Privacy Policy
1. Introduction
This Privacy Policy (hereinafter, the "Policy") explains how Japan Onsen & Sauna Guide (hereinafter, the "Site") collects, uses, protects, and shares the personal information of users (hereinafter, "Users").
The Site provides services to users in Japan and internationally and complies with the following laws and regulations:
- Japan's Act on the Protection of Personal Information (APPI)
- EU General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Other applicable data protection laws in each country
2. Operator Information
Service Provider: ForceEngine Inc.
Note: For the free parts of the service, such as facility searches and article browsing, the main transactions do not fall under the Act on Specified Commercial Transactions as "mail-order sales." On the other hand, if you purchase paid digital content such as the premium magazine, please review the Statement Based on the Act on Specified Commercial Transactions.
3. Personal Information We Collect
3.1 Information Collected When You Sign Up for the Waitlist
When you sign up for the premium magazine waitlist, we collect the following information.
- Email address (entered voluntarily by the user)
- Date and time of registration
- Language setting at the time of registration
The information collected is used only to send notification emails when the magazine is published. You can unsubscribe from the waitlist at any time using the unsubscribe link in the email.
3.2 Information Collected When You Contact Us
We collect the following information submitted through the contact form.
- Email address
- Inquiry details
- Date and time of submission
3.3 Information Collected Automatically
When you access the Site, the following information is collected automatically:
- IP address
- Browser type and version
- Operating system
- Referrer URL (the page from which you accessed the Site)
- Date and time of access
- Pages viewed
- Cookie ID (described below)
3.4 Location Information
When using the facility search feature, we may obtain your device's location information (latitude and longitude) with your permission. This information is used only to provide search results and is not stored.
3.5 Information Collected When Purchasing and Paying for the Premium Magazine or Other Paid Content
When you purchase paid content through Stripe Checkout or similar services, the following information is processed by us or through our payment processor.
- Email address (for purchaser verification and sending magic links)
- Identification information for the purchased content (such as a magazine identifier)
- Payment and order identifiers, such as transaction IDs issued by the payment processor (we do not store the card number itself on our servers)
- Payment amount, currency, and date and time of payment (as transaction records)
Sensitive payment information such as card numbers and security codes is handled by the payment processor in PCI DSS-compliant form.
3.6 Information Handled When Logging In Through Magic Links or Similar Methods
Our authentication infrastructure is involved in login for viewing paid content. In such cases, the following information may be generated and stored.
- Email address (the destination for the login link)
- Session identifiers and authentication tokens (may be stored in browser cookies, etc.)
- Technical logs related to login attempts (IP addresses, access times, etc. for fraud prevention)
4. Purposes of Using Personal Information
We use the personal information we collect for the following purposes:
4.1 Service Provision
- Displaying and managing content
- Processing purchases of paid content, managing purchase history, and granting viewing rights
- Enabling login through magic links or similar methods and maintaining sessions
- Sending purchase completion notices, viewing links, and re-login links (when requested by the user)
4.2 Service Improvement
- Access analytics
- Improving site usability
- Developing new features
4.3 Communication
- Responding to inquiries
- Sending important notices (security-related matters, service changes, etc.)
- Sending magazine publication notification emails to waitlist subscribers (based on subscriber consent)
- Providing purchase completion guidance for paid content and sending login emails via magic links or similar methods (when requested by the user)
4.4 Fraud Prevention
- Detecting spam and bots
- Investigating security incidents
4.5 Legal Compliance
- Fulfilling legal obligations
- Responding to legal claims
5. Legal Basis for Processing Personal Information (GDPR Compliance)
The legal basis for processing the personal information of EU residents is as follows:
5.1 Legitimate Interests (GDPR Article 6(1)(f))
- Analysis for service improvement
- Prevention of misuse
- Maintenance of security
5.2 Consent (GDPR Article 6(1)(a))
- Use of analytics cookies
- Signing up for the waitlist
5.3 Compliance with Legal Obligations (GDPR Article 6(1)(c))
- Retention of information required by law
5.4 Performance of a Contract (GDPR Article 6(1)(b))
For users within the EU, we process email addresses and purchase and payment-related information to the extent necessary to conclude and perform contracts for paid content purchases.
6. Use of Cookies
The Site uses the following cookies:
6.1 Essential Cookies (No Consent Required)
| Purpose | Retention Period |
| --- | --- |
| Saving language settings | 30 days |
| Maintaining login sessions (paid access authentication, etc.) | In accordance with authentication infrastructure settings |
6.2 Analytics Cookies (Consent Required)
| Purpose | Retention Period |
| --- | --- |
| Access analytics (statistics such as visitor counts and page views) | Up to 2 years |
About the access analytics service: The Site uses a third-party access analytics service to analyze site usage. These services use cookies to track user behavior, but do not collect information that identifies individuals.
Managing cookies: You can refuse cookies or delete existing cookies in your browser settings. However, if you disable essential cookies, some functions of the service may not work properly.
7. Disclosure of Personal Information to Third Parties
The Site does not provide users' personal information to third parties except in the following cases.
