This is a translation of the Japanese original, which remains the authoritative version. The service is governed by Japanese law (the Act on the Protection of Personal Information). The Japanese version controls in case of any discrepancy.
KOIYAL Inc. ("we," "us," or "the Company") regards the protection of personal information and data of users of its AI survey creation and analysis service "Repoan" ("the Service") as a top priority. We comply with the Act on the Protection of Personal Information ("the APPI") and other applicable laws of Japan, and establish the following Privacy Policy ("this Policy").
Article 1 (Definition of personal information)
In this Policy, "personal information" refers to personal information as defined in the APPI — information about a living individual that can identify the specific individual by name, email address, or other descriptions, and information containing an individual identification code. The terms "personal-related information," "pseudonymously processed information," "anonymously processed information," and "special-care-required personal information" used in this Policy each have the meanings given to them by the APPI.
Article 2 (Information we collect)
In providing the Service, we collect the following information.
2-1. Account information
- Name, email address, profile picture (when using Google sign-in)
- Group (organization) information
- Sign-in credentials (we use Clerk as our identity provider)
2-2. Payment information
- Subscription status, billing history
- Credit card information is processed directly by Stripe, Inc. and is never stored on our servers.
2-3. Survey-related data
- Questions and settings of surveys created by users
- Response data collected from respondents (raw data)
- AI-generated analysis results and reports
2-4. Service usage data
- IP address, browser information, access logs
- Service usage patterns (operation logs, feature usage frequency, etc.)
2-5. External integration data
- OAuth tokens required for integrations with external services such as Google Calendar
- Webhook destination URLs, API keys, and other integration settings
Article 3 (Purposes of use)
We use the information we collect for the following purposes.
- Providing, operating, maintaining, and improving the Service
- Verifying user identity and managing user accounts
- Billing and payment processing
- Supporting survey creation; collecting, storing, and aggregating response data
- AI-driven analysis of survey responses and automated report generation
- Sending event notifications to webhooks configured by users
- Providing and operating embedded forms (iframe and JS widgets)
- Responding to user inquiries and requests
- Sending important service notifications (terms changes, maintenance, etc.)
- Detecting and preventing fraud and ensuring security
- Analyzing service usage and generating statistical data (in a non-identifiable form)
Article 4 (AI data processing and zero-retention policy)
The Service uses AI for survey creation support, response analysis, and report generation. We strictly apply the following policies to AI data processing.
- Zero retention: Data sent to AI models (survey questions, response data, etc.) is not retained by the AI provider after processing is complete. We have contractual agreements with AI providers that prohibit the use of data for training.
- No use for AI training: User survey data and response data are never used to train AI models.
- Scope of data sent: Data sent to AI is limited to the minimum necessary for the processing requested by the user (question generation, response analysis, etc.).
- AI providers used: Google LLC (Gemini), Anthropic, PBC (Claude). We will update this Policy if providers change.
Article 5 (Storage and management of response data)
Survey response data (raw data) submitted by respondents is stored in our database (Cloudflare D1).
- Data storage: Response data is stored linked to the survey ID so that survey creators can view, analyze, and export it (e.g., as CSV). The retention period is until the user deletes the data or until the purpose of use is achieved.
- Time-series analysis: Stored historical response data is used for comparative analysis and trend analysis at the user's request.
- Data ownership: Ownership of response data belongs to the user (or the group they belong to) who created the survey. We do not use response data for secondary purposes without the user's permission.
- Right to export: Users have the right to export response data for their surveys at any time in CSV or similar formats.
Article 6 (Data deletion and lifecycle management)
To prevent the "shadow data" problem of unnecessary residual data, we implement the following data lifecycle management.
6-1. Soft delete
When a user deletes a survey, response data, report, etc., we do not immediately perform physical deletion. We record the deletion timestamp and hide the item from the UI. During this period, the user can request restoration from the admin screen.
