newji Platform
Privacy Policy
This Policy sets forth the handling of Personal Information and Business Data
by NEWJI INC.
This is a reference English translation. The Japanese-language version of this document is the sole legally binding text. In the event of any discrepancy or inconsistency between the Japanese and English versions, the Japanese version shall prevail. View the Japanese original.
NEWJI INC. (hereinafter "we" or "the Company") sets forth this Privacy Policy (hereinafter "this Policy") as follows regarding the handling of Personal Information and customer data in connection with the cloud service "newji" (hereinafter "the Service") and the Company's website (hereinafter "the Website") provided by the Company.
Table of Contents
- Definitions
- Collection of Personal Information
- Purposes of Use of Personal Information
- Handling of Business Data
- Data Storage Location
- Transmission of Data to External AI Services
- Cookies and Analytics Tools
- Security Control Measures for Personal Information
- Response to Data Breaches, etc.
- Data Export and Deletion Requests by Customers
- Handling of Data upon Contract Termination
- Entrustment
- Provision to Third Parties
- Personal Information of Minors
- Amendments to this Policy
- Contact
Article 1 (Definitions)
The terms used in this Policy have the following meanings.
- Personal Information — Refers to personal information as defined in the Act on the Protection of Personal Information (APPI), and in this Policy includes names, email addresses, telephone numbers, and other identifying information of Users of the Service (employees of Customer Companies, etc.).
- User — Refers to an individual who holds an account for the Service and uses the Service.
- Customer Company — Refers to a legal entity that has adopted the Service. A Customer Company is the employer or affiliated organization of Users.
- Business Data — Refers to operational data registered or generated by Users or Customer Companies on the Service (item information, trading partner information, quotations, purchase orders, contracts, inventory, attached files, etc.). Business Data may contain trade secrets or confidential business information of a Customer Company.
Article 2 (Collection of Personal Information)
We collect Personal Information of Users in the following ways.
- Account registration and login to the Service
- Inquiry and document request forms on the Website
- Contact through the Service's support channel
- Automatic recording of operation history and access logs associated with use of the Service
Article 3 (Purposes of Use of Personal Information)
We use collected Personal Information for the following purposes, to the minimum extent necessary.
- Provision, operation, and improvement of the Service
- Account management, identity verification, and two-factor authentication
- Detection and prevention of unauthorized access and misuse
- Communication with Users and Customer Companies, and handling of inquiries
- Billing and confirmation of payment of usage fees
- Analysis of Service usage and quality improvement (in the form of statistical information that does not identify individuals)
- Notification regarding new features and related services (unless a request to unsubscribe has been received)
- Response to requests under applicable laws or from government authorities
Article 4 (Handling of Business Data)
The handling of Business Data of Customer Companies is governed by the following principles.
- Respect for Ownership — Ownership of Business Data belongs to the Customer Company. We process Business Data only to the extent necessary for the provision of the Service.
- Prohibition of Use for Other Purposes — We will not use Business Data for purposes other than the provision of the Service. Even when used for statistical, analytical, or research and development purposes, we will not use Business Data in a form that identifies individual Customer Companies.
- Restriction on Provision to Third Parties — We will not provide Business Data to third parties except with the explicit consent of the Customer Company or when required by law.
- Tenant Isolation — Business Data is structurally separated from the data of other companies by company ID (companyId) scope and is designed to be inaccessible to other Customer Companies.
Article 5 (Data Storage Location)
Personal Information and Business Data of customers in the Service are stored in the following locations.
- Storage Location — Within Japan (AWS Tokyo Region ap-northeast-1)
- Principle Prohibition on Cross-Border Transfer — We will not, in principle, transfer customer business data outside of Japan. However, to the extent necessary for the operation of the Service, we use the following overseas subcontractors. Transmission to these subcontractors shall be treated as having obtained consent for provision to a third party in a foreign country pursuant to Article 28 of the APPI, at the time the customer uses the Service having agreed to this Policy and the Terms of Service.
