PRIVACY POLICY

BBF Inc. (hereinafter referred to as “Our company”) responds to diversified customer needs by appropriately incorporating the latest information and communication technologies, such as the Internet, into its business in the mail order industry, and recognizes the importance of personal information management in the information and communications business. Based on the lessons learned from recent incidents involving personal information, and in order to prevent accidents and incidents, the privacy policy is defined and declared as follows to build an environment and system in which customers can use our services safely.

1. Compliance with laws and regulations concerning personal information protection

Our company complies with laws and regulations regarding the handling of personal information, national guidelines, “Personal Information Protection Management System-Requirements” (JIS Q 15001: 2017) and other standards.

2. Acquisition and use of personal information

When acquiring personal information, our company will clarify the purpose of use and obtain it in a lawful and fair manner, and will not handle it beyond the scope of the purpose of use. Appropriate measures will be taken to prevent usage outside the purpose. The purpose of use defined by our company is as described in “Handling of Personal Information”. In addition, unless otherwise permitted by law, personal information will not be provided to a third party without consent. Our company has formulated internal rules regarding the handling of personal information, and ensures that all employees, contract employees, etc., engaged in the company's business (hereinafter referred to as “employees”) are thoroughly informed of these rules and operate according to them.

3. Safe management of personal information

In order to ensure the accuracy and safety of personal information, our company will implement safety management measures to protect personal information against leakage, loss or damage, and will comply with related laws, national guidelines and other standards. Effort will be made to prevent violations, possible economic disadvantages, loss of social credibility, and possible impact on the principal. In addition, safety management measures will be reviewed regularly, and if there are any deficiencies, corrections will be made as appropriate. When consigning or subcontracting the handling of personal information, our company signs a consignment contract whose content has been thoroughly checked for the protection of personal information, and manages the consignee and the subcontractor with thorough supervision.

4. Handling of complaints and consultations

Our company will sincerely handle complaints and consultation regarding personal information without delay.

5. Continuous improvement of personal information protection management system

To protect and properly handle personal information, our company will comply with laws and regulations regarding the handling of personal information, national guidelines and other standards. In addition, a personal information protection management system that complies with the Japanese Industrial Standards “Personal Information Protection Management System-Requirements” (JIS Q 15001: 2017) will be established, implemented and maintained, with continuous improvements planned for our personal information protection management system. When there are important changes to the privacy policy of our company, they will be announced and posted on our website.

BBF Inc. Jun Tamura
Enacted on March 15, 2012
Revised August 21, 2023
[Inquiries regarding privacy policy]
BBF Inc. Complaint/Consultation Information Desk
Uchisaiwai-cho Tokyu Bldg.7F, 1-3-2, Uchisaiwai-cho,
Chiyoda-ku, Tokyo 100-0011 Japan
Chief Officer of Personal Information
Tel: 03-5202-4700

<Handling of personal information>

- Purpose of use when obtaining personal information
In relation to usage of this service, our company will use the obtained information only for the following purposes and will neither disclose nor provide it to a third party. Sufficient measures are being taken for this. However, in order to achieve the purpose of use, the handling of the information may be outsourced or subcontracted to a subcontractor selected by our company. In that case, our company will perform necessary and appropriate procedures and supervision of the contractor based on the Personal Information Protection Law.

1. Personal information of applicants and employees

(1) For recruitment selection
(2) For various operations
(3) For emergency response
(4) For labor management

2. Personal information related to business partners, executives and employees of other companies, etc.

(1) For various communications and business negotiations necessary for business
(2) For conclusion of various contracts
(3) For business partner information management and payment/revenue processing

3. Personal information of customers using our services

(1) For member, user management
(2) For packaging and shipping products
(3) For notification (including e-mail) of matters necessary for our business operations
(4) For advertising, promotion and sales promotion activities (including e-mail)
(5) For projects such as campaigns and conducting surveys
(6) For issuing and sending e-mail newsletters
(7) For purchase of products and services, purchase related to usage, billing information management and charges
(8) For handling various inquiries and after-sales service
(9) For research and analysis of marketing data and development of new services
(10) For research of usage status related to products and various services
(11) To create statistical data to be provided to business partners
(12) For executing business operations when entrusted with the handling of personal information
(13) For exercising rights and fulfilling obligations based on laws, etc.

4. Regarding optionality of providing personal information

The decision to provide personal information to us is up to the user. However, if the necessary items are not provided, it may not be possible to conclude a contract or provide sufficient services.

5. Regarding revision

In order to continually improve the customer's personal information protection management system and respond to changes in laws and regulations, our company will revise the privacy policy and review our personal information protection rules as appropriate.

6. Regarding cookies

On our company website, cookies (an industry standard technology for the web server to identify the customer’s computer) are not used for management of personal information.

7. Regarding access logs and files

On our company website, access logs and files will be used in order to research user trends. Although we will be able to obtain statistical website usage information such as access date/time, IP address, domain name, browser type, cookies, etc., it will not be used to collect and analyze personal information. While there may be cases where other companies' services are used for access analysis and web beacons, the web beacons will not identify individuals.

8. Regarding security

On our company website, when important personal information of customers is registered, it will be managed on a dedicated server that is protected by encrypted communication such as SSL, with measures taken to prevent unauthorized access from outside and information leakage. In addition, internal education on personal information protection is periodically conducted to further strengthen the personal information management system.