6-2. Hard delete
Data that has been in soft-delete state for 30 days is automatically and permanently deleted by a batch process, becoming unrecoverable. Database records and related stored files (images, PDFs, etc.) are all erased.
6-3. Data handling on account closure
When a user closes (deletes) their account, all data associated with that account (surveys, responses, reports, integration settings, etc.) is soft-deleted and hard-deleted 30 days later.
6-4. Retention period for access logs
Access logs such as IP addresses and operation logs are kept for up to 12 months for fraud detection and security purposes, and then deleted on a rolling basis.
Article 7 (Provision to third parties)
We do not provide personal information to third parties without the user's consent, except in the following cases.
- When required by law (court orders, requests from investigative authorities, etc.)
- When necessary to protect the life, body, or property of a person and it is difficult to obtain the consent of the individual
- When particularly necessary for improving public health or promoting the sound growth of children and it is difficult to obtain the consent of the individual
- When cooperation with national or local government bodies (or those commissioned by them) is necessary to carry out legally prescribed duties
- When disclosure to subcontractors is necessary within the scope required to provide the Service (see next article)
- When personal information is transferred due to business succession such as mergers or business transfers
Article 8 (Provision to third parties located abroad and subcontracting)
In providing the Service, we entrust the handling of personal data to the following businesses located abroad. The personal data protection systems in the countries where each business is located and the measures taken by each business to protect personal information are as follows.
| Subcontractor | Country | Service entrusted | Protection measures |
| --- | --- | --- | --- |
| Clerk, Inc. | United States | Identity provider (sign-in management, user identification) | SOC 2 Type II certified. DPA in place compliant with GDPR / CCPA. |
| Stripe, Inc. | United States | Payment processing (credit card information is handled directly by Stripe) | PCI DSS Level 1 certified. GDPR / CCPA compliant. |
| Cloudflare, Inc. | United States (data centers located worldwide) | Infrastructure, database (D1), object storage (R2), CDN, WAF, email delivery | ISO 27001 / SOC 2 Type II certified. DPA in place compliant with GDPR / CCPA. Cross-border transfer measures based on EU Standard Contractual Clauses (SCC). |
| Google LLC | United States | AI processing (Gemini), Google Calendar API, Google sign-in, Google Tag Manager, Google Analytics 4, Google Ads | ISO 27001 / SOC 2 / SOC 3 certified. DPA in place compliant with GDPR / CCPA. Compliant with Google API Services User Data Policy (including Limited Use requirements). |
| Anthropic, PBC | United States | AI processing (Claude) | SOC 2 Type II certified. Use of data for training is prohibited under a zero-retention contract. |
Note on the personal data protection system in the United States: The United States does not have a comprehensive federal law equivalent to Japan's APPI. Personal information is regulated by sector-specific federal laws (HIPAA, GLBA, etc.) and state laws (such as the California CCPA / CPRA). We have entered into contracts (DPAs, etc.) with the above subcontractors regarding the appropriate handling of personal data and ensure safe management. For details, please refer to the country-by-country materials published by Japan's Personal Information Protection Commission.
Article 9 (Handling of data in Google Calendar integration)
The Service uses the Google Calendar API for its scheduling feature. We define the handling of Google user data as follows.
9-1. Scope of data accessed
- calendar.readonly: Via the FreeBusy API, we retrieve only free/busy status. We do not access event details such as titles, attendees, or locations.
- calendar.events: When a respondent books a time slot, a calendar event is created.
9-2. Purpose of data use
Data obtained from Google Calendar is used only for the following purposes.
- Checking the form creator's availability and presenting selectable time slots to respondents
- Creating a calendar event when a respondent confirms a booking
9-3. Data storage
Availability data obtained from the FreeBusy API is processed in real time and not stored on our servers. OAuth access tokens and refresh tokens are stored encrypted only for as long as needed to maintain the calendar integration.
