowed to access to Personal Information, etc. shall be limited to those having the need to access such information in performing their duties. In addition, when employees process Personal Information, the Company shall perform necessary and appropriate supervision over such employees to ensure the sufficient security management of Personal Information, etc.

Chapter 2 Policy for Processing of Personal Information

4. Restriction on Collection of Personal Information

• (1) The Company will not directly collect users’ Personal Information such as names, addresses, places of work and e-mail addresses through KARTE.
• (2) For a Partner (which means an enterprise using KARTE; same hereafter) to use KARTE, the Partner shall enter into an agreement for use of KARTE with the Company in advance and entrust the Company with certain processing of Personal Information to the extent necessary for such use. The Company may process Personal Information within the scope of such entrusting.

5. Purpose of Use of Personal Information

The Company may, within the scope of entrusting with regard to the processing of Personal Information on behalf of Partners, use the Personal Information of users for the following purposes:

• (1) Analysis of the attributes, preferences, etc. of users by the Company and the entrusting Partner, and sending messages by posting of contents, advertisements, etc., optimized for such Visitors’ attributes or preferences, etc., and/or by e-mail, SMS, online chat and notification on browser, etc.;
• (2) Accurate understanding of inquiries to the Company and the Partner, and communication such as sending responses, relevant information, etc.;
• (3) Supervision for preventing improper acts by users;
• (4) Preparation of analogical reasoning information of attributes, etc. and statistical information. In such preparation, the Company shall take appropriate de-identification measures so that users may not be identified as specific individuals; and
• (5) In the case of Partners using the function to review the activities of users on its Partner Services, browsing, record and analysis of data necessary for identifying causes of system-related problems and improvement of services provided by the Partner.

6. Prohibition on Provision of Personal Information to Third Party

The Company shall not disclose or provide to any third party any Personal Information of users it processes without the consent by relevant users, except in the following cases:

Where such disclosure or provision is in line with applicable laws and regulations or where otherwise the provision of Personal Information to a third party(ies) without the user’s consent is permitted in accordance with each Item of Paragraph 1 of Article 23 of the Personal Information Protection Act;

Where the Company further entrusts, in whole or in part, the processing of Personal Information entrusted from a Partner, within the scope necessary for the achievement of purposes of use set forth in Section 5 above; and

Where Personal Information is provided as the result of a merger or any other type of business succession.

7. Our Principles for Accepting Entrusting of Personal Information Processing

• (1) The Company shall perform the processing of Personal Information entrusted from Partners in accordance with this Policy, with the due care of a prudent manager. When entrusted with the processing of Personal Information by a Partner, the Company will require the Partner to ensure that the subject Personal Information is collected in legal and appropriate manners, and that provision of the subject Personal Information does not violate any applicable laws and regulations, etc. (including foreign laws and regulations) nor infringe any third party’s rights.
• (2) The Company shall specify the scope and purpose, etc. of entrusting of processing of Personal Information in the service agreement for KARTE entered into with each Partner (the “KARTE Agreement”), and perform the processing of Personal Information in accordance with such KARTE Agreement. The Company will not process users’ Personal Information beyond the scope of entrusting by each Partner.
• (3) In processing the Personal Information entrusted by a Partner, the Company will be subject to the necessary and appropriate supervision by the Partner.

8. Supervision over Further Trustee Party

The Company may further entrust to a third party (for example, a third-party e-mail distributor) with all or part of the processing of Personal Information entrusted from a Partner, in order to achieve purposes set forth in Section 5 above. In such case, the Company shall select a suitable trustee from the viewpoint of protection of Personal Information, enter into a entrusting agreement including the provisions for the trustee’s confidentiality obligation and perform necessary and appropriate supervision over the trustee to ensure it performs sufficient security management of Personal Information.

9. Deletion of Personal Information

In the case where a KARTE Agreement is terminated, the Company will delete the Personal Information provided by the Partner based on the entrusting of its processing within ninety (90) days after such termination.

