GDPR Privacy Policy

1.Our Privacy Statement

The protection of your personal data is of great importance to TANSEISHA Co., Ltd. (“Company”). This GDPR Privacy Policy (the “Privacy Policy”) therefore intends to inform you about how the Company entities, acting as data controller, collect and process your personal data that you submit or disclose to us. We also act as data controller when we process your personal data received or obtained through third-parties. We process this personal data in accordance with the applicable EU and Member State regulations on data protection, in particular, the General Data Protection Regulation No 2016/679 (the “GDPR”).
This GDPR privacy policy, in addition to the “TANSEISHA privacy policy”, explains in particular the policy concerning the EU General Data Protection Regulations.
We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such a case, we may not be able to provide you with our services, you may not have access to and/or be able to use some features of the Website, and your customer experience may be impacted.

2. How Do We Use Your Personal Data?

We will always process your personal data based on one of the legal bases provided for in the GDPR (Articles 6 and 7).
We may collect and process your personal data for the purposes detailed below, which are required so that we can pursue our legitimate interests and provide you with adequate services and products.

2.1. Personal Data will not be used for purposes other than those described in this Privacy and Cookie Policy. We use Personal Data obtained through the Website and App only for the purposes mentioned below. We shall always obtain explicit consent from individuals in advance before collecting their Personal Data in connection with the purposes stated below.
(a) Making our Services available and the execution of related Services.
(b) Product sales and product management.
(c) Improving our Services, such as customer support.
(d) Communications and notifications regarding our products and Services.
(e) Conducting market research, such as questionnaires and surveys.
(f) Market analysis to develop and improve our products and Services.
(g) Creating statistical reports.
(h) Processing to anonymously processed information.

2.2. Purpose of data collection
Your Personal Data will be Processed for the following purposes by the Company.
(a) It will be used for marketing purposes.
(b) In order to help with the strategic development of the Services.
(c) To understand how our Website and App are being used.

2.3. Marketing and Communication
(a) As an integral part of the Services We provide, THE TOKYO PASS may occasionally send messages you may find useful via e-mail or through the App containing informational offers, promotions, discounts, events, new services, information about related activities or attractions, and location-based information. Such communications may also be sent by SMS, WhatsApp, and any other available method or technology.
(b) These communications may include new or related Services We wish to send you from our third-party affiliate companies. If they contact you, we are not responsible for any agreements between you and them, and any Personal Data you provide is subject to that third-party affiliate company’s respective privacy policy.
(c) We have partnered with a number of third-party companies and organizations, such as ticket suppliers and attractions. We may share your Personal Data with them. Your Personal Data, including but not limited to your name, e-mail address, and phone number, is used to confirm or change your reservation with them.
(d) If you book an admission ticket through one of our business partners, they may obtain and use your Personal Data. In such cases, your information will fall under the privacy policy of that respective business partner.

We will process your data for these specified, explicit, and legitimate purposes, and will not further process the data in a way that is incompatible with these purposes. We will keep your Personal Data for as long as it is necessary for us to comply with our legal obligations, to ensure that we provide an adequate service, and to support our business activities (Article 5 and 25(2) GDPR).

3. What Types of Personal Data Do We Use?

For the purposes specified under this Privacy Policy, we may collect the following categories of Personal Data:

3.1. We collect certain Personal Data (such as name, e-mail address, date of birth, age, nationality) provided by the customer through the registration form, by e-mail, or when the customer purchases a product or makes an inquiry. We collect your location data only if you are in Japan. Please note that if you object to providing Personal Data, you may be excluded from the Services provided by the Company.

3.2. When you use this Website or the App, the following data may be collected: your IP address, location, general preferences, settings, system specifications, and any other information. We shall always seek your permission before you share location data with us. Once We get access to your location, we will know which mobile Device you are using, and We can find nearby attractions that match your interests and share suitable attractions with you that are located nearby. If you no longer want to share location data with us, you can withdraw your consent at any time by changing the privacy settings on your Device or browser.

3.3. When you are using our Website or downloading our App, we may ask for information such as your name, e-mail address, date of birth, age, and nationality. We may also record information such as the types of Services you are interested in, usage patterns, information requested by you, and products you have purchased.

4. How Do We Share Your Personal Data?

We may share your Personal Data with third parties in accordance with the GDPR. Where we share your data with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing (Articles 26,28 and 29 GDPR).

5. Strategic Partners

Subject to your prior consent, your Personal Data may be transferred to, stored, and further processed by strategic partners that work with us to provide our services or help us market to customers. Your Personal Data will only be shared by us with the partners in order to provide or improve our products, Services, and advertising.

6. Service Providers

We may share your Personal Data with companies that provide services on our behalf, such as hosting, maintenance, support services, email services, marketing, auditing, fulfilling your orders, processing payments, data analytics, providing customer service, and conducting customer research and satisfaction surveys.

