APPI Compliance

APPI Compliance Statement

This statement explains how Algaplay handles personal information of individuals in Japan in accordance with the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) ("APPI") and the guidelines issued by the Personal Information Protection Commission of Japan (the "PPC").

1. Personal Information Handling Business Operator

For the purposes of the APPI, the personal information handling business operator responsible for the processing carried out through algaplay.com is:

  • Algaplay [TBD: full legal entity name]
  • Registered office: [TBD]
  • Privacy contact: privacy@algaplay.com
  • Representative in Japan (if applicable under Art. 166): [TBD — required if Algaplay is established outside Japan and handles personal information of data subjects in Japan]

Algaplay handles personal information in compliance with the APPI in respect of personal information collected from individuals in Japan in connection with the supply of goods or services to them, irrespective of where the processing physically takes place (Art. 171 APPI).

2. Personal Information We Handle

We handle the following categories of personal information, as defined in Article 2(1) of the APPI:

  • Account information: name, email address, password (hashed), language preference.
  • Order information: billing and shipping address, telephone number, items purchased, order history.
  • Payment information: handled by certified payment service providers; we do not store full card numbers.
  • Customer-service information: the content of your enquiries and our responses.
  • Marketing information: newsletter subscription and engagement data, where you have opted in.
  • Technical and usage information: IP address, device identifiers, browser type, cookies and similar technologies.

We do not intentionally collect special-care-required personal information ("yō-hairyo kojin jōhō", Art. 2(3) APPI), which includes information on race, creed, social status, medical history, criminal record, or being a victim of a crime. Where such information may incidentally be contained in a customer-service enquiry initiated by you, we will handle it only to the extent strictly necessary to respond.

3. Purposes of Use (Art. 17 APPI)

We have specified the following purposes of use of personal information as required by Article 17 of the APPI:

  • To create and manage your account.
  • To process orders, payments, deliveries, returns, and refunds.
  • To provide customer support.
  • To send transactional and, where consent is given, marketing communications.
  • To operate, secure, and improve our website and product offering.
  • To comply with legal and regulatory obligations.
  • To prevent fraud and protect our rights and the rights of others.

We will not use personal information beyond the scope necessary to achieve these purposes without first obtaining your consent, except where permitted by Article 18 APPI.

4. Acquisition (Art. 20 APPI)

We acquire personal information by lawful and fair means. We do not acquire special-care-required personal information without consent, except in the cases listed in Article 20(2) of the APPI.

5. Provision to Third Parties (Art. 27 APPI)

We do not provide personal data to third parties without your prior consent, except in the cases permitted by Article 27(1) of the APPI (e.g. compliance with law, protection of life or property, public-health considerations, or cooperation with public authorities).

The following are not considered "provision to a third party" under the APPI and therefore do not require separate consent:

  • Entrustment of handling (Art. 27(5)(i)): we entrust the handling of personal data to service providers for the purposes set out above (e.g. our hosting platform Shopify, payment processors, shipping carriers, marketing platforms — see list below). We supervise these entrusted parties to ensure secure handling, as required by Article 25.
  • Joint use (Art. 27(5)(iii)): [TBD: indicate "not applicable" or describe joint-use partners, items shared, scope of users, purposes, and the controller responsible — required disclosures].

Recipients in their capacity as entrusted handlers include:

  • Shopify Inc. (e-commerce hosting and order management).
  • Payment service providers [TBD].
  • Shipping carriers and logistics partners [TBD].
  • Email and marketing platforms [TBD].
  • Analytics providers [TBD].

6. Cross-Border Transfers (Art. 28 APPI)

Some of our entrusted handlers and joint-use partners are located outside Japan. Where personal data is transferred to a third party in a foreign country, we comply with Article 28 of the APPI by relying on one of the following:

  • Your prior consent, after providing you with information about the country of the recipient, the personal-information protection regime of that country, and the measures taken by the recipient to protect personal information.
  • Transfer to a country designated by the PPC as having a data-protection system equivalent to that of Japan (currently the EEA and the United Kingdom).
  • Implementation by the recipient of measures equivalent to those required of a personal information handling business operator under the APPI, ensured by contract or by participation in an applicable certification scheme (e.g. APEC CBPR), with ongoing monitoring as required by the 2020 amendments.

Information about a specific cross-border transfer, including the recipient country and the safeguards in place, is available on request from privacy@algaplay.com.

7. Security Control Measures (Art. 23 APPI)

We implement organisational, human, physical, and technical security control measures appropriate to the risk, as set out in the PPC's guidelines, including encryption in transit, access controls and logging, employee training, and contractual safeguards with entrusted handlers.

8. Your Rights as a Data Subject

You have the following rights with respect to your retained personal data ("hoyū kojin dēta", Art. 16(4) APPI):

  • Disclosure of your retained personal data, including in electronic form (Art. 33).
  • Disclosure of records of provision to third parties, where applicable (Art. 33(5)).
  • Correction, addition, or deletion of inaccurate retained personal data (Art. 34).
  • Cessation of use or deletion of your retained personal data, in the cases set out in Article 35(1) and (5), including where data was acquired or used unlawfully, where the purpose of use no longer exists, where there has been a leak, or where there is a risk that your rights or legitimate interests will be harmed.
  • Cessation of provision of your retained personal data to third parties, in the cases set out in Article 35(3).

9. How to Exercise Your Rights

You may submit a request relating to any of the rights above by emailing privacy@algaplay.com. We may ask you to provide reasonable information to verify your identity. We will respond within a reasonable period and in any event without undue delay. A statutory fee may apply only to disclosure and disclosure-of-records requests; we will inform you in advance.

10. Retention

We retain personal information only for as long as necessary to fulfil the purposes of use, and in accordance with applicable Japanese tax, accounting, and consumer-protection laws. Indicative retention periods:

  • Account data: lifetime of the account plus up to 24 months of inactivity.
  • Order, invoice, and accounting records: at least 7 years, in line with applicable record-keeping requirements.
  • Customer-service correspondence: up to 24 months from the last interaction.
  • Marketing data: until consent is withdrawn or 24 months of inactivity.
  • Logs and security data: typically 6–12 months.

11. Breach Notification (Art. 26 APPI)

Where a leak, loss, or damage of personal data occurs that is likely to harm the rights and interests of an individual, we will report the incident to the PPC and notify the affected individuals as required by Article 26 of the APPI and the related PPC rules in force since 1 April 2022.

12. Cookies and Anonymously Processed Information

We use cookies and similar identifiers as described in our Cookie Policy. Where such identifiers are linked to personal information, they are handled as personal data under the APPI. We may also create anonymously processed information ("tokumei kakō jōhō", Art. 2(6)) or pseudonymously processed information ("kamei kakō jōhō", Art. 2(5)) for analytical purposes, in accordance with the relevant PPC standards.

13. Children

We do not knowingly collect personal information from children below the age at which they can validly provide consent under Japanese law (generally considered to be 15 years for online services in PPC guidance) without the consent of a parent or guardian.

14. Complaints

You may direct any complaint regarding our handling of personal information to privacy@algaplay.com. You also have the right to file a complaint with the Personal Information Protection Commission (ppc.go.jp/en) or with an authorised personal-information protection organisation.

15. Changes

We may update this statement to reflect changes in our practices or in the law. The date below indicates the most recent revision.

Last updated: 28 April 2026.