Subcontractor Country Information Transmitted Purpose of Use Legal Framework and Safeguards for Protection of Personal Information Functional Software, Inc. (Sentry) United States Error stack traces, request URLs, and user IDs (email addresses, passwords, and business data content are not transmitted) Error monitoring and incident response for the Service The United States does not have a comprehensive personal information protection law; however, Sentry holds SOC 2 Type II certification and has contractually committed to continuously implementing measures equivalent to the standards set forth in Article 28, paragraph 1 of the APPI. Resend, Inc. (Resend) United States Recipient email addresses, subject lines, body text, and attached files Delivery of notification emails, transactional emails, etc. The United States does not have a comprehensive personal information protection law; however, Resend holds SOC 2 Type II certification and has contractually committed to continuously implementing measures equivalent to the standards set forth in Article 28, paragraph 1 of the APPI. External AI Providers (Anthropic, PBC / OpenAI, LLC / Google LLC) United States Data within the scope set forth in Article 6, paragraph 1 Provision of AI functions Each provider continuously implements security control measures such as SOC 2 Type II certification under the terms of their commercial API agreements. See Article 6 for details. - Response to Changes in Subcontractors — If there are material changes to the name, country of location, or service content of the above subcontractors, we will update this Policy and notify customers.
- Backup — Backup data is also stored within Japan.
- Provision of Information upon Request of Data Subject — If a data subject requests provision of information based on Article 18, paragraph 3 of the Enforcement Rules of the APPI regarding the handling of Personal Information by the above subcontractors, we will respond through the contact channel set forth in Article 15.
Article 6 (Transmission of Data to External AI Services)
The Service uses external AI services (Anthropic Claude / OpenAI GPT / Google Gemini, etc.) for the purpose of improving operational efficiency.
- Data Transmitted — When using AI functions, the minimum necessary operational data (e.g., item information, purchase order data, quotation data, company and user metadata) is transmitted to each AI provider. The scope of transmission is minimized according to the nature of the operation.
- Data Not Transmitted — Passwords, API keys, two-factor authentication secrets, login history, and binary content of attached files are not transmitted.
- Prohibition on Use as Training Data — We operate under commercial API agreement terms with each AI provider whereby data transmitted by us will not be used for training AI models on the provider's side.
- Connection Methods for AI Providers — There are two connection methods for AI functions that coexist.
- Company-Provided — Some AI functions necessary for the basic operation of the Service operate through APIs of external AI providers contracted by us. In this case, data is transmitted to the external AI provider via the API key provided by us.
- Customer-Provided — The majority of AI functions operate by the customer registering their own API key for an external AI provider they have contracted directly with the Service. In this case, data is transmitted to the external AI provider via the customer's API key. The customer's API key is stored by us in encrypted form and will not be accessed by other customers or third parties.
- Disabling AI Functions — Customer Companies may disable all AI functions through the settings in the management console. When AI functions are disabled, no data is transmitted to external AI providers.
- Treatment as Entrustment — Transmission of data to AI providers pursuant to this Article constitutes "entrustment" as defined in Article 27, paragraph 5, item 1 of the APPI and does not constitute provision to third parties.
Article 7 (Cookies and Analytics Tools)
We use cookies and analytics tools on the Website to improve the user experience and understand usage patterns.
- Tools Used — Google Analytics / Google Tag Manager / Meta (Facebook / Instagram) / X / YouTube / LinkedIn
- Information Collected — IP addresses, browser types, pages viewed, time spent, referral URLs, etc. (collected in a form that does not identify individuals)
- Opt-Out — You may refuse to receive cookies through your browser settings. However, some features may become unavailable.
- The Service (after login) — Within the Service screens after login, behavioral tracking by the above external analytics tools does not occur.
Article 8 (Security Control Measures for Personal Information)
We implement the following security control measures to prevent leakage, loss, or damage of Personal Information and Business Data.
- Technical Security Measures
- Encryption of all communications using TLS (HTTPS)
- Encrypted storage of databases and backups
- Provision of two-factor authentication (TOTP / 2FA)
- Rate limiting of login attempts and API usage
- Continuous monitoring of abnormal access and logging
- Role-based access control (RBAC)
- Verification of company ID scope for each endpoint
- Organizational Security Measures
- Regular security training for employees
- Execution of non-disclosure agreements (NDAs) upon hiring and departure
- Minimization of privileged accounts
- Locked storage and secure disposal of confidential documents
- Operational Quality Assurance
- Automated testing, type checking, and full-item checks before release
- Continuous application of vulnerability patches
- Early detection of anomalies through error monitoring
- Log Collection and Retention Period — We collect and retain the following logs for the purposes of detecting unauthorized access, investigating failures, and responding to audits.
After contract termination, logs are handled in accordance with Article 10. Information required to be retained by law is stored for the statutory retention period, anonymized to the extent possible.Log Type Contents Retention Period Authentication Logs Login, logout, API authentication successes/failures, IP addresses, User-Agent 1 year AI Execution Logs AI function execution history, user IDs, providers, token counts, and execution times 1 year (individual records) / 7 years (anonymized aggregate data) Email Transmission Logs Recipient, subject, transmission time, and transmission status 1 year Operation Logs User, subject, and time of important business operations (order finalization, approval, contract execution, etc.) 1 year (as a business record, subject to the statutory retention period under the Companies Act and tax laws) Error Logs Stack traces and request URLs (with Personal Information masked) 90 days
Article 8-2 (Response to Data Breaches, etc.)
If a serious incident related to the security management of Personal Information, including leakage, loss, or damage of Personal Information or any other serious accident (hereinafter "a data breach, etc."), has occurred or is suspected to have occurred, we will respond as follows.
- Internal Escalation — We will escalate to the Company's management and legal personnel within 24 hours of detecting a data breach, etc.
- Report to the Personal Information Protection Commission — If a data breach, etc. falling under Article 26, paragraph 1 of the APPI has occurred, we will report to the Personal Information Protection Commission (PPC) in accordance with the Enforcement Rules of the APPI: an initial report within approximately 3 to 5 days of the occurrence or discovery, and a final report within approximately 30 days (or within 60 days for incidents involving leakage, etc. of special care-required personal information or incidents with a high risk of being caused by unlawful purposes).
- Notification to Data Subjects — If the requirements of paragraph 2 of the same Article are met, we will notify the affected data subjects as promptly as possible of the facts of the data breach, etc., the cause, preventive measures, and other matters. If it is difficult to notify a data subject because their contact information is unknown or for similar reasons, we will take alternative measures such as posting on the Website.
- Determination of Serious Incidents — Serious incidents falling under paragraph 2 of this Article include: leakage, etc. of special care-required personal information; leakage, etc. likely to result in property damage; leakage, etc. with a high risk of being caused by unlawful purposes; and leakage, etc. affecting more than 1,000 data subjects (as specified in each item of Article 7 of the Enforcement Rules of the APPI).
- Method of Notification — Notification to data subjects will, in principle, be made by sending an email to the registered email address, supplemented as necessary by notices within the Service and postings on the Website.
- Recurrence Prevention — In the event of a data breach, etc., we will promptly investigate the cause, identify the scope of impact, consider and implement preventive measures, and notify customers of the results.
- Damages — Regarding liability for damages arising from a data breach, etc. caused by our willful misconduct or gross negligence that directly damages customers or data subjects, Article 13, paragraph 5 of the Terms of Service applies.
Article 9 (Data Export and Deletion Requests by Customers)
- Full Data Export — Administrators of Customer Companies may download all of their own Business Data in CSV format at any time from the management console. The downloadable scope includes items, trading partners, inventory, quotations, purchase orders, contracts, and user information (excluding confidential information such as passwords, API keys, and two-factor authentication secrets).
- Disclosure Request for Personal Information — Users may request disclosure, correction, suspension of use, or deletion of their own Personal Information from the contact set forth at the end of this Policy. Identity verification will be performed upon request.
- Deletion Request for Business Data — Customer Companies may request deletion of Business Data through our designated procedures, whether upon contract termination or during the contract term.
Article 10 (Handling of Data upon Contract Termination)
Upon termination of the contract for the Service, Business Data and Personal Information will be handled in the following manner.
- Retention Period — Business Data and account information will be retained for 30 days from the date of contract termination. This period is for responding to inadvertent operations, restoration requests, and facilitating smooth data handover.
- Physical Deletion — After the 30-day retention period, Business Data and account information will be physically deleted from the production database.
- Deletion from Backups — Data contained in backups will be completely purged upon the next backup rotation (within a maximum of 90 days).
- Retention Required by Law — Information required to be retained by law (transaction records, invoices, etc.) will be retained for the statutory retention period in anonymized form.
- Request for Early Deletion — If a Customer Company requests early deletion prior to contract termination or within the 30-day period, we will respond promptly (deletion from backups is subject to the rotation schedule).
Article 11 (Entrustment)
We may entrust the handling of Personal Information to third-party businesses to the extent necessary to achieve the purposes of use. We require subcontractors to implement security control measures equivalent to or greater than those in this Policy and exercise necessary and appropriate supervision.
- Major Subcontractors and Certification Status (as of publication; this Policy will be updated in case of changes)
Category Subcontractor Country of Location Key Third-Party Certifications Cloud Infrastructure Amazon Web Services Japan G.K. (AWS) Japan (Region: ap-northeast-1) ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3, PCI DSS Email Delivery Resend, Inc. United States SOC 2 Type II Error Monitoring Functional Software, Inc. (Sentry) United States SOC 2 Type II, ISO/IEC 27001 AI Functions (Company-Provided) Anthropic, PBC / OpenAI, LLC / Google LLC (whether used and which provider depends on the Customer Company's settings) United States SOC 2 Type II, etc. under each provider's commercial API terms. See each provider's publicly available information for details. - Supervision of Subcontractors — Based on Article 25 of the APPI, we exercise the following supervision over subcontractors.
- We establish, through a subcontracting agreement or equivalent document, provisions regarding security control measures for the handling of Personal Information, prohibition of use for other purposes, restrictions on sub-subcontracting, and reporting obligations in the event of a data breach, etc.
- We periodically verify the handling of Personal Information by subcontractors based on agreements, terms of service, publicly available materials, and the status of third-party certifications.
- If there are material changes in a subcontractor's certification status or location, we will update this Policy and notify customers as necessary.
- Customer Inquiries Regarding Entrustment Status — For inquiries and audit requests from customers (particularly enterprise contract customers) regarding entrustment status and security control measures, we will respond through the contact channel in Article 15. If a detailed audit or execution of a Data Processing Agreement (DPA) is required, we will coordinate separately.
- Customer Review of Audit Logs — Administrators of customers may view the login history and key operation history of their own users through the Service's management console. Regarding logs on the Service infrastructure side, these may be individually requested through the contact channel in Article 15.
Article 12 (Provision to Third Parties)
We will not provide Personal Information or Business Data to third parties except in the following cases.
- When prior consent has been obtained from the User themselves or the Customer Company
- When required by law
- When necessary for the protection of a person's life, body, or property, and it is difficult to obtain the consent of the data subject
- When especially necessary for the improvement of public health or the sound development of children, and it is difficult to obtain the consent of the data subject
- When it is necessary to cooperate with a national government agency or local public entity, or a person entrusted by them, in performing affairs stipulated by law
In addition, in the event that we undergo a business succession due to a merger, corporate split, business transfer, or other reason, we may transfer Personal Information and Business Data to the successor to the extent within the scope of the purposes of use set forth in this Policy. In such a case, the successor shall bear protective obligations equivalent to or greater than those set forth in this Policy.
Article 13 (Personal Information of Minors)
The Service is intended for use by businesses and is not designed for personal use by minors. If a minor provides Personal Information to the Service, prior consent from a guardian is required.
Article 14 (Amendments to this Policy)
We may amend this Policy as necessary. If there are material changes, we will notify customers in advance on the Service or the Website. If you continue to use the Service after any such amendment, you will be deemed to have agreed to the amended content.
Article 15 (Contact)
For inquiries regarding Personal Information and privacy, please contact us at the following.
Company Name: NEWJI INC.
Address: 1-1-17 Minamidai, Nakano-ku, Tokyo, Japan
Contact Form: https://company.newji.ai/contact/
Revision History
| 2020-04-01 | Initial version |
| 2026-04-01 | Comprehensive revision — Added newji Platform compatibility, external AI data transmission policy, data portability, and account cancellation flow. |
| 2026-04-29 | Amendment to Article 5 (disclosure of overseas subcontractors in table format; explicit indication of consent acquisition scheme pursuant to Article 28 of the APPI) / Addition of Article 8, paragraph 4 (log retention period table) / Establishment of Article 8-2 (response to data breaches, etc.) / Amendment to Article 11 (supervision of subcontractors, status of acquisition of third-party certifications, and response to audit requests) (in compliance with the Ministry of Economy, Trade and Industry "Contract Checklist Regarding the Use and Development of AI" (February 2025)) |