Personal Information Protection Policy

kaonavi, inc. (hereinafter the “Company”) believes that, in an increasingly globalized economic environment, Japan’s companies should pursue a new management style, and we provide the cloud-based human resources management tool “Kaonavi” to companies. As a company that handles companies’ employee information in the cloud, we believe that the most important elements are building a management system for personal information and strictly operating it. Therefore, we have stipulated a policy on personal information protection as stated below, and we will work to make all employees thoroughly familiar with it and strive to protect personal information.

  1. In order to comply with the laws and ordinances of Japan related to the handling of personal information, guidelines stipulated by the Japanese government, and other standards, the Company will formulate and appropriately operate a personal information protection management system that conforms to the Japanese Industrial Standard titled Personal Information Protection Management System – Requirements (JIS Q 15001).

  2. The Company will obtain, use, and provide appropriate personal information based on consideration of the content and the scale of business. This includes not handling personal information beyond the scope that is necessary for accomplishing the specified purposes of use and taking precautions for that purpose.

  3. In the event that the Company will consign all or a portion of the handling of personal information, it will conduct the necessary and appropriate supervision of the party that received the consignment in order to ensure the safe management of the personal information for which that handling was consigned.

  4. Excluding cases in which the relevant person has agreed, or cases based on laws and ordinances, the Company will not provide personal information to third parties.

  5. The Company will take precautions to prevent and rectify leaks, loss, and damage to personal information.

  6. The Company will strive to appropriately and quickly handle complaints and consultations related to the handling of personal information. We also accept requests for the disclosure (notification of purposes of use, disclosure, correction, addition, deletion, or suspension of use or provision) of personal information that is subject to disclosure and in the possession of the Company. For information about the procedures for requesting disclosure, please contact the office responsible for complaints or consultations about personal information as stated below.

  7. The Company will continuously improve the personal information protection management system.

Formulation: May 27, 2008
Revision: November 24, 2020
Hiroki Yanagihashi
President and Representative Director, kaonavi, inc.

Our handling of personal information

  1. Purpose of use of personal information

    The purposes of use of the personal information we handle are as follows.

    • Personal information provided by the customers who concluded a contract for the kaonavi service

      • Employee information stated by the customer in the contract documents, such as the application form

        • Provide, manage, and operate the kaonavi service

        • Provide the necessary communication to the customer for using the kaonavi service

        • Provide information about services, events, and seminars related to the kaonavi service

      • Customer employee information provided by the customer through the kaonavi service

        • Perform the contracted service

    • Personal information provided by the member through the kaonavi campus online
      * Includes information directly input by the member in the kaonavi campus online, as well as information about the actions taken through use by the member.

      • Provide, manage, and operate the kaonavi service and the kaonavi campus online

      • Provide the necessary communication to the member for using the kaonavi campus online

      • Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution

      • Marketing activities, customer engagement activities, and other sales activities, such as usage proposals to members

    • Personal information about customers who are interested in our services and events

      • Personal information about customers who participated in our PR activities, such as an event, seminar, or campaign

        • Operate and manage the provision of our services (including event and seminar co-sponsors, provision of participant information and questionnaire information to supporting companies and operation and management of campaigns)

        • Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution

        • Create, use, disclose, and provide statistical data about our services to the extent it is not possible to identify specific individuals

        • Improve and enhance our services and create, use, and provide marketing materials using data that has been processed so it can no longer be used to identify specific individuals

      • Personal information about customers who are considering using our services

        • Provide information about our services and respond to inquiries from customers

        • Perform work duties in relation to the above and contact the potential customers

        • Provide information about our products, services, events, and seminars by postal mail, telephone, email, and advertisement distribution

        • Create, use, disclose, and provide statistical data about our services to the extent that it is not possible to identify specific individuals

        • Improve and enhance our services and create, use, and provide marketing materials using data that has been processed so it can no longer be used to identify specific individuals

    • Personal information about business partners, such as sales partners, introduction partners, contractors, and other cooperative and affiliated companies

      • Appropriately manage the details of the contracts concluded with our business partners (“Appropriately manage the details of the contracts” includes “the use of information prior to concluding the contract” and “the use of information after termination of the contract”).

