Privacy policy

Last Updated: February 13, 2026

This Privacy Policy is an independent document that explains how This Is Earth Inc. collects, uses, stores, protects, and shares your personal data. This Policy is established separately from the Company’s Confidentiality Policy, which governs the protection of business and commercial confidential information. Because both documents complement each other, please review them together.

This Privacy Policy (the “Policy”) is established by This Is Earth Inc. (the “Company,” “we,” “us,” or “our”) and describes how the Company collects, uses, processes, stores, transfers, and protects personal data relating to customers, website visitors, Participants, and all other individuals in connection with the video recording, digital archiving, and future delivery services provided by the Company (the “Service”).

The Company is committed to responsible and transparent data management. This Policy complies with all applicable national, regional, and sector-specific data protection laws and regulations, including the Act on the Protection of Personal Information of Japan (APPI, Act No. 57 of 2003, as amended), the European Union General Data Protection Regulation (GDPR) (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), the Swiss Federal Act on Data Protection (FADP / revised FADP), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).

Article 1 Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below.

  • “Personal Data”
    Any information relating to an identified or identifiable natural person (the “Data Subject”). An identifiable natural person means an individual who can be identified, directly or indirectly, by reference to a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • “Personal Information”
    Has the meaning defined under the Act on the Protection of Personal Information of Japan (APPI), and includes information relating to a living individual that can identify a specific individual by name, date of birth, or other descriptions contained in such information.
  • “Special Category Data”
    Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying an individual, health data, or information concerning a person’s sex life or sexual orientation. Such information corresponds to sensitive personal information under the APPI.
  • “Data Controller”
    An entity that determines the purposes and means of processing Personal Data. The Company acts as the Data Controller for Personal Data collected in connection with the Service.
  • “Data Processor”
    An entity that processes Personal Data on behalf of, or under the instructions of, a Data Controller.
  • “Processing”
    Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • “Data Subject”
    An identified or identifiable natural person to whom Personal Data relates.
  • “Consent”
    Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which the Data Subject signifies agreement to the Processing of their Personal Data for a specific purpose.
  • “Sub-processor”
    A third-party entity engaged by the Company to process Personal Data on behalf of the Company, including but not limited to Shopify Inc. and DocuSign Inc.
  • “Third Party”
    Any individual, corporation, or other organization other than the Data Subject, the Company, or a Sub-processor authorized by the Company.
  • “Supervisory Authority”
    An independent public authority responsible for supervising compliance with data protection laws, including the Personal Information Protection Commission of Japan (PPC), the relevant data protection supervisory authorities of EU Member States, and the UK Information Commissioner’s Office (ICO).

Article 2 Information Regarding the Data Controller

The Company acts as the Data Controller for Personal Data collected in connection with the Service. Under the Act on the Protection of Personal Information of Japan (APPI), the Company is a business operator handling personal information.

  • Name of Data Controller
    This Is Earth Inc.
  • Representative Director
    Katashi Nishida
  • Registered Address
    Win Aoyama 942, 2-2-15 Minami-Aoyama, Minato-ku, Tokyo 107-0062, Japan
  • Data Protection Contact
    privacy@this-is-earth.com
  • Telephone Number — Japan
    03-5734-1171
  • Support Hours
    Weekdays: 10:00–20:00 Japan Standard Time (JST)
  • Supervisory Authority — Japan
    Personal Information Protection Commission
  • Website
    www.this-is-earth.com

Article 3 Categories of Personal Data Collected by the Company

The Company collects the following categories of Personal Data in connection with the Service, the Company’s website, and the Company’s business operations. The Company collects only the minimum Personal Data necessary to achieve each purpose, in accordance with the principle of data minimization.

  • Identification Information
    Legal name, date of birth, nationality, gender (optional), and information relating to photo identification documents
    Purpose of Use: Service booking and provision, identity verification, and legal compliance
  • Contact Information
    Address, email address, telephone number, and emergency contact information
    Purpose of Use: Service provision, user communications, and emergency response
  • Financial Information
    Payment method type, billing address, and transaction records. Card information is processed only through PCI DSS-compliant payment gateways.
    Purpose of Use: Payment processing, accounting and tax compliance, and fraud prevention
  • Service Usage Information
    Recording preferences, delivery instructions, scheduled dates, and the names and contact information of designated recipients
    Purpose of Use: Service provision and future content delivery
  • Video and Audio Data
    Video and audio recordings captured during recording sessions, including any personal information contained in such recordings
    Purpose of Use: Storage of video Deliverables and future delivery
  • Identity Document Information
    Type and identifying information of government-issued photo identification presented at the studio
    Purpose of Use: Studio entry management and identity verification
  • Usage and Technical Information
    IP address, browser type and version, operating system, viewed pages, time spent on pages, device identifiers, and cookies
    Purpose of Use: Website usage analysis, security monitoring, and service improvement
  • Communications Information
    Emails, support tickets, feedback form contents, and other communications with the Company
    Purpose of Use: Customer support, complaint and dispute resolution, and service improvement
  • Special Category Personal Data
    Health information or information relating to religious or dietary accommodations voluntarily provided by a client for accessibility purposes
    Purpose of Use: Accessibility and dietary accommodations, based on the individual’s consent