7. Corporate Affiliates and Corporate Business Transactions

We may share your Personal Data with all of the Company’s affiliates. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all Personal Data to the relevant third party.

8. Legal Compliance and Security

It may be necessary for us—by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence—to disclose your Personal Data. We may also disclose your Personal Data if we determine that, due to purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary or appropriate.
We may also disclose your Personal Data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.

9. Data Transfers

Such disclosures may involve transferring your Personal Data out of the European Union to the following countries: Japan and the United States of America. These countries may change due to changes in the business environment.

10. Our Records of Data Processes

We handle records of all processing of Personal Data in accordance with the obligations established by the GDPR (Article 30), both where We might act as a controller or as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31 GDPR).

11. Security Measures

We process your Personal Data in a manner that ensures their appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.
We use appropriate technical or organizational measures to achieve this level of protection (Article 25(1) and 32 GDPR).
We will retain your personal information for as long as it is necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.

12. Notification of Data Breaches to the Competent Supervisory Authorities

In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you (Articles 33 and 34 GDPR).

13. Processing Likely to Result in High Risk to Your Rights and Freedoms

We have mechanisms and policies in place in order to identify data processing activities that may result in high risk to your rights and freedoms (Article 35 GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational safeguards are in place in order to proceed with it.
In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 GDPR).

14. Your Rights

You have the following rights regarding Personal Data collected and processed by us.
Information regarding your data processing: You have the right to obtain from us all the requisite information regarding our data processing activities that concern you (Articles 13 and 14 GDPR).
Access to Personal Data: You have the right to obtain from us confirmation as to whether or not Personal Data concerning you are being processed, and, where that is the case, access to the Personal Data and certain related information (Article 15 GDPR).
Rectification or erasure of Personal Data: You have the right to obtain from us the rectification of inaccurate Personal Data concerning you without undue delay, and to complete any incomplete Personal Data (Article 16 GDPR). You may also have the right to obtain from us the erasure of Personal Data concerning you without undue delay, when certain legal conditions apply (Article 17 GDPR).
Restriction on processing of Personal Data: You may have the right to obtain from us the restriction of processing of Personal Data, when certain legal conditions apply (Article 18 GDPR).
Object to processing of Personal Data: You may have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Data concerning you, when certain legal conditions apply (Article 21 GDPR).
Data portability of Personal Data: You may have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without our hindrance, when certain conditions apply (Article 20 GDPR).
Not to be subject to automated decision-making: You may have the right not to be subject to automated decision-making (including profiling) based on the processing of your Personal Data, insofar as this produces legal or similar effects on you, when certain conditions apply (Article 22 GDPR).
If you want to exercise your rights or need more information about how we use your Personal Data, please contact us at privacy@mytokyopass.com.

The steps to exercise your rights are as follows:
1) Once we have received your notice, we will send you a confirmation that we are processing your request. Also, we will indicate our response time, which shall be within a reasonable period of time.
2) We will evaluate your request first in order to confirm your identity and whether the request is valid.
3) If no further information or action from you is required, we will continue with the processing of your request.
4) At the end of evaluating our internal privacy processes, we will provide an answer to your request in connection to our duty to comply with the GDPR.
5) We may charge a reasonable fee based on our administrative costs for either excessive or unsubstantiated requests.

15. If you want to file a complaint about the way we process your Personal Data.

You can do so by sending your complaint to privacy@mytokyopass.com. After having received your complaint, we will send you a confirmation of receipt within three working days. This answer may include additional questions necessary to clarify the issue underlying your complaint. We will respond with a substantive response as soon as reasonably possible, but at least within one month after receiving your complaint. If we are unable to provide a substantive response within one month due to the complexity of the complaint, we will respond to it within two months after having received it.
If you are not satisfied with the way in which we have proceeded with any request, or if you have any complaint regarding the way in which we process your Personal Data, you may lodge a complaint with a Data Protection Supervisory Authority.

16. Children

We do not knowingly collect and process information on children under sixteen (16) without the permission and consent of their parent(s). If we discover that we have collected and processed the Personal Data of a child under sixteen (16) directly, or the equivalent minimum age depending on the concerned jurisdiction, we will take steps to delete the information as soon as possible. If you become aware that a child under sixteen (16) has provided us with Personal Data directly, please contact us immediately by using the contact address specified under this Privacy Policy.

17. Links to Other Sites

We may propose hypertext links from the Website on which this policy is stated to third-party websites or internet sources. We do not control and cannot be held liable for third parties’ privacy practices and content. Please carefully read their privacy policies to find out how they collect and process your Personal Data.

18. Updates to Privacy Policy

We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy. If we make changes which we believe are significant, we will inform you through the Website.