    • Personal information about persons who consider joining our company

      • Provide information about employment and job opportunities and communicate with applicants and persons who are interested in joining our company

      • Employment screening

    • Personal information about our executive officers and employees

      • Business related communication, creation of employee registries, other procedures required by law (including after resignation of the employee), and other employment management.

      • Personnel evaluations and deciding where the employee will be assigned, loaned, or dispatched

      • Decide and pay the consideration, perform the tax and social insurance related procedures, and provide the benefit program

      • Take security management measures through surveillance cameras or online monitoring

      • Our PR activities, PR in advertising materials or advertising activities

      • Our sales activities and customer support

      • Appropriate health management (health information about workers, such as the results of the health checkup, will not be acquired, used, or provided unless such is based on law)

      • Acquire licenses, permissions, and certification and perform audit procedures

    • Personal information about the family of our executive officers and employees

      • Emergency contact

      • Perform the social insurance related procedures and provide the benefit program

    • Personal information about resigning employees

      • Create personnel data and communication after resignation

    • Personal information about shareholders

      • Exercise the rights and perform duties under the Companies Act and commercial law

      • Implement various measures for securing a better relationship with our shareholders

      • Create shareholder data in accordance with the designated standards based on the laws and regulations and other shareholder management.

    • Personal information of persons who submitted an inquiry

      • Reply to and communicate in relation to the inquiry

      • Improve the quality of telephone support and accurately grasp the details of the inquiry

    * The above information, other than 1.2, is personal data in our possession.

  2. Personal data in our possession

    • Name, address, and name of the representative of the entity responsible for handling personal information

      kaonavi, Inc.
      1-3-1 Toranomon, Minato-ku, Tokyo
      Representative Director, President & CEO Hiroki Yanagihashi

    • Title, affiliated division and contact information of the Personal information protection manager

      Division Manager, Corporate Division
      Please click here to contact us with any inquiries concerning personal information.

    • Purpose of use of the personal data in our possession

      Of the purposes of use indicated in the above paragraph 1 “Purpose of use of personal information,” items other than 1.2 are the purposes of use of the personal data in our possession.

    • Provision of personal information to third parties

      • Provision of personal information to third parties when holding an event or seminar

        When holding an event or seminar and we plan to provide personal information to a third party, such as a co-sponsor, we will do so after obtaining prior consent.

        • Information recipients

          Co-sponsors of the event or seminar

        • Purpose of use at the recipients

          • Provide information about our services and the services provided by the recipients

          • Provide information about the products, services, events, and seminars of our company or the recipient by postal mail, telephone, and email

          • Perform work duties in relation to the above, provide communication, carry out procedures, and respond to inquiries

        • Details of the personal information to be provided

          • Company name, name of the affiliated organization, name of the affiliated division, job title, such as the name of the position, name, address, telephone number, email address, and other contact information

          • Other information acquired through events and seminars

            The above items do not include data stored by kaonavi.

        • Method of third-party provision

          Provide as a written document or data

        • In the event any matters not stipulated above occur, when obtaining consent for the third-party provision of personal information, the specific matters will be individually indicated in advance.

      • In addition to the above, unless consent is obtained from the subject person or provision is conducted in accordance with the laws and regulations, acquired personal information will not be provided to third parties.

    • Contracting the handling of personal information

      All or part of the handling of acquired personal information may be contracted. External contractors will be entities that conform to the criteria set forth by the company. By concluding an agreement concerning the handling of personal information and grasping the status of handling of personal information by the contractor, the necessary and appropriate supervision will be provided for the security management of personal information.

    • Security management measures for the personal data in our possession

      As stated in the “Matters concerning security management measures for personal data” below.

    • Point of contact for complaints concerning the handling of personal data in our possession

      “Point of contact for complaints and consultations regarding personal information” (stated at the end of the document)

    • Name of the accredited personal information protection organization and point of contact for complaint resolution

      The company is a target entity of an accredited personal information protection organization of the Japan Institute for Promotion of Digital Economy and Community (JIPDEC).
      Name of the accredited personal information protection organization: JIPDEC
      Point of contact for complaint resolution: Personal Information Protection Consultation Service Office
      Address: Roppongi First Building, 1-9-9 Roppongi, Minato-ku, Tokyo 106-0032
      Telephone number: 03-5860-7565, 0120-700-779

    • Procedure for responding to requests for disclosure

      • Point of contact for requesting disclosure

        “Point of contact for complaints and consultations regarding personal information” (stated at the end of the document)

      • Forms to be submitted when requesting disclosure and other procedures for requesting disclosure

        Submit the following documents to the “Point of contact for complaints and consultations regarding personal information.” We will process your request as quickly as possible.

