• HOME
  • Privacy Policy

Privacy Policy

Personal Information Protection Policy

kaonavi, inc. (hereinafter the “Company”) believes that, amid an economic environment that is becoming increasingly globalized, Japan’s companies should pursue a new management style, and we are the company that provides various services such as the cloud-type talent management system “Kaonavi” to companies. As a company that handles companies’ employee information in the cloud, we believe that the most important elements are building a management system for personal information and strictly operating it. Therefore, we have stipulated a policy related to personal information protection as stated below, and we will work to have all employees be thoroughly knowledgeable and strive to protect personal information.

  • 1 In order to comply with the laws and ordinances of Japan, related to the handling of personal information, guidelines stipulated by the Japanese government, and other standards, the Company will formulate and appropriately operate a personal information protection management system that conforms to the Japanese Industrial Standard titled Personal Information Protection Management System – Requirements (JIS Q 15001).
  • 2 The Company will obtain, use, and provide appropriate personal information based on consideration of the content and the scale of business. This includes not handling personal information beyond the scope that is necessary for accomplishing the specified purposes of use and taking precautions for that purpose.
  • 3 In the event that the Company will consign all or a portion of the handling of personal information, it will conduct the necessary and appropriate supervision of the party that received the consignment in order to ensure the safe management of the personal information for which that handling was consigned.
  • 4 Excluding cases in which the relevant person has agreed, or cases based on laws and ordinances, the Company will not provide personal information to third parties.
  • 5 The Company will take precautions to prevent and rectify leaks, loss, and damage to personal information.
  • 6 The Company will strive to appropriately and quickly handle complaints and consultations related to the handling of personal information. We also accept requests for the disclosure (notification of purposes of use, disclosure, correction, addition, deletion, or suspension of use or provision) of personal information that is subject to disclosure and in the possession of the Company. For information about the procedures for requesting disclosure, please contact the office responsible for complaints or consultations about personal information as stated below.
  • 7 The company will conduct continuous improvements of the personal information protection management system.

Hiroyuki Sato
Representative Director, President & Co-CEO kaonavi, inc

Formulation: May 27, 2008
Revision: August 14, 2024

Our handling of personal information

1 Purpose of use of personal information

The purposes of use of the personal information we handle are as follows.

  • 1 Personal information provided by the customers who concluded a contract for our service

    1.1 Employee information stated by the customer in the contract documents, such as the application form

    ・Provide, manage, and operate our service

    ・Provide the necessary communication to the customer for using our service

    ・Provide information about services, events, and seminars related to our service

    1.2 Customer employee information provided by the customer through our service
    ・Perform the contracted service
    The storage period shall be for the duration of the contract, and deletion shall take place after contract ends.
  • 2 Personal information provided by the member through the kaonavi campus online

    * Includes information directly input by the member in the kaonavi campus online, as well as information about the actions taken through use by the member.

    • ・Provide, manage, and operate our service and the kaonavi campus online
    • ・Provide the necessary communication to the member for using the kaonavi campus online
    • ・Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution
    • ・Marketing activities, customer engagement activities, and other sales activities, such as usage proposals to members
  • 3 Personal information about persons who receive information related to our services and events

    3.1 Personal information about customers who participated in our PR activities, such as an event, seminar, or campaign

    ・Operate and manage the provision of our services (including event and seminar co-sponsors, provision of participant information and questionnaire information to supporting companies and operation and management of campaigns)

    ・Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution (In the course of providing you with information, we may outsource a part of the handling of personal data to external contractors, such as ad-serving companies.)

    ・Create, use, disclose, and provide statistical data about our services to the extent it is not possible to identify specific individuals

    ・Improve and enhance our services and create, use, and provide marketing materials using data that has been processed so it can no longer be used to identify specific individuals

    3.2 Personal information about customers who are considering using our services

    ・Provide information about our services and respond to inquiries from customers

    ・Perform work duties in relation to the above and contact the potential customers

    ・Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution (In the course of providing you with information, we may outsource a part of the handling of personal data to external contractors, such as ad-serving companies.)

    ・Create, use, disclose, and provide statistical data about our services to the extent that it is not possible to identify specific individuals

    ・Improve and enhance our services and create, use, and provide marketing materials using data that has been processed so it can no longer be used to identify specific individuals

    3.3 Personal information about persons who disclose information

    ・Provide information about our products, services, events, and seminars by postal mail, telephone, email, and distribution of advertisements (when providing such information, part of the handling of personal data may be outsourced to an external party such as an advertisement distributor.)

  • 4 Personal information about business partners, such as sales partners, introduction partners, contractors, and other cooperative and affiliated companies

    ・Appropriately manage the details of the contracts concluded with our business partners (“Appropriately manage the details of the contracts” includes “the use of information prior to concluding the contract” and “the use of information after termination of the contract”).

  • 5 Personal information about persons who consider joining our company

    ・Provide information about employment and job opportunities and communicate with applicants and persons who are interested in joining our company

    ・Employment screening

  • 6 Personal information about our executive officers and employees

    • ・Business related communication, creation of employee registries, other procedures required by law (including after resignation of the employee), and other employment management.
    • ・Personnel evaluations and deciding where the employee will be assigned, loaned, or dispatched
    • ・Decide and pay the consideration, perform the tax and social insurance related procedures, and provide the benefit program
    • ・Take security management measures through surveillance cameras or online monitoring
    • ・Our PR activities, PR in advertising materials or advertising activities
    • ・Our sales activities and customer support
    • ・Appropriate health management (health information about workers, such as the results of the health checkup, will not be acquired, used, or provided unless such is based on law)
    • ・Acquire licenses, permissions, and certification and perform audit procedures
  • 7 Personal information about the family of our executive officers and employees

    ・Emergency contact

    ・Perform the social insurance related procedures and provide the benefit program

  • 8 Personal information about resigning employees

    ・Create personnel data and communication after resignation

  • 9 Personal information about shareholders

    ・Exercise the rights and perform duties under the Companies Act and commercial law

    ・Implement various measures for securing a better relationship with our shareholders

    ・Create shareholder data in accordance with the designated standards based on the laws and regulations and other shareholder management.

  • 10 Personal information of persons who submitted an inquiry

    ・Reply to and communicate in relation to the inquiry

    ・Improve the quality of telephone support and accurately grasp the details of the inquiry

* Above information other than 1.2 is personal data in our possession.

2 Personal data in our possession

  • 1. Name, address, and name of the representative of the entity responsible for handling personal information

    kaonavi, inc.
    2-24-12 Shibuya, Shibuya-ku, Tokyo
    Representative Director, President & Co-CEO
    Hiroyuki Sato

  • 2. Title, affiliated division and contact information of Personal Information Protection Administrator

    Division Manager, Corporate Division
    Please click here to contact us with any inquiries concerning personal information.

  • 3. Purpose of use of the personal data in our possession

    Of the purposes of use indicated in the above paragraph 1 “Purpose of use of personal information,” items other than 1.2 are the purposes of use of the personal data in our possession.

  • 4. Provision of personal information to third parties

    • (1) Provision of personal information to third parties when holding an event or seminar

      When holding an event or seminar and we plan to provide personal information to a third party, such as a co-sponsor, we will do so after obtaining prior consent.

      [a] Information recipients
      Co-sponsors of the event or seminar
      [b] Purpose of use at the recipients
      • 1)Provide information about our services and the services provided by the recipients
      • 2)Provide information about the products, services, events, and seminars of our company or the recipient by postal mail, telephone, and email
      • 3)Perform work duties in relation to the above, provide communication, carry out procedures, and respond to inquiries
      [c] Details of the personal information to be provided
      • 1)Company name, name of the affiliated organization, name of the affiliated division, job title, such as the name of the position, name, address, telephone number, email address, and other contact information
      • 2)Other information acquired through events and seminars
        The above items do not include data stored on our services.
      [d] Method of third-party provision
      Provide as a written document or data
      [e] In the event any matters not stipulated above occur, when obtaining consent for the third-party provision of personal information, the specific matters will be individually indicated in advance.
    • (2) In addition to the above, unless consent is obtained from the subject person or provision is conducted in accordance with the laws and regulations, acquired personal information will not be provided to third parties.
  • 5. Contracting the handling of personal information

    • (1) All or part of the handling of acquired personal information may be contracted. External contractors will be an entity that conforms to the criteria set forth by the company. By concluding an agreement concerning the handling of personal information and grasping the status of handling of personal information by the contractor, the necessary and appropriate supervision will be provided for the security management of personal information.
    • (2) Our subcontractors based on the provision of Article 20 of the Terms of Use of the kaonavi Service shall be as follows:
    • [a] Caster Co., Ltd.
      Details of the contracted service: Responses to the security status questionnaires
      [b] Bell System 24, Inc.
      Details of the contracted service: Respond to customer inquiries at the support desk
  • 6. Security management measures for the personal data in our possession

    As stated in the “Matters concerning security management measures for personal data” below.

  • 7. Point of contact for complaints concerning the handling of personal data in our possession

    “Point of contact for complaints and consultations regarding personal information” (stated at the end of the document)

  • 8. Name of the accredited personal information protection organization and point of contact for complaint resolution

    The company is a target entity of an accredited personal information protection organization of the Japan Institute for Promotion of Digital Economy and Community (JIPDEC).
    Name of the accredited personal information protection organization: JIPDEC
    Point of contact for complaint resolution: Accredited Personal Information Protection Organizations Administrative Office (Only available in Japanese)
    Address
    Roppongi First Building, 1-9-9 Roppongi, Minato-ku, Tokyo 106-0032
    Telephone number:
    03-5860-7565
    0120-700-779

  • 9. Procedure for responding to requests for disclosure

    • (1) Point of contact for requesting disclosure

      “Point of contact for complaints and consultations regarding personal information” (stated at the end of the document)

    • (2) Forms to be submitted when requesting disclosure and other procedures for requesting disclosure

      Submit the following documents to the “Point of contact for complaints and consultations regarding personal information.” We will process your request as quickly as possible.

      [a] Disclosure request form designated by our company
      Person requesting disclosure
      [b] Identity verification document
      • 1)When requested by the subject person

        The subject person’s public certificate (copy)

      • 2)When requested by a proxy

        Of the documents listed below, all that apply.

        ●1 In the case of a person with parental authority (or minor ward)

        ・A copy of a public certificate that can be used to confirm the subject person’s current address and permanent address

        ・A copy of the family register (certificate of all matters)

        ・A copy of a public certificate that can be used to confirm the proxy’s current address and permanent address

        ●2 In the case of an adult guardian (legal representative of an adult ward)

        ・A copy of a public certificate that can be used to confirm the subject person’s current address

        ・A copy of the certificate of registered matters (that indicate the proxy is the legal representative of the subject person)

        ・A copy of a public certificate that can be used to confirm the proxy’s current address

        ●3 In the case of a proxy with letter of attorney

        ・A copy of the seal-impression certificate

        ・Letter of attorney designated by the company (impressed with the subject person’s registered seal)
        A letter of attorney

        ・A copy of a public certificate that can be used to confirm the proxy’s current address (in the case of a lawyer, the registration number is also acceptable). “Public certificate” refers to a driver’s license, health insurance card or pension booklet, basic resident’s registration card with photo, passport, special permanent resident certificate, residency card, seal impression certificate, certified copy of the resident register, copy of the family register or a partial excerpt of the family register, copy of the certificate of information recorded in the foreign resident registration file, and other documents. The submitted identity verification document will be used as follows. Please send such documents only when you consent to the following use.

        ・The personal information will be used for responding to requests for disclosure from the subject person.

        ・Depending on the identity verification document submitted, the company may acquire personal information requiring special care.

        ・Unless required by law or regulation, the personal information will not be provided to a third party without consent from the subject person.

        ・When the identity of the subject person cannot be verified using the identity verification document, the company may not be able to fulfill the request for disclosure.

      [c] Fees
      Requests for the notification of the purpose of use or disclosure will be charged a fee of 1,000 yen per request. Please enclose a 1,000-yen postal money order along with the above documents. When the fee is not enclosed as instructed above, the requestor will be notified to that effect, and if the requestor fails to make the payment within the designated period of time, the request for disclosure will be deemed not to have been made. The submitted documents will not be returned, in principle.
    • (3) When disclosure is unable to be made

      In the event any of the following applies, the disclosure will not be made. When it is decided not to disclose the information, such decision will be reported to the requester in writing. Please note that even in the case of nondisclosure, the designated fee will be charged.

      • [a] When it is likely to harm the life, physical well-being, property, or other rights and interests of the subject person or a third party
      • [b] When it is likely to significantly hinder the proper operation of the company’s business
      • [c] When another law or regulation will be violated
      • [d] When there is an omission in the designated request form or some of the designated documents are not submitted
      • [e] When the fee is not paid in full

3 Matters concerning security management measures for personal data

  • 1. Formulation of a privacy policy

    In order to secure the proper handling of personal data, the company has formulated a privacy policy for compliance with the related laws, regulations, and guidelines, as well as the formulation and operation of a personal information protection management system in conformity to the Japanese Industrial Standards Personal Information Protection Management System – Requirements (JIS Q 15001) and acceptance of complaints and consultations.

  • 2. Establishment of guidelines concerning the handling of personal data

    The company has formulated standards and rules concerning the handling method, responsible persons and persons in charge, and the assigned work duties for each phase of acquisition, use, storage, provision, deletion, and disposal.

  • 3. Organizational security management measures

    • (1) Establishment of organizational structures

      The company has appointed a Personal Information Protection Administrator for the handling of personal data and clarified the responsibilities.
      The company has clarified the scope of personal data handling by the employees and business partners who handle personal data.

    • (2) Operation in accordance with the rules concerning the handling of personal data

      The company acquires a log of the use of the personal database and status of output.
      In addition to conducting regular self-inspections concerning the status of personal data handling, the company conducts an internal audit or certification audit by an external institution at least once a year.

    • (3) Establishment of means for confirming the status of personal data handling

      The personal data items, responsible person, purpose of use, and other handling status are recorded in a ledger.

    • (4) Establishment of a system for responding to incidents, such as information leaks

      The company has established a flow for responding to incidents, as well as a reporting line to the Personal Information Protection Administrator in the event of an accident, violation, or the risk thereof set forth in our laws and regulations, such as Personal Information Protection Act and company rules.

    • (5) Grasping the status of handling and reviewing the security management measures

      In addition to conducting regular self-inspections concerning the status of personal data handling, the company conducts an internal audit or certification audit by an external institution at least once a year.

  • 4. Human security management measures

    Regarding the points to note in relation to the handling of personal data, the company provides educational training to its employees after initially joining the company and at least once a year.
    Matters concerning the confidentiality of personal data are included in the written pledge submitted when joining/ leaving the company and in the Work Rules.

  • 5. Physical security management measures

    • (1) Control of the areas where personal data is handled

      Entry and exit to and from offices is controlled.
      Data center that our services use complies with the provisions of Amazon Web Services that serve as our data center.

    • (2) Measures implemented against the loss of a device or electronic media

      Personal data is stored in cloud storage, and measures are implemented against the theft or the loss of a device through HDD encryption.

    • (3) Prevention of information leaks when carrying around electronic media

      Devices are controlled to prevent storage of data using portable storage media, such as USB memory sticks.

    • (4) Deletion of personal data and disposal of devices and electronic media

      When disposing of personal data, the company selects an appropriate entity, implements logical deletion, and obtains a certificate of disposal.

  • 6. Technical security management measures

    • (1) Access controls

      Accounts that can be used to access the data are only granted to the minimum necessary persons who are approved by the Personal Information Protection Administrator, and usage logs are monitored.

    • (2) Identification and authentication of users

      The company issues and authenticates accounts individually.

    • (3) Prevention of unauthorized access by external parties

      The company has installed a firewall and antivirus software on the devices.
      The company manages intrusion detection such as monitoring system and access control for an information system that handles critical data.

    • (4) Prevention of leaks through the use of information systems

      The company uses antimalware and Web filtering.
      The company uses TLS(1.2) and VPN for encrypting the communication channels, and for the data storage area, the database data is encrypted at the storage layer.

  • 7. Grasping the external environment

    For overseas countries where personal data is stored, the company understands the regulations concerning personal information protection in those countries and implements security management measures. Please refer to section 2 “Storage of personal data on overseas servers” in 4 below.

4 Handling of personal data overseas

  • 1. Contracting the handling of personal data overseas

    • (1) Method of establishing the system set forth in Article 28 (1) of the Personal Information Protection Act

      The company examines the details of the contract agreement, such as the contractor’s terms of use, in advance and determines whether or not to use the contractor.

    • (2) Outline of the corresponding measures taken by the contractor

      The agreement sets forth that the personal data will be used within the scope of the specified purpose of use, improper use is prohibited, the appropriate security management measures will be implemented, and the necessary and appropriate supervision will be implemented for the employees, as well as the criteria for selecting subcontractors and prohibition of third-party provision of personal data.

    • (3) Frequency and method of confirming system establishment

      Every time the terms of use are revised, the details of the terms of use are confirmed.
      The legal system is confirmed every year based on the information announced by the Personal Information Protection Commission and other government institutions in Japan.

    • (4) Names of the countries where contractors are located

      As shown in the list of contractors in ⑻ below.

    • (5) Existence and outline of the systems in overseas countries that may impact the implementation of the corresponding measures by the contractors

      There are no such systems.

    • (6) Existence and outline of the obstacles for the implementation of the corresponding measures by the contractors

      There are no such obstacles.

    • (7) Outline of the measures implemented by the company in the event there is an obstacle for the implementation of the corresponding measures

      When a contractor handles personal information in violation of the contract agreement, including the abovementioned corresponding measures, in accordance with the contract agreement, the contractor will be requested to promptly correct such handling.
      In the event such violation is not corrected within a reasonable period of time and it is deemed difficult to ensure continuous implementation of the corresponding measures, the company will suspend the provision of personal information to the contractor.
      When it is confirmed that a law is amended as described below in a foreign country where the contractor is located, the company will suspend the handling of personal information by the contractor.

      • 1)System that enables a wide range of information collection by the government concerning the personal information possessed by entities through the imposition of a broad obligation for entities to cooperate with the government’s information collection activities
      • 2)System concerning the obligation to store personal information within the country in a manner that may preclude entities from responding to requests for deletion of personal information from the subject person
    • (8) List of contractors

      Meta Platforms, Inc. (The United States)
      Zoom Video communications, Inc. (The United States)
      Mailgun Technologies, Inc. (The United States) *Contractor for the “roummate” service
      Okta Inc. (The United States) *Contractor for the “yojitsutics” service

  • 2. Storage of personal data on servers overseas

5 Recording of calls

When you call us or when we contact you, we may record the content of the call in order to accurately understand your request or inquiry and to improve our services in the future.

6 Use of Cookies and acquisition of status of use and attribute information of customers

The company may acquire the status of use and attribute information of customers (limited to information that cannot be used to identify a specific individual through a combination with other such information) using Cookies, Web beacons, or similar technology (hereinafter referred to as “Cookies”) in order to protect the privacy of customers who use the services provided by our company and who use this homepage, improve usability, distribute advertisements and acquire statistical data. The company uses behavior targeted advertising services provided by the following companies through the use of Cookies in order to distribute optimum advertisements to customers. To invalidate these services, it is necessary to access the website of each company and follow the indicated instructions.

Use of Google Analytics
We use Google Analytics for the collection and analysis of access logs on our homepage. Google Analytics uses Cookies sent from this website to the user’s browser to collect the access log of the homepage without information that can be used to identify specific individuals. The access log collected in Google Analytics is managed in accordance with the Privacy Policy of Google. Cookies can be invalidated by changing your browser settings. Also, you can suspend the collection of customer information using Google Analytics by installing Google Analytics Opt-out Ad-on and changing your browser ad-on settings.
Google Analytics Terms of Use
Google Privacy Policy
Google Analytics Opt-out Ad-on

< Point of contact for complaints and consultations regarding personal information>

Company name: kaonavi, inc.
Personal Information Protection Administrator: Division Manager, Corporate Division
Address:
SHIBUYA SCRAMBLE SQUARE 38F 2-24-12 Shibuya, Shibuya-ku, Tokyo 150-6138

Please contact us from here with any inquiries concerning personal information.

< Inquiries concerning personal information in relation to the services>

Revised on: July 12, 2024