<Information regarding retained personal data or records provided to third parties>

1. Inquiries related to retained personal data

When our company receives a request from an individual for notification or disclosure of the purpose of use, correction, addition, deletion, suspension of use, or elimination (hereinafter collectively referred to as "disclosure, etc.") of retained personal data or records provided to a third party, we will respond to the request in accordance with laws and regulations.

2. Purpose of use of Retained Personal Data

The "Purpose of use of retained personal data" is other than 1, 2, and 3 (12) of "Purpose of use of personal information when acquiring personal information" above, and the "Purpose of use of personal information acquired other than directly in writing" is as in 3 (12).

3. Procedures

For procedures regarding complaints and consultation of personal information and disclosure of personal information, etc., a document is required to verify that the request is made by the actual person or their agent.

4. Fees

A specified fee for notification of purpose of use or disclosure of personal information will be charged.

5. Contact us

For complaints and consultation regarding personal information, or to apply for disclosure of personal information, contact the desk listed under [Contact us] below.

6. Measures taken for secure management of retained personal data

(1) Formulation of Basic Policy
In order to ensure the proper handling of personal data, the Company has formulated basic policies regarding "compliance with relevant laws, regulations, guidelines, etc." and "point of contact for questions and complaint handling."

(2) Establishment of rules for the handling of personal data
The Company has established rules for handling personal data at each stage of acquisition, use, storage, provision, deletion, disposal, etc., including handling methods, responsible persons/persons in charge, and their duties.

(3) Organizational Safety Control Measures
In addition to appointing a person responsible for the handling of personal data, the Company clarifies the employees who handle personal data and the scope of personal data handled by such employees, and has established a system for reporting to the person responsible in the event that a violation of the law or handling regulations is detected or any indication of such a violation is detected.
The Company conducts periodic self-inspections of the status of personal data handling, as well as audits by other departments and outside parties.

(4) Personal Safety Control Measures
Employees receive periodic training on matters to keep in mind regarding the handling of personal data.
The Company enters into confidentiality agreements with its employees regarding the confidentiality of personal data.

(5) Physical security control measures
In areas where personal data is handled, the Company controls employee access to rooms and equipment, and implements measures to prevent unauthorized persons from viewing personal data.
Measures are taken to prevent theft or loss of equipment, electronic media, and documents that handle personal data, and measures are taken to prevent personal data from being easily identified when such equipment, electronic media, etc. are carried, including during transportation within the business site.

(6) Technical safety control measures
Access control is implemented to limit the scope of persons in charge and the personal information database, etc. handled. A system is in place to protect the information system handling personal data from unauthorized external access or unauthorized software.

(7) Understanding the external environment
We use cloud services whose servers are located in foreign countries. For the safe management of retained personal data, we confirm that the location of the server is within the EU or the UK, which are recognized by the Personal Information Protection Commission Regulations as foreign countries with a personal information protection system of a similar level to that in Japan; if none of the above applies to the server, we will implement appropriate safety management measures, such as confirming the information security of the cloud service in question, based on our understanding of the systems of the relevant foreign country.
The following is a list of foreign countries to which personal data is currently provided and the systems, etc. in place in those countries.

United States
https://www.ppc.go.jp/files/pdf/USA_report.pdf

Singapore
https://www.ppc.go.jp/files/pdf/singapore_report.pdf

Australia
https://www.ppc.go.jp/files/pdf/australia_report.pdf

[Contact us]

BBF Inc. Complaint/Consultation Information Desk
Uchisaiwai-cho Tokyu Bldg.7F, 1-3-2, Uchisaiwai-cho,
Chiyoda-ku, Tokyo 100-0011 Japan
Chief Officer of Personal Information
Tel: 03-5202-4700

Name of authorized personal information protection organization

JIPDEC

Where to file a complaint

JIPDEC Personal Information Protection Consultation Service Office
Roppongi First Building, 9-9 Roppongi 1-chome,
Minato-ku Tokyo, 106-0032 Japan
Tel: 03-5860-7565 / 0120-700-779

The following fee will be charged for requests for notification of the purpose of use and for disclosure of personal information.
800 JPY (including tax) per charge
Enclose a postal flat-rate money order for 800 yen with the submitted documents. The customer is responsible for paying for the purchase of postal flat-rate money orders and postage.
* There will be notification when the fee is either insufficient or not included in the submitted documents. However, if the payment is not made within the predetermined period, we will handle it as if there was no request for notification of disclosure or purpose of use.

Purposes of use of personal information obtained for requests for disclosure, etc.

Personal information obtained through requests for disclosure, etc. is handled only within the range required for the requested disclosure, etc. In principle, the submitted documents will not be returned. After the response to the request for disclosure, etc. is completed, they will be properly managed and discarded.

Regarding non-disclosure of personal information

In the cases specified below, our company cannot respond to requests for disclosure of personal information made by customers. The reason will be notified if non-disclosure, etc. is decided. The prescribed fee will also be charged for non-disclosure and non-notification of the purpose of use.
(1) When the actual person cannot be confirmed, such as when the address described in the invoice, the identity confirmation document, the address in our registration, etc. do not match.
(2) When proxy rights cannot be confirmed upon request by an agent.
(3) When predetermined submission documents are incomplete.
(4) When personal information retained by our company cannot be identified due to the contents of invoice.
(5) When the subject of the disclosure request does not correspond to the retained personal data referred to in Article 2, paragraph 5 of the law.
(6) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party.
(7) When there are violations of other laws and regulations.
(8) When there is a risk of significant hindrance to the proper implementation of our company’s business.