        • Disclosure request form designated by our company

          Person requesting disclosure

        • Identity verification document

          • When requested by the subject person

            The subject person’s public certificate (copy)

          • When requested by a proxy

            Of the documents listed below, all that apply.

            • In the case of a person with parental authority (or minor ward)

              • A copy of a public certificate that can be used to confirm the subject person’s current address and permanent address

              • A copy of the family register (certificate of all matters)

              • A copy of a public certificate that can be used to confirm the proxy’s current address and permanent address

            • In the case of an adult guardian (legal representative of an adult ward)

              • A copy of a public certificate that can be used to confirm the subject person’s current address

              • A copy of the certificate of registered matters (that indicate the proxy is the legal representative of the subject person)

              • A copy of a public certificate that can be used to confirm the proxy’s current address

            • In the case of a proxy with letter of attorney

              • A copy of the seal-impression certificate

              • Letter of attorney designated by the company (impressed with the subject person’s registered seal)
                A letter of attorney

              • A copy of a public certificate that can be used to confirm the proxy’s current address (in the case of a lawyer, the registration number is also acceptable).

          “Public certificate” refers to a driver’s license, health insurance card or pension booklet, basic resident’s registration card with photo, passport, special permanent resident certificate, residency card, seal impression certificate, certified copy of the resident register, copy of the family register or a partial excerpt of the family register, copy of the certificate of information recorded in the foreign resident registration file, and other documents.

          The submitted identity verification document will be used as follows. Please send such documents only when you consent to the following use.

              • The personal information will be used for responding to requests for disclosure from the subject person.

              • Depending on the identity verification document submitted, the company may acquire personal information requiring special care.

              • Unless required by law or regulation, the personal information will not be provided to a third party without consent from the subject person.

              • When the identity of the subject person cannot be verified using the identity verification document, the company may not be able to fulfill the request for disclosure.

        • Fees

          Requests for the notification of the purpose of use or disclosure will be charged a fee of 1,000 yen per request. Please enclose a 1,000-yen postal money order along with the above documents. When the fee is not enclosed as instructed above, the requestor will be notified to that effect, and if the requestor fails to make the payment within the designated period of time, the request for disclosure will be deemed not to have been made. The submitted documents will not be returned, in principle.

      • When disclosure is unable to be made

        In the event any of the following applies, the disclosure will not be made. When it is decided not to disclose the information, such decision will be reported to the requester in writing. Please note that even in the case of nondisclosure, the designated fee will be charged.

        • When it is likely to harm the life, physical well-being, property, or other rights and interests of the subject person or a third party

        • When it is likely to significantly hinder the proper operation of the company’s business

        • When another law or regulation will be violated

        • When there is an omission in the designated request form or some of the designated documents are not submitted

        • When the fee is not paid in full

  3. Matters concerning security management measures for personal data

    • Formulation of a privacy policy

      In order to secure the proper handling of personal data, the company has formulated a privacy policy for compliance with the related laws, regulations, and guidelines, as well as the formulation and operation of a personal information protection management system in conformity to the Japanese Industrial Standards Personal Information Protection Management System – Requirements (JIS Q 15001) and acceptance of complaints and consultations.

    • Establishment of guidelines concerning the handling of personal data

      The company has formulated standards and rules concerning the handling method, responsible persons and persons in charge, and the assigned work duties for each phase of acquisition, use, storage, provision, deletion, and disposal.

    • Organizational security management measures

      • Establishment of organizational structures

        The company has appointed a Personal information protection manager for the handling of personal data and clarified the responsibilities.

        The company has clarified the scope of personal data handling by the employees and business partners who handle personal data.

      • Operation in accordance with the rules concerning the handling of personal data

        The company acquires a log of the use of the personal database and status of output.

        In addition to conducting regular self-inspections concerning the status of personal data handling, the company conducts an internal audit or certification audit by an external institution at least once a year.

      • Establishment of means for confirming the status of personal data handling

        The personal data items, responsible person, purpose of use, and other handling status are recorded in a ledger.