9-4. Data sharing and transfer
Data obtained from Google Calendar is not provided to, sold to, or transferred to third parties. It is not used for advertising, sold to data brokers, used for creditworthiness decisions, or used for training AI models.
9-5. Disconnecting the integration
Users can disconnect their Google Calendar integration from the Service's settings screen at any time. Stored OAuth tokens are immediately deleted upon disconnection.
The Service's use of Google user data complies with the Google API Services User Data Policy (including Limited Use requirements).
Article 10 (Handling of data in external integrations and embedding)
10-1. Embedded forms (iframe and JS widgets)
When users embed a survey form on an external website, response data collected through that form is managed by us in accordance with this Policy. The operator of the embedding website is responsible for appropriately notifying respondents that data collection under this Policy is taking place.
10-2. API and webhook integrations
When a user sends data to an external system via the API or webhooks, the user is responsible for the handling of personal information at the destination. We treat data transmission to webhook URLs configured by the user as processing performed at the user's instruction.
10-3. Shared report URLs
When a user issues a view-only shared URL for an analysis report, any third party who knows the URL can view the report. The user is responsible for managing the shared URL and choosing whom to share it with.
10-4. Use of external CDNs
The Service uses external CDNs such as cdn.tailwindcss.com, cdn.jsdelivr.net (FontAwesome), and cdnjs.cloudflare.com to render its UI. When connecting to these CDNs, IP addresses and browser information may be transmitted to the respective CDN operators.
Article 11 (Handling of data for guest access)
When a user invites a guest to a specific survey (granting view permissions), the guest's account information (such as their email address) is collected and retained as part of the inviting user's survey management. This Policy applies equally to guest users.
Article 12 (Cookies, analytics, and ad measurement)
12-1. Cookies and similar technologies we use
The Service uses cookies, local storage, device identifiers, and similar technologies for the following purposes.
- Essential cookies: Maintaining the sign-in session, CSRF protection, retaining UI state
- Analytics cookies: Analyzing usage with Google Analytics 4 (page views, time on site, feature usage frequency, etc.)
- Measurement tags: Ad performance measurement via Google Tag Manager (Google Ads conversion tracking, etc.)
12-2. How to opt out
- You can refuse cookies through your browser settings, but this may cause functional limitations such as inability to maintain the sign-in session.
- To opt out of Google Analytics, you can use the Google Analytics Opt-out Browser Add-on.
- You can disable Google ad personalization from Google Ad Settings.
Article 13 (Handling of personal-related information)
We collect personal-related information such as cookies, device identifiers, behavioral history, and IP addresses, and handle it within the scope of the purposes of use set out in Article 3. Where such personal-related information is expected to be acquired as personal data by the recipient (e.g., via ad measurement tags to Google Ads or similar), we treat consent to this Policy as the individual's consent for such transfer, in accordance with Article 31 of the APPI. Continued use of the Service is deemed consent to this provision.
Article 14 (Handling of special-care-required personal information)
- As a general rule, we do not collect special-care-required personal information — information whose handling requires special care to prevent unjust discrimination, prejudice, or other disadvantages to the individual, such as race, creed, social status, medical history, criminal record, or facts of being harmed by a crime.
- If a user collects special-care-required personal information from respondents through their survey design, the user is responsible for obtaining individual consent from respondents. We process such data at the user's direction, but the user is responsible for the lawfulness of such data collection.
Article 15 (Personal information of minors)
- Account registration for the Service is, in principle, intended for individuals aged 18 or older. Minors who use the Service must do so with the consent of a parent or other legal guardian.
- If a user collects personal information from minors through a survey, the user is responsible for obtaining the necessary consent in accordance with applicable law.
- If we become aware that personal information has clearly been obtained from a minor without consent, we will promptly delete that information.
