Privacy Policy

The Service collects the following information:

• Account Information: Via Firebase Authentication with Google, we obtain your email address, display name, and profile image URL.
• Payment Information: Information required for subscription payments through Stripe (card details are managed directly by Stripe and are not stored on our servers).
• Subscription Status: The active/inactive state, start date, and cancellation date of your subscription are managed in our database.
• Usage Logs: Access logs, error logs, and learning progress may be recorded to improve the Service.
• Online Identifiers & Personal-Related Information: Cookies, local storage, IP addresses, browser type, device information, referrer URLs, and ad-click information.

Collected information is used for the following purposes:

• Providing, operating, and maintaining the Service
• User authentication and access control
• Processing and managing subscription payments
• Controlling access to course content based on subscription status
• Sending product keys and important notices by email
• Responding to user support requests
• Improving the Service, developing new features, and analyzing usage statistics
• Detecting and preventing fraudulent use, and complying with legal obligations

For users residing in the EU/UK, we process personal data on the following legal bases under Article 6(1) of the GDPR:

• Performance of a contract (Art. 6(1)(b)): Account creation, payment processing, and provision of course content
• Legal obligation (Art. 6(1)(c)): Record-keeping required by tax and accounting laws
• Legitimate interests (Art. 6(1)(f)): Ensuring security, fraud detection, and improving the Service
• Consent (Art. 6(1)(a)): Use of cookies and identifiers for marketing purposes including ad-effectiveness measurement, and certain international transfers of personal data

The Service uses the following third-party services, and information is processed in accordance with each service's privacy policy. Some of these providers are located outside Japan (primarily the United States).

• Firebase Authentication (Google LLC, USA): User authentication
• Stripe (Stripe, Inc., USA): Subscription payment processing (credit card details are managed directly by Stripe)
• Vercel (Vercel Inc., USA): Website hosting
• Supabase (Supabase, Inc., USA): Database and storage management (Tokyo region is used)

None of the above countries have been designated by the Personal Information Protection Commission of Japan as providing a level of personal data protection equivalent to that of Japan, so we provide the required information under the following section on cross-border transfers.

In connection with the use of the third-party services listed in the previous section, users' personal data may be provided to entities located outside Japan (primarily the United States).

• Recipient country: United States
• Personal data protection regime in the recipient country: The United States does not have a comprehensive federal law equivalent to Japan's APPI; it is regulated by state laws (such as the California Consumer Privacy Act) and sector-specific federal laws. For the latest overview, please refer to the public materials of the Personal Information Protection Commission of Japan (https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/).
• Measures taken by recipients: Each provider complies with international security standards such as SOC 2 and ISO/IEC 27001, implementing safeguards such as encryption, access controls, and audit logs.

For transfers of EU/UK residents' personal data to Japan, we rely on adequacy decisions by the European Commission or the UK Government, or on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA). For details, please contact us using the contact information below.

For the purpose of measuring advertising effectiveness, the Service may obtain information about advertisements clicked before visiting the Service (such as click date and the site where the advertisement was displayed) from tools operated by third parties, and match such information with order details.

Use of cookies and identifiers for marketing purposes beyond what is necessary for ad-effectiveness measurement is carried out only to the extent that user consent has been obtained. Consent can be withdrawn at any time, and cookies can also be disabled via browser settings.

Collected personal information is stored on servers with appropriate security measures for the longer of the period necessary to achieve the purpose of use or the period required by law.

• Account information: Deleted in principle within 90 days of account deletion or withdrawal.
• Payment and subscription information: Retained for seven years from the date of the last transaction in accordance with tax and accounting laws.
• Access logs and error logs: Deleted or anonymized in principle within one year of collection.

To prevent unauthorized access, loss, destruction, alteration, and leakage, we implement SSL/TLS for all communications, encrypted storage, access controls based on the principle of least privilege, and periodic vulnerability assessments. Credit card information is not stored on our servers and is securely managed by PCI DSS-compliant Stripe.

We will not provide personal information to third parties without the user's consent, except in the following cases:

• When required by law
• When necessary to protect the life, body, or property of a person
• When specifically necessary to improve public health or promote the sound upbringing of children
• When cooperation with a national or local government agency (or a person entrusted by them) is required for the performance of statutory duties
• In connection with outsourcing, business succession, or joint use within the scope permitted by Article 27(5) of the APPI

The Service uses cookies and similar technologies (local storage, SDK-based identifier transmission) to maintain authentication, manage sessions, analyze usage, and measure advertising effectiveness.

The following is an overview of externally transmitted information, provided pursuant to Article 27-12 of the Japanese Telecommunications Business Act:

• Firebase Authentication (Google LLC): Authentication tokens, user ID, language settings. Sent to maintain authentication state.
• Stripe (Stripe, Inc.): Payment session ID, browser information. Sent for secure payment processing.
• Vercel Analytics (Vercel Inc.): Access URL, referrer, browser type, country. Sent as anonymized statistical information to improve the Service.
• A8.net (Fan Communications, Inc.): Order identifier, amount, currency, timestamp. Sent only upon conversion for affiliate tracking purposes.

Consent Model for Cookies (Region-Based)

Our approach to cookie consent depends on the user's region of residence and applicable law:

• Users residing in the EU/EEA, the UK, or Switzerland: In accordance with the GDPR, UK-GDPR, and the Swiss Federal Act on Data Protection (FADP), non-essential cookies (analytics, advertising effectiveness measurement) are sent only after prior explicit consent (opt-in). Until you select “Accept all” or customize your preferences through the cookie consent banner, such cookies will not be transmitted.
• Users residing in Japan or other regions: We adopt a notice model (opt-out) in accordance with Article 27-12 of the Japanese Telecommunications Business Act (rules on external transmission). Cookies are transmitted after notice through this Policy and the notice bar at the bottom of the screen. You may opt out at any time via the cookie settings panel.
• Where the region of residence cannot be determined, the notice model (opt-out) applies.

Cookies can be disabled in your browser settings, but some features of the Service (such as persistent login and payments) may become unavailable.

Users have the following rights under the APPI:

• The right to request notification of the purpose of use of retained personal data
• The right to request disclosure, correction, addition, or deletion of retained personal data
• The right to request suspension of use, erasure, or cessation of third-party provision
• The right to request disclosure of records of third-party provision
• The right to cancel the subscription at any time
• The right to request account deletion

To exercise the above rights, please contact us using the contact information below. We will respond within the period specified by law after verifying your identity.

Users residing in the EU/EEA or the UK have the following additional rights under the GDPR:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16)
• Right to erasure / right to be forgotten (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right not to be subject to automated decision-making including profiling (Art. 22)
• Right to withdraw consent at any time for processing based on consent

Where users believe our processing violates applicable law, they have the right to lodge a complaint with their local supervisory authority (such as the Irish Data Protection Commission or the UK Information Commissioner's Office (ICO)). We have not currently appointed an EU representative under Article 27 GDPR; inquiries from EU/UK residents can be directed to the contact information below.

The content of this Policy may be revised in response to changes in laws or the Service. When significant changes are made, we will provide advance notice on the Service. The revised Policy takes effect when posted on this page.

• Business name: AI Brain Partners Inc.
• Address: Miyamasu-zaka Building 609, 2-19-15 Shibuya, Shibuya-ku, Tokyo 150-0002, Japan
• Representative: Kohei Nakamura
• Personal Information Protection Manager: Kohei Nakamura
• Contact form: https://form.run/@aiagent-camp