Video and Audio Data and Biometric Identifiers:
Video and audio data recorded during recording sessions may incidentally include biometric identifiers such as facial images or voice patterns of Participants or third parties present during the recording. The Company does not process such data for biometric identification or identity verification purposes. If biometric data is processed for identification purposes, the Company will obtain the explicit consent of the Data Subject in accordance with Article 9 of the GDPR and applicable laws.

Special Category Personal Data:
The Company collects Special Category Data, including sensitive personal information, only where the Data Subject voluntarily provides it for a specific and limited purpose, such as accessibility accommodation. Such Processing is conducted based on the explicit consent of the Data Subject. The Company does not require or make the provision of Special Category Data a condition for using the Service.

3.1 Information Automatically Collected

When you visit the Company’s website, certain technical information may be automatically collected through cookies and similar tracking technologies. This may include the following information.

  • IP address and approximate location information at the country or regional level
  • Browser type, version, and language settings
  • Device type, operating system, and screen resolution
  • Pages viewed, time spent on each page, and navigation paths within the site
  • Referring URL, meaning the website that directed you to the Company’s website
  • Session identifiers and authentication tokens

3.2 Information Obtained from Third Parties

The Company may obtain Personal Data about you from third parties in the following cases.

  • Payment processors, from which the Company receives only transaction confirmation and payment status information. The Company does not obtain or store raw card information such as credit card numbers.
  • Identity verification service providers, where used for security purposes
  • Referral partners or Corporate Customers, where your information is provided by your organization as a Participant
  • Publicly available sources, used only for due diligence regarding Corporate Customers

Article 4 — Cookies and Other Tracking Technologies

4.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. Cookies are widely used to enable websites to operate properly and efficiently, and to provide website operators with analytical and functional information. The Company uses cookies and similar technologies, including web beacons, pixel tags, and local storage objects, on its website.

4.2 Types of Cookies Used by the Company

  • Strictly Necessary Cookies for Providing Basic Website Functions
    These cookies are essential to maintain the basic operation of the website. They provide basic functions such as page navigation, secure login, and shopping cart functionality. These cookies cannot be disabled.
  • Analytics Cookies
    These cookies are used only with your consent to collect anonymized information about how visitors use the Company’s website, such as pages viewed, navigation paths, and time spent on each page. These cookies help improve the performance and user experience of the Company’s website.
  • Functional Cookies
    These cookies are used to remember your settings, such as language, region, and display preferences, and to provide a more convenient and personalized user experience.
  • Session Cookies
    These temporary cookies are automatically deleted when you close your browser. They are used to maintain your session while browsing the website.
  • Persistent Cookies
    These cookies are stored on your device for a certain period and are used to remember your settings across multiple visits.

4.3 Cookie Settings and Management

When you visit the Company’s website, only strictly necessary cookies are enabled by default. Analytics cookies are enabled only if you provide explicit consent through the cookie consent banner.

You may manage or control your cookie preferences through your browser settings. Many browsers allow you to do the following.

  • View currently stored cookies
  • Block all cookies
  • Block third-party cookies
  • Delete cookies when closing the browser
  • Configure cookie permissions for specific websites

If certain cookies are disabled, some functions of the Company’s website may not operate properly. Essential cookies are necessary for the operation of the website and cannot be disabled through the website’s cookie settings.

Where required by applicable law, including the EU ePrivacy Directive and its national implementing laws, a cookie consent banner will be displayed before non-essential cookies are stored on the user’s device, allowing the user to accept, reject, or manage such cookies. This provision applies only where a cookie consent banner is implemented.

For more information on managing and configuring cookies, please visit www.allaboutcookies.org. Where required by applicable law, the Company retains records of cookie consent for the purpose of demonstrating compliance with applicable data protection regulations.

Article 5 — Legal Bases for Processing Personal Data

The Company processes Personal Data only where there is a valid legal basis under applicable law. The following is an overview of the legal bases relied upon for each type of Processing activity conducted by the Company.