Article 16 (Requests regarding retained personal data)
- Users may make the following requests regarding their own retained personal data held by us:
  - Notice of purpose of use
  - Disclosure (including provision in electronic form)
  - Correction, addition, or deletion
  - Suspension of use, erasure, or suspension of provision to third parties
  - Disclosure of records of provision to third parties
- How to request: Please send your request by email or in writing to the contact point in Article 21. We may require documentation to verify that you are the individual or an authorized legal representative.
- Response timeline: After identity verification is complete, we will respond in writing or electronic form, in principle within 30 days.
- Fees: A fee of 1,000 yen (tax included) per request applies to requests for notice of purpose of use and to disclosure requests. Other requests are free of charge.
- Grounds for non-disclosure: We may be unable to comply with disclosure requests under the APPI or other laws. In such cases, we will notify you of the fact and the reason without undue delay.
- You can delete your account at any time from the account settings screen. Data handling after deletion follows Article 6. For disconnecting the Google Calendar integration, see Article 9.
Article 17 (Safety management measures)
To prevent leakage, damage, or loss of personal information, we have implemented the following safety management measures.
17-1. Organizational measures
- Designation of a person responsible for handling personal information and maintenance of internal handling rules
- Periodic checks and audits of how personal information is handled
17-2. Human measures
- Training and education of employees on the appropriate handling of personal information
- Thorough communication of confidentiality obligations
17-3. Physical measures
- Restrictions on access rights to information systems that handle personal information
- Measures to prevent theft or loss of equipment and devices
17-4. Technical measures
- Encryption of communications (TLS/SSL)
- Access control and authentication management for databases
- Application of security headers (CSP, X-Frame-Options, etc.)
- Non-retention of payment data (delegated to PCI DSS-compliant Stripe)
- Detection and prevention of unauthorized access (rate limiting, WAF, etc.)
17-5. Awareness of the external environment
As described in Article 8, we entrust the handling of personal data to businesses located in the United States. We are aware of the personal data protection system in that country (lack of a comprehensive federal law, the existence of state laws, government access regimes, etc.), and we ensure the safe management of personal data through contracts and technical measures.
Article 18 (Response in the event of a leak or similar incident)
- If a leakage, loss, damage, or other incident affecting the security of personal data ("leakage etc.") occurs, we will promptly take the necessary measures to minimize the harm.
- In the case of a leakage etc. that meets the requirements of the APPI Enforcement Regulations, we will report to the Personal Information Protection Commission and notify the affected individuals within the periods prescribed by law.
- If notification to the individuals is difficult, we will take alternative measures such as public disclosure on our website.
Article 19 (Data storage location)
Data for the Service is stored and processed on the global infrastructure operated by Cloudflare, Inc. (Cloudflare D1 database, Cloudflare R2 object storage, etc.). Given the nature of Cloudflare's architecture, data center locations span multiple regions worldwide, and data is processed at the most appropriate data center based on the geographic location of the user or respondent. For details on Cloudflare's data handling, see the Cloudflare Trust Hub.
Article 20 (Changes to this Policy)
- We may change this Policy due to amendments to laws, changes in service content, or other reasons.
- Minor changes take effect when the revised Policy is posted on this page.
- For changes that materially affect users' rights, we will notify users at least 30 days before the effective date by email to the registered email address or by an announcement within the Service.
Article 21 (Complaints and contact)
For inquiries about this Policy, requests for disclosure, or to file a complaint, please contact us at:
KOIYAL Inc.
Representative Director: Yoshihiro Arakawa
Address: 7-1098-1 Hommachidori, Chuo-ku, Niigata-shi, Niigata 951-8067, Japan
Personal information inquiries: contact@koiyal.com
If your inquiry about our handling of personal information cannot be resolved with us, you may also consult Japan's Personal Information Protection Commission.
Personal Information Protection Commission
APPI inquiry line: +81 3-6457-9849 (weekdays 9:30 to 17:30 JST)
Website: https://www.ppc.go.jp/en/
Established: March 24, 2026
Last updated: May 9, 2026
Effective date: May 9, 2026