      • Establishment of a system for responding to incidents, such as information leaks

        The company has established a flow for responding to incidents, as well as a reporting line to the Personal information protection manager in the event of an accident, violation, or the risk thereof set forth in our laws and regulations, such as the Personal Information Protection Act, and company rules.

      • Grasping the status of handling and reviewing the security management measures

        In addition to conducting regular self-inspections concerning the status of personal data handling, the company conducts an internal audit or certification audit by an external institution at least once a year.

    • Human security management measures

      Regarding the points to note in relation to the handling of personal data, the company provides educational training to its employees after initially joining the company and at least once a year.

      Matters concerning the confidentiality of personal data are included in the written pledge submitted when joining or leaving the company and in the Work Rules.

    • Physical security management measures

      • Control of the areas where personal data is handled

        Entry and exit to and from offices is controlled.

        The kaonavi service data center complies with the provisions of Amazon Web Services, which serves as our data center.

      • Measures implemented against the loss of a device or electronic media

        Personal data is stored in cloud storage, and measures are implemented against the theft or the loss of a device through HDD encryption.

      • Prevention of information leaks when carrying around electronic media

        Devices are controlled to prevent storage of data using portable storage media, such as USB memory sticks.

      • Deletion of personal data and disposal of devices and electronic media

        When disposing of personal data, the company selects an appropriate entity, implements logical deletion, and obtains a certificate of disposal.

    • Technical security management measures

      • Access controls

        Accounts that can be used to access the data are only granted to the minimum necessary persons who are approved by the Personal information protection manager, and usage logs are monitored.

      • Identification and authentication of users

        The company issues and authenticates accounts individually.

      • Prevention of unauthorized access by external parties

        The company has installed a firewall and antivirus software on the devices.

        The infrastructure used for kaonavi service is equipped with traffic-based intrusion detection and protection.

      • Prevention of leaks through the use of information systems

        The company uses antimalware and Web filtering.

        The company uses TLS (1.2) and VPN to encrypt the communication channels, and for the data storage area, the database data is encrypted at the storage layer.

    • Grasping the external environment

      For overseas countries where personal data in our possession is stored, the company understands the regulations concerning personal information protection in those countries and implements security management measures. Please refer to section 2 “Storage of personal data in our possession on overseas servers” in 4 below.

  4. Handling of personal data overseas

    • Contracting the handling of personal data overseas

      • Method of establishing the system set forth in Article 28 (1) of the Personal Information Protection Act

        The company examines the details of the contract agreement, such as the contractor’s terms of use, in advance and determines whether or not to use the contractor.

      • Outline of the corresponding measures taken by the contractor

        The agreement sets forth that the personal data will be used within the scope of the specified purpose of use, improper use is prohibited, the appropriate security management measures will be implemented, and the necessary and appropriate supervision will be implemented for the employees, as well as the criteria for selecting subcontractors and prohibition of third-party provision of personal data.

      • Frequency and method of confirming system establishment

        Every time the terms of use are revised, the details of the terms of use are confirmed.

        The legal system is confirmed every year based on the information announced by the Personal Information Protection Commission and other government institutions in Japan.

      • Names of the countries where contractors are located

        As shown in the list of contractors in ⑻ below.

      • Existence and outline of the systems in overseas countries that may impact the implementation of the corresponding measures by the contractors

        There are no such systems.

      • Existence and outline of the obstacles for the implementation of the corresponding measures by the contractors

        There are no such obstacles.

      • Outline of the measures implemented by the company in the event there is an obstacle for the implementation of the corresponding measures

        When a contractor handles personal information in violation of the contract agreement, including the abovementioned corresponding measures, in accordance with the contract agreement, the contractor will be requested to promptly correct such handling.

        In the event such violation is not corrected within a reasonable period of time and it is deemed difficult to ensure continuous implementation of the corresponding measures, the company will suspend the provision of personal information to the contractor.

        When it is confirmed that a law is amended as described below in a foreign country where the contractor is located, the company will suspend the handling of personal information by the contractor.

        • System that enables a wide range of information collection by the government concerning the personal information possessed by entities through the imposition of a broad obligation for entities to cooperate with the government’s information collection activities

        • System concerning the obligation to store personal information within the country in a manner that may preclude entities from responding to requests for deletion of personal information from the subject person

      • List of contractors

        Meta Platforms, Inc. (The United States)

        Qualtrics, LLC (The United States)

        Zoom Video Communications, Inc. (The United States)

    • Storage of personal data on servers overseas

      | Service | Service provider | Server location | Information about the legal systems in server locations |
      |---|---|---|---|
      | Facebook | Meta Platforms, Inc. | The United States of America | The United States of America (Federal): https://www.ppc.go.jp/files/pdf/USA_report.pdf |
      | Google workplace | Google LLC | The United States of America, Republic of Chile, Taiwan, Republic of Singapore (*) | The United States of America (Federal): https://www.ppc.go.jp/files/pdf/USA_report.pdf; Taiwan: https://www.ppc.go.jp/files/pdf/taiwan_report.pdf; Republic of Singapore: https://www.ppc.go.jp/files/pdf/singapore_report.pdf |
      | Marketo Engage | Adobe Systems Software Ireland Limited | The United States of America, Commonwealth of Australia | The United States of America (Federal): https://www.ppc.go.jp/files/pdf/USA_report.pdf; Commonwealth of Australia: https://www.ppc.go.jp/files/pdf/australia_report.pdf |
      | Qualtrics | Qualtrics, LLC | Commonwealth of Australia | Commonwealth of Australia: https://www.ppc.go.jp/files/pdf/australia_report.pdf |
      | Zendesk | Zendesk, Inc. | The United States of America | The United States of America (Federal): https://www.ppc.go.jp/files/pdf/USA_report.pdf |

      * Under the terms of use, storage is not limited to servers in Japan, and since Google LLC does not specify the location of the servers on which the data is stored, the possible countries are listed in this table.

      * The data stored in the kaonavi service is stored in the data center in the AWS Tokyo Region and not handled on servers located overseas.

      * The data stored in the kaonavi campus online is stored in the SFDC Tokyo Instance data center and not handled on servers located overseas.

  5. Use of Cookies and acquisition of status of use and attribute information of customers

      The company may acquire the status of use and attribute information of customers (limited to information that cannot be used to identify a specific individual through a combination with other such information) using Cookies, Web beacons, or similar technology (hereinafter referred to as “Cookies”) in order to protect the privacy of customers who use the services provided by our company and who use this homepage, improve usability, distribute advertisements and acquire statistical data. The company uses behavior targeted advertising services provided by the following companies through the use of Cookies in order to distribute optimum advertisements to customers. To invalidate these services, it is necessary to access the website of each company and follow the indicated instructions.

      Google LLC
      You may opt out of the advertising from the website below.
      https://www.google.com/intl/ja/policies/technologies/ads/

      Yahoo Japan Corporation
      You may opt out of the advertising from the website below.
      https://btoptout.yahoo.co.jp/optout/index.html

      Meta Platforms, Inc.
      You may opt out of the advertising from the website below.
      https://www.facebook.com/ads/website_custom_audiences

      Adobe Inc.
      You may opt out of the advertising from the website below.
      https://www.adobe.com/jp/privacy/policy.html?id=cookie-policy

      User Local, Inc.
      You may opt out of the advertising from the website below.
      https://ui.userlocal.jp/notice/

      Landscape Co., Ltd.
      You may opt out of the advertising from the website below.
      https://www.landscape.co.jp/privacy/optout.html


      We use Google Analytics for the collection and analysis of access logs on our homepage. Google Analytics uses Cookies sent from this website to the user’s browser to collect the access log of the homepage without information that can be used to identify specific individuals. The access log collected in Google Analytics is managed in accordance with the Privacy Policy of Google. Cookies can be invalidated by changing your browser settings. Also, you can suspend the collection of customer information using Google Analytics by installing Google Analytics Opt-out Add-on and changing your browser add-on settings.
      Google Analytics Terms of Use
      Google Privacy Policy
      Google Analytics Opt-out Add-on

< Point of contact for complaints and consultations regarding personal information >

Company name: kaonavi, Inc.
Personal information protection manager: Division Manager, Corporate Division
Address: Tokyo Toranomon Global Square 15F, 16F, 1-3-1 Toranomon, Minato-ku, Tokyo 105-0001
Please contact us from here with any inquiries concerning personal information.

< Inquiries concerning personal information in relation to the services >

Administrator inquiry form

Revised on: April 1, 2022