  • Performance of a Contract
    Processing of Personal Data necessary to perform the Company’s obligations under the service contract with you, pursuant to Article 18, Paragraph 3, Item 1 of the APPI and Article 6(1)(b) of the GDPR.
    Examples: Booking management, service provision, identity verification, and delivery of Deliverables
  • Legal Obligation
    Processing of Personal Data necessary to comply with applicable laws and regulations, pursuant to Article 18, Paragraph 3, Item 2 of the APPI and Article 6(1)(c) of the GDPR.
    Examples: Preparation and retention of tax records, financial reporting, regulatory compliance, and response to lawful requests from competent authorities
  • Legitimate Interests
    Processing of Personal Data necessary for the Company’s legitimate business interests, provided that such interests are not overridden by your rights and freedoms, pursuant to Article 6(1)(f) of the GDPR.
    Examples: Fraud prevention, security monitoring, and service improvement
  • Consent
    Processing of Personal Data based on your freely given, specific, informed consent, pursuant to Article 18 of the APPI, Article 6(1)(a) of the GDPR, and Article 9(2)(a) of the GDPR for Special Category Data.
    Examples: Marketing communications on an opt-in basis, Processing of Special Category Data, and analytics cookies or other optional cookies where consent is required
  • Vital Interests
    Processing of Personal Data necessary to protect the vital interests of the Data Subject or another individual, pursuant to Article 6(1)(d) of the GDPR.
    Examples: Emergency response and response to health or safety incidents occurring in the studio

For Japan — APPI:
In addition to the above, the Company processes Personal Data in accordance with Articles 17 through 27 of the APPI. This includes provisions relating to restrictions on acquisition under Article 17, notification or publication of the purpose of use under Article 18, and restrictions on third-party provision under Articles 23 through 24.

Article 6 — How the Company Uses Personal Data

The Company uses Personal Data collected in connection with the Service only for the specific and clear purposes set forth below. If the Company uses your Personal Data for purposes other than those listed below, the Company will obtain your prior consent or establish another valid legal basis under applicable law.

  • Acceptance and Confirmation of Service Bookings
    To process service applications, confirm bookings, issue receipts, and send pre-session guidance communications
  • Provision of the Service and Performance of Contract
    To conduct recording sessions, create Deliverables, archive content, and deliver recorded videos to designated recipients
  • Identity Verification
    To verify the identity of Participants at the studio using government-issued identification documents
  • Payment Processing
    To process and manage financial transactions through PCI DSS-compliant payment gateways
  • Inquiry Response and Customer Support
    To respond to inquiries, handle complaints, and provide post-service support
  • Legal Compliance and Regulatory Obligations
    To comply with applicable legal obligations, including tax, accounting, employment, and anti-money laundering obligations
  • Security and Fraud Prevention
    To detect, investigate, and prevent fraud, unauthorized access, and security incidents
  • Service Improvement and Usage Analysis
    To analyze usage patterns and improve the quality and functionality of the Company’s services and website, including the use of anonymized or aggregated data and analytics cookies used only with your consent where required by applicable law
  • Marketing — Only with Consent
    To send promotional information regarding the Company’s services only where you have provided explicit opt-in consent. You may unsubscribe at any time.
  • Complaint Handling and Dispute Resolution
    To investigate and resolve disputes, complaints, and legal claims relating to the Company’s services
  • Regulatory Response and Legal Proceedings
    To respond to lawful requests from courts, regulatory authorities, or law enforcement agencies
  • Emergency and Safety Response
    To respond to health emergencies or safety incidents occurring in the studio

The Company will clearly inform you of the purposes of use when collecting Personal Data. The Company will not use Personal Data for new purposes or purposes incompatible with the original purposes without prior notice and, where necessary, your consent.

Article 7 — Sharing and Third-Party Disclosure of Personal Data

The Company does not sell, rent, or trade your Personal Data to third parties for commercial purposes. The Company may share your Personal Data only in the limited and clearly defined circumstances set forth below.

7.1 Sub-processors and Service Providers

The Company uses the following principal Sub-processors and service providers that may access Personal Data in connection with the Company’s services. Each Sub-processor processes Personal Data under a written data processing agreement (DPA).