10. Disclosure, Correction, etc. of Personal Information

In the event that the Company’s contact receives from a user a request for disclosure, correction, deletion, stop of use, etc. (“Disclosure, etc.”) of Personal Information of the user entrusted by a Partner, after receiving a form and/or document designated by the Company from the requesting user and confirming his/her identity, the Company will investigate such request during a reasonable period of time and deal with such request pursuant to applicable laws and regulations. Please note that a fee specified by the Company will be charged in such case.

Chapter 3 Processing Policy of Website Usage Data and User Attribute Data

11. Collection of Website Usage Data and User Attribute Data

• (1) In providing the services of KARTE to Partners, the Company will collect Website Usage Data and User Attribute Data of users who have visited websites and apps operated by Partners. The Company cannot identify users by the cookie which is issued by the Company for referring to browsing histories, activity logs, purchase histories, etc. The Company will maintain a cookie and collect Website Usage Data and User Attribute Data for up to two (2) years from the date when a user last accessed the relevant website using the device such as a computer, etc. in which the cookie is embedded.
• (2) The Company may collect Website Usage Data and User Attribute Data from third parties operating an advertising network, etc.

12. Purpose of Use of Website Usage Data and User Attribute Data

The Company may use Website Usage Data and User Attribute Data of users for the following purposes:

• (1) Purposes set forth in Section 5 of this Policy;
• (2) Evaluation and improvement of effectiveness with regard to services, advertisement and marketing of the Company and Partners;
• (3) Market analysis and marketing; and
• (4) Improvement of services of the Company and development of its new services, etc.

13. Prohibition of Provision of Website Usage Data and User Attribute Data to Third parties

In the event that the Company discloses or provides Website Usage Data and User Attribute Data collected by the Company to a third party, it will comply with the privacy policy of the Partner operating the website and apps in which such Website Usage Data and User Attribute Data have been collected, except in the cases specified in Section 6 of this Policy or where the relevant user agrees thereon.

14. Supervision over Trustees

The Company may entrust to a third party with all or part of processing of Website Usage Data and User Attribute Data in order to achieve the purposes set forth in Section 12. In such case, the Company shall select a suitable trustee from the viewpoint of protection of Website Usage Data and User Attribute Data, enter into an entrusting agreement including the provisions of the trustee’s confidentiality obligation and perform necessary and appropriate supervision over the trustee to ensure it performs sufficient security management of Website Usage Data and User Attribute Data.

15. Stopping Collection of Website Usage Data and User Attribute Data, etc.

• (1) The Company will provide users with the option to stop the Company’s collection of Website Usage Data and User Attribute Data. If such stoppage of collection is activated, the Company will thereafter stop collecting any Website Usage Data and User Attribute Data of the relevant user.
• (2) The setting for stoppage of collection of Website Usage Data and User Attribute Data set forth in the preceding Paragraph needs to be made in each browser or device used by the user. In addition, after stoppage of collection of Website Usage Data and User Attribute Data in accordance with the preceding Paragraph, the Company will not collect such information; provided, however, that the collection of Website Usage Data and User Attribute Data may be resumed in the case where such setting for stoppage is invalidated due to a removal of the cookie or change of setting of a relevant computer or other device, etc.

Chapter 4 Supplementary Provisions

16. Continuous Improvement of this Policy

The Company will, for the purpose of maintaining the appropriate processing of Personal Information, etc., review and continue to improve this Policy from time to time so that the processing system and operating methods for Personal Information, etc. meet the needs of the times. If any Personal Information-related Law is established or revised, the Company will set up a system fulfilling the requirement thereby at each such time.

17. Revision of this Policy

• (1) The Company may from time to time revise this Policy without prior approvals by users. In the event that the Company revises this Policy, such revision will be posted on this Policy itself and any appropriate place of the Company’s website decided by the Company.
• (2) Any revision of this Policy under the preceding Paragraph shall apply from the date when one (1) week has passed since the posting of such revision on the Company’s website.

18. Inquiry

Please contact the following for any inquiries concerning this Policy and Disclosure, etc. of Personal Information: