KANATA Privacy Policy
1. Introduction
Third Scope Asia PTE. LTD. (the "Company") is committed to protecting your personal information. This Privacy Policy (the "Policy") describes how the Company collects, uses, discloses, protects, and retains personal information in connection with the use of our service "KANATA" (the "Service"). Legal and privacy matters under this Policy are jointly administered with the Company's parent, ThirdScope Co., Ltd. (a Japanese corporation).
This Policy is primarily based on the Act on the Protection of Personal Information of Japan (the "APPI"). The Service is available to users worldwide, and this Policy is also designed to comply with the personal information and data protection laws of the jurisdictions in which our users reside, including the European Economic Area, the United Kingdom, and the United States.
This Policy forms an integral part of the KANATA Terms of Service (the "Terms"). Capitalized terms not defined in this Policy shall have the meanings ascribed to them in the Terms.
2. Personal Information Protection Manager
In accordance with the APPI, the Company has appointed a Personal Information Protection Manager. For inquiries, complaints, or any requests concerning the handling of personal information, please contact:
Email: ga@third-scope.com
Mailing Address: ThirdScope Co., Ltd.
Japan, Postal Code 150-0002
3F Aoyama SI Building, 1-1-11 Shibuya, Shibuya-ku, Tokyo
Personal Information Protection Manager: Toshiki Aburatani
3. International Contacts and Offices
UK Contact: https://eu.third-scope.com/inc-cnt/
Email: info.eu@third-scope.com
4. Personal Information We Collect
In providing the Service, the Company may collect the following categories of personal information. For users residing in the United States, the corresponding categories under U.S. state laws are also indicated.
| Category | Examples | U.S. State Law Category | Purpose of Use |
|---|---|---|---|
| Account Information | Name, email address, company name, job title, phone number, password (hashed) | Identifiers, Professional Information | Service provision, authentication, support |
| Usage Information | Login history, feature usage, content creation history | Internet Activity | Service provision, improvement |
| Technical Information | IP address, browser type, OS, device identifiers, time zone, language settings | Identifiers, Internet Activity, Geolocation (approximate) | Service provision, security |
| Payment Information | Billing information, transaction history (credit card numbers are managed by payment processors) | Commercial Information | Billing, payment processing |
| Content Data | Text, video, images, and other content uploaded by users | Internet Activity | Service provision (AI content generation) |
| Communications | Support inquiry content, survey responses | Identifiers | Customer support, improvement |
| Cookie Data | Session cookies, analytics cookies, and similar technologies | Internet Activity | Service provision, analytics |
| Inference Information | Preference profiles derived from usage patterns | Inferences | Service improvement |
The Company will not collect special-care personal information as defined under the APPI without the prior consent of the data subject (except where permitted by law). The Company does not collect or process, in connection with the Service, special-care personal information under the APPI or special categories of personal data under Article 9 of the GDPR or Article 9 of the UK GDPR (information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, or sexual orientation; collectively, "Sensitive Information"). Users shall not provide Sensitive Information to the Company through input, upload, or any other means in the Service. If a user provides Sensitive Information, the Company will not actively use such information for the purpose of providing the Service, and will take appropriate measures, including deletion, in accordance with applicable laws and the Terms.
5. Legal Basis for Processing
5.1 All Users
Pursuant to the APPI, the Company specifies the purposes of use for personal information (Article 6) and does not handle personal information beyond the scope necessary to achieve those purposes, except as permitted under exceptions provided by the APPI or by the personal information / data protection laws of each applicable jurisdiction. Consent is obtained at the time of registration for the Service. For requests to suspend use or third-party provision, please refer to Section 13.
5.2 European Economic Area and the United Kingdom
For users residing in the EEA and the United Kingdom, we process personal data on the following legal bases.
| Processing Purpose | Legal Basis |
|---|---|
| Service provision and account management | Performance of a contract |
| Billing and payment processing | Performance of a contract |
| Security and fraud prevention | Legitimate interests |
| Service improvement and analytics | Legitimate interests |
| Legal and regulatory compliance | Legal obligation |
| Marketing communications | Consent |
| AI content generation | Performance of a contract / Consent |
For processing based on legitimate interests, the Company conducts balancing tests to confirm that the rights and freedoms of users are not unduly affected.
5.3 United States
Under U.S. state privacy laws, the Company acts as a "business" or "controller" when processing your personal information in connection with the Service. When processing personal information on behalf of corporate users, the Company acts as a "service provider" or "processor".