  • Shopify Inc. — Canada / United States
    E-commerce platform for payment processing and order management. Shopify is PCI DSS-compliant. Personal Data is processed under Shopify’s Data Processing Agreement. Data is hosted in data centers in Canada and the United States.
  • DocuSign Inc. — United States
    Platform for electronic signatures and contract execution. DocuSign has SOC 2 Type II certification. Personal Data is processed under DocuSign’s Data Processing Agreement. Data is processed in the United States.
  • Credit Card Payment Networks
    VISA, Mastercard, and American Express — payment authorization networks. Raw card data, such as card numbers, is not processed or stored by the Company.
  • Cloud Storage Service Providers
    Encrypted cloud storage used to store archived video content. AES-256 encryption is applied at rest, and TLS 1.2 or higher encryption is applied in transit.
  • Email and Communications Service Providers
    TLS-encrypted email delivery services for communications and digital content delivery.
  • Website Analytics Service Providers — If Applicable
    Analysis of anonymized website usage. The Company does not share Personal Data with analytics service providers in an identifiable form.

The Company maintains an up-to-date list of Sub-processors used by the Company. This list is provided to Data Subjects or Data Controllers upon written request to privacy@this-is-earth.com.

7.2 Disclosure for Legal Reasons

The Company may disclose your Personal Data to courts, regulatory authorities, law enforcement agencies, or government bodies in the following cases.

  • Where disclosure is required by applicable law, court order, or request from a government authority
  • Where necessary for the establishment, exercise, or defense of legal claims
  • Where necessary to protect personal safety or prevent fraud

Where permitted by law, the Company will notify you before making such disclosure. The Personal Data disclosed will be limited to the minimum extent strictly necessary.

7.3 Corporate Transactions and Business Transfers

In the event of a merger, acquisition, corporate reorganization, sale of assets, or similar transaction, your Personal Data may be transferred to a successor entity subject to equivalent privacy protections. The Company will provide prior notice of such transfer and your rights in connection with it.

7.4 Sharing of Personal Data Based on Your Explicit Consent

The Company may share your Personal Data with third parties in other circumstances only where it has obtained your prior informed and explicit consent. Such consent will be obtained separately in a clear and transparent manner, and you may withdraw it at any time.

7.5 Links to Third-Party Websites

The Company’s website may contain links to third-party websites, platforms, or services. The Company is not responsible for the privacy practices or content of such third-party sites. The Company strongly recommends that you review the privacy policy of each third-party site before providing Personal Data.

Article 8 — International Data Transfers

8.1 Overview of International Data Transfers

In connection with the provision of the Service, your Personal Data may be transferred to and processed in countries outside Japan and the European Economic Area (EEA), including the United States and Canada, by Sub-processors or service providers used by the Company. These countries may have data protection standards different from those of Japan or the EEA. The Company takes necessary measures to ensure that such international transfers are conducted lawfully and subject to appropriate safeguards in accordance with applicable data protection laws.

8.2 Appropriate Safeguards for International Data Transfers

The Company ensures that appropriate legal safeguards, including the following, are applied to all international transfers of Personal Data in accordance with applicable data protection laws.

  • Adequacy Decisions:
    Where the destination country has been recognized as providing an adequate level of data protection by the Personal Information Protection Commission of Japan (PPC), the European Commission, or the UK Information Commissioner’s Office (ICO), the Company uses such adequacy decision as the legal basis for the data transfer.
  • Standard Contractual Clauses (SCCs) and Other Transfer Mechanisms:
    For transfers of Personal Data to countries without an adequacy decision, the Company may use Standard Contractual Clauses approved by the relevant supervisory authorities or other legally recognized transfer mechanisms. This may include the EU Standard Contractual Clauses under Article 46(2)(c) of the GDPR, the UK International Data Transfer Agreement (IDTA), or internationally recognized data transfer frameworks.
  • Compliance with APPI:
    For transfers of Personal Data from Japan, the Company complies with Article 24 of the APPI concerning provision to third parties located in foreign countries and other applicable laws, and ensures that overseas recipients implement protective measures equivalent to those required under the APPI.
  • Other Appropriate Safeguards:
    Where applicable, the Company may transfer Personal Data based on Binding Corporate Rules (BCRs) or internationally recognized certification systems, such as the APEC Cross-Border Privacy Rules (CBPR).

8.3 Principal Cross-Border Data Transfer Destinations

  • United States
    The location of service providers such as Shopify Inc. for payment processing and DocuSign Inc. for electronic signatures. Transfers of Personal Data to these providers are conducted subject to appropriate safeguards, including Standard Contractual Clauses or other legally recognized transfer mechanisms, in accordance with applicable data protection laws.
  • Canada
    The location of Shopify Inc. for primary data hosting. Canada is recognized by the European Commission as providing an adequate level of data protection for certain commercial organizations.
  • European Economic Area (EEA) Member States
    Applicable where services are provided to EU customers, in accordance with data transfer rules under the GDPR.
  • Other Countries
    Personal Data may be transferred to other countries only where necessary for specific service provision and subject to appropriate safeguards in accordance with applicable data protection laws.

Article 9 — Data Security

9.1 Security Measures Implemented by the Company

The Company implements comprehensive technical and organizational security measures to protect your Personal Data against unauthorized access, loss, destruction, alteration, leakage, or misuse. The Company’s security framework includes the following measures.

  • Encryption at Rest
    All Personal Data and audiovisual content stored on the Company’s servers and cloud storage are protected using AES-256 encryption.
  • Encryption in Transit
    All data transmitted between the Company’s systems and external services or users is protected by encrypted communications using TLS 1.2 or higher (HTTPS).
  • Payment Information Security
    All payment card information is processed only through PCI DSS-compliant payment gateways. The Company does not receive, store, or transmit raw card information such as card numbers.
  • Access Control
    Role-based access control (RBAC) and multi-factor authentication (MFA) are implemented for all systems containing Personal Data. Access privileges are restricted based on a strict need-to-know principle.
  • Network Security
    The Company protects its network infrastructure through firewalls, intrusion detection systems (IDS), and continuous network security monitoring.
  • Vulnerability Management
    The Company conducts regular security assessments, penetration testing, and patch management processes for software updates.
  • Employee Training
    All employees and contractors who access Personal Data are required to receive training on data protection and information security.
  • Vendor Assessment
    The Company conducts security due diligence on all Sub-processors and imposes contractual data protection requirements.
  • Security Incident Response
    The Company maintains a documented incident response plan for responding to Personal Data breaches, including procedures for notifying relevant authorities and affected individuals where necessary.
  • Physical Security
    Access to studio facilities and server infrastructure is limited to authorized personnel only, and CCTV monitoring is implemented at studio entrances.

9.2 Limitations of Security

Although the Company implements commercially reasonable security measures, no method of electronic transmission or storage is completely secure. Therefore, the Company cannot guarantee the absolute security of your Personal Data. The Company recommends that you use strong and unique passwords, keep login credentials confidential, and promptly notify the Company if you suspect unauthorized use or a security breach.

Article 10 — Data Retention and Deletion

The Company retains Personal Data only for as long as necessary to achieve the purposes for which it was collected or for the period required by applicable law. The Company’s principal data retention periods are as follows.

  • Identification and Contact Information — Contracting Party
    For the duration of the service relationship and for five years after termination, for the fulfillment of legal obligations and dispute resolution.
  • Financial and Payment Records
    For seven years from the transaction date in accordance with Japanese bookkeeping and tax laws.
  • Audiovisual Content — Video Recordings
    Securely retained until future delivery is confirmed or for up to five years from the recording date, whichever occurs first, unless a longer retention period has been agreed in writing with the contracting party. Once delivery is confirmed or the retention period expires, the content will be deleted within 90 days.
  • Communications and Support Records
    For three years from the date of the communication or the date on which the related matter is resolved.
  • Identity Document Information
    Verified at the studio for identity verification purposes and not retained after completion of the session unless retention is required by law.
  • Website Analytics Data
    For up to 26 months in anonymized or aggregated form.
  • Marketing Data — Opt-In
    Until consent is withdrawn or for the period required by applicable law.
  • Legal Compliance Records
    For the period required by applicable law, including at least seven years for accounting records under Japanese law.
  • Incident and Security Logs
    For three years from the date of the incident or log entry.

When the applicable retention period expires, Personal Data will be securely deleted, anonymized, or returned to the Data Subject where technically feasible and agreed. If you wish to request early deletion of Personal Data, you may submit a written request in accordance with Article 11.

In determining the retention period for Personal Data, the Company considers the nature of the data, the purposes of Processing, legal obligations, contractual requirements, dispute response needs, and legitimate business necessity.

Article 11 — Your Rights as a Data Subject

You have the following rights with respect to your Personal Data. The Company endeavors to facilitate the exercise of these rights promptly and without undue restriction.

  • Right of Access
    You may request a copy of your Personal Data held by the Company and information about how it is processed.
    Legal Basis: Article 28 of the APPI; Article 15 of the GDPR
  • Right to Rectification
    You may request correction of inaccurate, incomplete, or outdated Personal Data.
    Legal Basis: Article 29 of the APPI; Article 16 of the GDPR
  • Right to Erasure — Right to Be Forgotten
    You may request deletion of your Personal Data under the conditions set forth by applicable law.
    Legal Basis: Article 30 of the APPI; Article 17 of the GDPR
  • Right to Restriction of Processing
    You may request that the Company restrict the use or Processing of your Personal Data under certain conditions.
    Legal Basis: Article 18 of the GDPR
  • Right to Data Portability
    You may request to receive your Personal Data in a structured, commonly used, machine-readable format and to transfer it to another Data Controller.
    Legal Basis: Article 20 of the GDPR
  • Right to Object
    You may object to Processing based on legitimate interests or Processing for direct marketing purposes.
    Legal Basis: Article 30, Paragraph 2 of the APPI; Article 21 of the GDPR
  • Right to Withdraw Consent
    Where Processing of Personal Data is based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of Processing conducted before withdrawal.
    Legal Basis: Article 18 of the APPI; Article 7(3) of the GDPR
  • Right to Opt Out of the Sale of Personal Information — CCPA
    The Company does not sell, share, or rent Personal Data to third parties for commercial advertising purposes.
    Legal Basis: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Right to Lodge a Complaint with a Supervisory Authority
    You may lodge a complaint with the competent supervisory authority for personal data protection, such as the Personal Information Protection Commission of Japan (PPC), an EU Data Protection Authority (DPA), or the UK Information Commissioner’s Office (ICO).
    Legal Basis: Article 40 of the APPI; Article 77 of the GDPR
  • Rights Relating to Automated Decision-Making
    You have the right not to be subject to decisions based solely on automated processing without human review where such decisions produce legal effects or similarly significant effects.
    Legal Basis: Article 22 of the GDPR

Article 11.1 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to the following contact.

Email: privacy@this-is-earth.com
Postal Address: Win Aoyama 942, 2-2-15 Minami-Aoyama,
Minato-ku, Tokyo 107-0062, Japan
This Is Earth Inc.

Upon receiving your request, the Company will acknowledge receipt within five business days and respond within the period prescribed by applicable law, generally within 30 days; however, this may be extended by up to two months under the GDPR where the request is complex.

The Company may request identity verification before processing your request. The Company does not generally charge a fee unless the request is manifestly unfounded, excessively repetitive, or excessive. In such cases, the Company reserves the right to charge a reasonable administrative fee or refuse to process the request.

Article 11.2 Right to Lodge a Complaint with a Supervisory Authority

If you are not satisfied with the Company’s response to your Data Subject rights request, or if you believe that the Company has processed your Personal Data unlawfully, you have the right to lodge a complaint with the competent data protection supervisory authority.

  • Japan
    Personal Information Protection Commission (PPC)
    Website: www.ppc.go.jp
    Telephone: +81-3-6457-9849
  • European Union
    The data protection supervisory authority of the EU Member State where you reside. A list is available at www.edpb.europa.eu.
  • United Kingdom
    Information Commissioner’s Office (ICO)
    Website: www.ico.org.uk
    Telephone: 0303 123 1113
  • Switzerland
    Federal Data Protection and Information Commissioner (FDPIC)
    Website: www.edoeb.admin.ch
  • California
    California Privacy Protection Agency (CPPA)
    Website: www.cppa.ca.gov

Article 12 Children’s Privacy

The Company’s services are not primarily directed to individuals under the age of 16, or under the applicable age of digital consent in the relevant jurisdiction. The age of digital consent may vary by jurisdiction. For example, in the United States, the general threshold is 13 years old, while in the EU / EEA it may vary from 13 to 16 depending on Member State law.

The Company does not intend to collect Personal Data directly from minors and does not knowingly collect Personal Data from children below the applicable age of digital consent without verifiable consent from a parent or legal guardian. Where a child participates in a recording session as part of a legitimate organizational use or family use of the Service, the applicant or accompanying adult must obtain the necessary and lawful consent from the child’s parent or legal guardian.

If you become aware that a child under the applicable age of digital consent has provided Personal Data to the Company without verifiable parental consent, please contact privacy@this-is-earth.com immediately. The Company will promptly investigate and, if confirmed, delete such Personal Data.

Where the Company knowingly handles Personal Data of minors under a specific service contract, such as a recording project at an educational institution for which appropriate consent has been obtained, the Company applies the highest level of safeguards regarding data minimization, security, and retention limitations, taking into account the best interests of the child.

Where individuals other than the contracting party are involved in a recording session, including but not limited to family members, organizational Participants, group Participants, or any other persons appearing in the recording, the contracting party is solely responsible for obtaining all necessary and legally valid consents from such individuals before the recording session. If such individual is a minor, consent must be obtained from their parent or legal guardian.

The Company handles Audiovisual Data on the basis of the contracting party’s representation that all necessary consents have been obtained.

Article 13 Personal Data Breach Notification

13.1 Internal Response

If an actual or suspected Personal Data breach occurs, the Company will immediately take the following measures.

  • Activate the incident response plan
  • Take containment measures to prevent further spread of the breach and prevent unauthorized access or disclosure
  • Assess the scope, nature, and anticipated impact of the breach
  • Record all response measures taken

13.2 Notification to Supervisory Authorities

If a Personal Data breach is likely to result in a risk to the rights and freedoms of natural persons, the Company will notify the competent supervisory authority within the period prescribed by applicable law.

  • Under the GDPR for the EU / UK, the Company will notify the competent data protection supervisory authority within 72 hours after becoming aware of the Personal Data breach, pursuant to Article 33 of the GDPR.
  • Under the APPI of Japan, the Company will notify the Personal Information Protection Commission (PPC) without delay where necessary in accordance with the amended APPI effective April 2022.
  • Under California law, including the CCPA / CPRA, the Company will provide notice where necessary in accordance with California data breach notification laws, including California Civil Code Sections 1798.29 and 1798.82.

13.3 Notification to Affected Individuals

If a Personal Data breach is likely to result in a high risk to the rights and freedoms of affected individuals, the Company will notify such individuals directly and without undue delay. The notification will include the following matters.

  • The nature of the breach and the categories of Personal Data involved
  • The name and contact details of the Company’s data protection contact
  • The possible consequences of the breach
  • The measures taken or proposed to be taken to address the breach and mitigate its effects
  • Guidance on measures the individual may take to protect themselves

13.4 Personal Data Breach Recordkeeping

The Company maintains a comprehensive internal breach register recording the facts, effects, and remedial actions taken for all Personal Data breaches. All Personal Data breaches are recorded in this register regardless of whether notification was required. The register will be made available for inspection upon request from relevant supervisory authorities.

Article 14 — Marketing Communications and Opt-Out

The Company sends marketing or promotional communications only where you have provided explicit opt-in consent to receive such marketing or promotional communications. The Company will not add you to a marketing distribution list without your clear consent.

All marketing communications sent by the Company include a clear and functional opt-out mechanism. You may withdraw your consent to receive marketing communications at any time by any of the following methods.

  • Clicking the unsubscribe link included in each marketing email
  • Sending an email to unsubscribe@this-is-earth.com with the subject line “Unsubscribe”
  • Contacting the Company by telephone at 03-5734-1171

Withdrawal of consent to receive marketing communications does not affect the lawfulness of marketing-related Processing conducted before withdrawal. It also does not affect the Processing of your Personal Data for non-marketing purposes, such as service provision or legal compliance.

The Company does not use Personal Data obtained in connection with the Service for automated profiling or targeted advertising purposes without separate and explicit consent.

Article 15 — Regional Privacy Supplementary Provisions

The following regional provisions supplement the general provisions of this Privacy Policy. If there is any conflict between regional provisions and general provisions, the provision that provides the higher level of protection shall apply.

15.1 Japan — APPI

The Company is a business operator handling personal information under the Act on the Protection of Personal Information and handles Personal Information and Personal Data appropriately in accordance with the Act, other applicable laws and regulations, and guidelines published by the Personal Information Protection Commission (PPC).

The purposes of use of Personal Information are as set forth in Article 6 of this Privacy Policy. The Company will not use Personal Information beyond the scope of such purposes of use unless it has obtained the individual’s prior consent or is required by law.

Individuals may request disclosure, correction, deletion, or suspension of use of their Personal Information by contacting the Company at privacy@this-is-earth.com.

Provision of Personal Information to third parties located outside Japan shall comply with the requirements of Article 24 of the APPI, including ensuring that overseas recipients implement protective measures equivalent to those required under the APPI.

The Company will promptly respond to requests from the Personal Information Protection Commission (PPC) and fully cooperate with any regulatory inquiry or investigation.

15.2 European Economic Area (EEA) and United Kingdom — GDPR / UK GDPR

With respect to customers and Data Subjects located in the European Economic Area (EEA) or the United Kingdom, the Company acts as a Data Controller under the GDPR and UK GDPR, respectively. The legal bases for Processing Personal Data are as set forth in Article 5 of this Privacy Policy.

Where Personal Data is transferred from the EEA or the United Kingdom to a third country, the Company conducts such transfer using appropriate safeguards, such as Standard Contractual Clauses or adequacy decisions, as described in Article 8 of this Policy.

Data Subjects in the EEA or the United Kingdom have all rights set forth in Article 11 of this Privacy Policy, including the right to lodge a complaint with their national supervisory authority. The Company’s data protection contact for EU-related matters can be reached at privacy@this-is-earth.com.

The Company does not conduct automated decision-making or profiling that produces legal effects or similarly significant effects on individuals without human review.

15.3 Switzerland — Federal Act on Data Protection (FADP / nFADP)

With respect to Swiss Data Subjects, the Company processes Personal Data in accordance with the Swiss Federal Act on Data Protection (FADP / nFADP). Swiss Data Subjects have rights equivalent to those described in Article 11 of this Privacy Policy and may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

15.4 California, United States — CCPA / CPRA

California residents have certain rights under the CCPA and CPRA. These include the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing of Personal Information, and the right to non-discrimination for exercising privacy rights.

The Company does not “sell” or “share” Personal Information as defined under the CCPA / CPRA. The Company also does not use Personal Information for cross-context behavioral advertising without explicit consent.

California residents may submit requests regarding rights under the CCPA / CPRA to privacy@this-is-earth.com. The Company will verify the identity of the requester and respond within 45 days, which may be extended by an additional 45 days for complex requests.

In the past 12 months, the Company has not “sold” or “shared” Personal Information and does not intend to do so. The Company does not “sell” Personal Information as defined under California law.

The categories of Personal Information collected by the Company in the past 12 months and the categories of Personal Information disclosed for business purposes are as set forth in Articles 3 and 7 of this Privacy Policy.

15.5 All Other International Customers

For customers and Data Subjects located outside Japan, the European Economic Area (EEA), the United Kingdom, Switzerland, and California, the Company applies the general principles and standards set forth in this Privacy Policy. This includes the full set of Data Subject rights described in Article 11. The Company also complies, to the extent possible, with obligations under applicable local data protection laws.

Article 16 — Changes to This Privacy Policy

The Company reserves the right to update, amend, or replace this Privacy Policy at any time to reflect changes in applicable laws, changes in the Company’s Personal Data Processing practices, or changes in the Company’s services.

If there are material changes to this Privacy Policy, the Company will provide notice by the following methods.

  • Posting the revised Policy on the Company’s official website with the updated effective date clearly indicated
  • Sending notification emails to registered customers
  • Where required by applicable law, obtaining new consent before implementing material changes to the purposes for which the Company processes your Personal Data

The date stated at the beginning of this Policy, namely the effective date, indicates the date on which the current version of this Policy was last revised. The Company recommends that you review this Policy periodically to stay informed about how the Company protects your Personal Data.

If you continue to use the Company’s services after being notified of material changes to this Privacy Policy, you will be deemed to have agreed to the revised Policy to the extent permitted by applicable law. Where explicit consent to changes is required by applicable law, such as for new or expanded Processing purposes under the GDPR, the Company will obtain such consent separately.

Article 17 Contact Information

If you have any questions regarding this Privacy Policy, requests to exercise Data Subject rights, complaints, or other privacy-related inquiries, please contact the Company at the following.

  • Data Controller / Company
    This Is Earth Inc.
  • Data Protection Contact
    privacy@this-is-earth.com
  • Postal Address
    Win Aoyama 942, 2-2-15 Minami-Aoyama, Minato-ku, Tokyo 107-0062, Japan
  • Telephone Number — Japan
    03-5734-1171
  • Telephone Number — International
    +81-3-5734-1171
  • Support Hours
    Weekdays: 10:00–20:00 Japan Standard Time (JST)
  • Subject Line for Rights Requests
    “Data Subject Rights Request — [Your Name]”
  • Subject Line for Privacy Inquiries
    “Privacy Inquiry — [Your Name]”
  • Subject Line for Data Breach Reports
    “Urgent: Data Security Incident Report”
  • Japanese Personal Information Protection Supervisory Authority
    Personal Information Protection Commission (PPC) — www.ppc.go.jp
  • List of EU Data Protection Supervisory Authorities
    European Data Protection Board (EDPB) — www.edpb.europa.eu
  • UK Data Protection Supervisory Authority
    Information Commissioner’s Office (ICO) — www.ico.org.uk

Thank you for entrusting your Personal Data to This Is Earth Inc. The Company is committed to maintaining the highest standards in protecting your privacy, respecting your rights as a Data Subject, and properly managing Personal Data. If you have any questions, concerns, or comments regarding this Privacy Policy, please contact the Company.