6. Purposes of Use of Personal Information
The Company uses personal information for the following purposes:
- To provide, operate, and maintain the Service (including account creation, identity verification, and customer support)
- To process billing and payments
- To improve the Service, develop new features, and enhance quality (including analysis of usage patterns)
- To ensure security and to prevent and detect misuse
- To comply with applicable laws and regulatory requirements
- To send notifications and updates regarding the Service
The Company will not use personal information beyond the scope necessary to achieve the purposes set forth above (data minimization principle).
7. Consent and Withdrawal of Consent
The Company obtains your consent to this Policy at the time of registration for the Service. For matters that require separate consent under the APPI (such as third-party provision and the handling of special-care personal information), the Company will obtain consent on a case-by-case basis.
You may withdraw your consent at any time through the contact in Section 2 or via the "Privacy Settings" page within the Service. Please note that withdrawing your consent may render the Company unable to provide all or part of the Service.
8. Third-Party Provision
The Company may provide personal information to third parties only in the following cases:
- Service providers (entrusted parties): cloud hosting, payment processors, analytics providers, and AI service providers. Under the APPI, these arrangements constitute entrustment of handling and do not constitute "third-party provision."
- Where required by law: when required by law or in response to lawful requests from courts, regulatory authorities, or law enforcement
- Business succession: in connection with a merger, acquisition, or business transfer
- With your consent: where prior consent has been obtained
The Company enters into agreements with entrusted parties that obligate them to implement appropriate safeguards in accordance with applicable laws.
9. Sale and Sharing of Personal Information
The Company does not sell your personal information. The Company also does not provide personal information to third parties for the purpose of cross-context behavioral advertising.
The Company will not process sensitive personal information without your consent beyond what is necessary to provide the Service. If this practice changes in the future, the Company will update this Policy and provide the necessary opt-out mechanisms.
10. Cross-Border Data Transfers
Because the Service is provided globally, personal information may be transferred outside Japan. Depending on the jurisdiction, the Company applies the following safeguards:
- Japan: Under the APPI, when providing personal data to third parties located outside Japan, the Company will obtain prior consent from the data subject, confirm that the recipient has implemented measures meeting the standards prescribed by the rules of the Personal Information Protection Commission, or confirm that the recipient is located in a country recognized as having an equivalent level of protection.
- EEA and UK: For personal data of EEA and UK users, the Company implements Standard Contractual Clauses or other appropriate safeguards.
- Other jurisdictions: The Company enters into data processing agreements or other legally binding instruments to ensure an appropriate level of protection.
11. Data Security
In accordance with the safeguards required under the APPI (organizational, personnel, physical, and technical measures), the Company implements security measures including the following:
- Data encryption in transit (TLS/SSL) and at rest
- Access control and authentication management
- Regular security assessments and audits
- Employee training and education on personal information protection
No method of transmission over the Internet or method of electronic storage is completely secure, and absolute security cannot be guaranteed.
12. Data Retention
The Company retains personal information for the period necessary to achieve the purposes of collection or for the period required by law. Following termination of the service contract, the Company will delete or anonymize user data within 30 days in accordance with Article 9 of the Terms (except where retention is required by law).
13. Your Rights
You may exercise the following rights with respect to your personal information. The application of each right depends on the law applicable to your place of residence.
| Right | Description | All Users | EEA / UK | U.S. |
|---|---|---|---|---|
| Disclosure / Access | Request disclosure of personal information held by the Company | ✓ | ✓ | ✓ |
| Correction | Request correction of inaccurate personal information | ✓ | ✓ | ✓ * |
| Suspension of Use / Deletion | Request suspension of use or deletion of personal information | ✓ | ✓ | ✓ |
| Suspension of Third-Party Provision | Request suspension of provision of personal data to third parties | ✓ | — | — |
| Notification of Purpose of Use | Request notification of the purpose of use of personal information | ✓ | — | — |
| Data Portability | Receive data in a portable, machine-readable format | ✓ ** | ✓ | ✓ |
| Restriction of Processing | Request restriction of processing under certain conditions | — | ✓ | — |
| Objection to Processing | Object to processing based on legitimate interests | — | ✓ | — |
| Opt-out of Sale / Sharing | Opt out of the sale or sharing of personal information (the Company does not currently sell or share) | — | — | ✓ |
| Opt-out of Targeted Advertising | Opt out of targeted advertising (the Company does not engage in targeted advertising) | — | — | ✓ |
| Opt-out of Profiling | Opt out of automated decision-making with legal or similarly significant effects | — | ✓ | ✓ |
| Non-discrimination | The right not to receive discriminatory treatment for exercising rights | — | — | ✓ |
| Complaint to Supervisory Authority | Lodge a complaint with a data protection authority | ✓ | ✓ | ✓ *** |
* May not be available in all U.S. states. ** Disclosure in electronic record format is available under the APPI. *** Filed through the State Attorney General.
13.1 How to Exercise Your Rights
- Email: ga@third-scope.com
- Web form: via the "Privacy Settings" page within the Service
The Company will process your request after verifying your identity. The Company will respond within 30 days.
Under the personal information protection laws of certain jurisdictions, fees may be charged for disclosure requests. The amount will be communicated at the time of the request. U.S. users may submit requests through an authorized agent.
13.2 Supervisory Authorities
If you are not satisfied with the Company's response, you may lodge a complaint with the following supervisory authorities:
- Japan: Personal Information Protection Commission (PPC) — https://www.ppc.go.jp
- EEA: The data protection supervisory authority of your member state — https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK: Information Commissioner's Office (ICO) — https://ico.org.uk
- U.S.: The Attorney General's Office of your state
14. Universal Opt-Out Mechanisms
The Company recognizes and respects browser-based universal opt-out mechanism signals, including the Global Privacy Control (GPC). Where you access the Service from a browser or device that transmits such signals, the Company will treat them as valid opt-out requests in accordance with applicable laws.
15. Cookies and Tracking Technologies
The Service uses cookies and similar technologies. For details, please refer to our Cookie Policy. For users in the EEA and the UK, the Company obtains consent through a cookie consent banner before placing non-essential cookies.
16. Generative AI — Special Provisions
KANATA AI uses generative AI technology to create content. The following provisions apply:
- Text input and content uploaded by users may be transmitted to third-party AI service providers for the purpose of content generation
- The Company does not use user input data for training AI models
- Users shall not include in inputs or uploads to the Service any Sensitive Information (special-care personal information and special categories of personal data) as defined in Section 4. The Service is not intended to process Sensitive Information; if a user inputs such information, the Company will not actively use such information for the purpose of providing the Service, and will take appropriate measures, including deletion, in accordance with applicable laws. Users should also avoid inputting personal information that is not necessary for business purposes. Where a corporate user inputs personal information of its employees or related parties, that corporate user shall be responsible for providing appropriate notice to and securing a legal basis with respect to such data subjects.
For users in the EEA and the UK, the legal basis for this processing is performance of a contract or consent. Under the APPI, this processing falls within the purposes of use specified in Section 6.
17. Children's Privacy
The Service is primarily intended for business use and is not directed to children.
- Under 13: The Company does not knowingly collect personal information from children under the age of 13. If the Company becomes aware that such information has been collected, it will be promptly deleted in accordance with applicable laws.
- Under 16: The Company will not sell or share personal information of minors under the age of 16 in accordance with applicable laws.
18. Data Protection Impact Assessments
The Company conducts data protection impact assessments for processing activities that may pose a high risk to the rights and freedoms of individuals (including the generative AI content processing features). The results of such assessments will be provided upon request from the relevant supervisory authority.
19. Data Breach Response
In the event of a data breach, the Company will promptly assess the scope and impact of the breach and submit a confirmed report to the competent supervisory authority within 72 hours of becoming aware of the breach. Where the risk to the rights and freedoms of individuals is high, notification to affected individuals will be made without undue delay.
Where a breach may pose a risk to the rights and freedoms of individuals, the Company will notify the competent supervisory authority within the period prescribed by the applicable laws of your place of residence and will take measures to contain the breach and prevent recurrence.
20. Financial Incentives
The Company does not offer any financial incentive program in connection with the collection, retention, sale, or sharing of personal information.
21. Changes to This Policy
The Company may update this Policy from time to time. Updated policies will be published on our website. For material changes, the Company will notify users by email or in-app notice. Where a material change requires a new legal basis, the Company will obtain consent before such change takes effect.
22. Complaints and Inquiries
If you have any questions, complaints, or concerns regarding this Policy, please contact us via the contact in Section 2. If you are not satisfied with the Company's response, you may lodge a complaint with the relevant supervisory authority (Section 13.2).
23. Governing Law
This Policy is governed by the laws of Japan. Any dispute arising from or related to this Policy shall be resolved in accordance with Article 29 of the Terms. This governing law provision does not limit your rights under any mandatory data protection laws applicable in your place of residence.
Last updated: May 7, 2026 | Effective: May 7, 2026