7.1 Third Parties Necessary for Service Provision
| Category | Purpose | Information Provided | Location |
| --- | --- | --- | --- |
| Cloud database and authentication | Database, authentication, storage | Information related to the waitlist, purchases, and authentication, session-related data | United States, etc. |
| Access analytics service | Analysis of site usage | Access logs | United States |
| Hosting provider | Website hosting | Access logs | United States |
| Email delivery service | Delivery of notifications, magic links, and other emails | Email address, link tokens contained in email body, etc. | United States |
| Payment processor | Credit card payment processing | Information necessary for payment (the full card number is not retained by us) | United States, etc. |
These third parties manage personal information under strict security standards based on appropriate Data Processing Agreements.
7.2 International Data Transfers
As noted above, some personal information is transferred to the United States or outside the EU. These transfers are protected by the following mechanisms:
- Standard Contractual Clauses (SCC)
- Adequacy decisions (where applicable)
- Other safeguards in compliance with Chapter 5 of the GDPR
7.3 Disclosure Based on Law
We may disclose personal information as required by law in the following cases:
- Court orders
- Formal requests from law enforcement authorities
- To protect life or physical safety in emergencies
8. User Rights
8.1 Rights of All Users
- Right of access: The right to confirm your own personal information
- Right to rectification: The right to correct inaccurate information
- Right to erasure: The right to delete personal information
- Right to object: The right to object to the processing of personal information
8.2 Additional Rights for EU Residents (GDPR Data Subjects)
- Right to data portability: The right to receive personal information in a machine-readable format and transfer it to another service
- Right to restriction of processing: The right to restrict processing under certain circumstances
- Right to object to automated decision-making, including profiling
8.3 Additional Rights for California Residents (CCPA Data Subjects)
- Right to know: The right to know the categories and specific pieces of personal information collected
- Right to deletion: The right to request deletion of personal information
- Right to opt out of sale: The right to opt out of the sale of personal information (the Site does not sell personal information)
- Right to non-discrimination: The right not to be discriminated against for exercising rights
8.4 How to Exercise Your Rights
To exercise these rights, please submit a request through the contact form.
Response times:
- Standard requests: responded to within 30 days
- Complex requests: up to 60 days (you will be notified in advance if an extension is required)
9. Data Retention Periods
| Data Type | Retention Period |
| --- | --- |
| Waitlist registration information | Until unsubscribed via the unsubscribe link, or 90 days after magazine publication |
| Records related to purchases and payment of paid content | For the period required by law and accounting/tax purposes (unnecessary items are deleted after the period has elapsed) |
| Inquiry details | Up to 1 year after resolution |
| Access logs | Up to 90 days |
| Backup data | Up to 180 days |
| Cookies | Varies by cookie (see above) |
Retention for legal compliance: If there is information that must be retained due to specific legal obligations, such as tax-related records, we retain it for the period prescribed by law.
10. Data Security
The Site takes the following technical and organizational measures to protect personal information from unauthorized access, loss, destruction, and alteration:
10.1 Technical Measures
- SSL/TLS encryption: Encrypting all communications over HTTPS
- Regular security updates
10.2 Organizational Measures
- Strict management of access privileges
- Establishment of a security incident response plan
10.3 Response to Data Breaches
In the unlikely event that personal information is leaked:
- Report to the supervisory authority within 72 hours (GDPR requirement)
- If the risk is high, notify affected users directly
- Investigate the cause and implement measures to prevent recurrence
11. Children's Personal Information
The Site is not a service for children under 13 (under 16 for EU residents). We do not intentionally collect personal information from children under 13 (under 16 for EU residents).
If we learn that a child under 13 has provided personal information to the Site, we will promptly delete that information.
If you are a parent or guardian and believe your child has provided personal information to the Site, please contact us immediately.
12. Changes to the Privacy Policy
The Site may update this Policy from time to time in response to changes in laws or improvements to the service.
12.1 How We Notify You of Changes
- Notice on the Site
12.2 Effectiveness of Changes
The revised Policy takes effect when it is posted on the Site. Continued use of the service will be deemed acceptance of the revised Policy.
13. For EU Residents (GDPR Compliance)
13.1 Data Controller
The Site operator is the data controller of your personal information.
13.2 EU Representative (GDPR Article 27)
For sites like ours that are based outside the EU, personal data may be sent outside the EU (for example, to the United States) through servers or payment processors. Under the GDPR, this is mainly a matter of Chapter V, which covers safeguards for transfers such as adequacy decisions and standard contractual clauses.
On the other hand, the obligation to appoint an "EU representative" under Article 27 does not arise solely because there are cross-border transfers. It is a separate rule under which the appointment may be required when a controller outside the EU handles personal data in connection with the ongoing offering of goods or services to people in the EU and other legal requirements are met.
The Site does not currently appoint an EU representative. If use by EU residents becomes continuous and of a certain scale, and we determine that Article 27 measures are necessary, we will respond accordingly by notifying you in this Policy or otherwise. For individual legal judgments, please consult a specialist if necessary.
13.3 Complaints to Supervisory Authorities
If you have a complaint regarding the GDPR, you may file it with the data protection supervisory authority in your country of residence.
Major EU data protection authorities:
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- List of supervisory authorities by country
14. For California Residents (CCPA Compliance)
14.1 Sale and Sharing of Personal Information
Important notice: The Site does not sell personal information.
The Site does not do the following:
- Sell personal information to third parties in exchange for monetary consideration
- "Share" as defined by the CCPA (disclosure of personal information for cross-context behavioral advertising)
About disclosure to third parties:
Personal information shared by the Site with service providers (cloud providers, analytics services, etc.) is limited to the extent necessary to provide the service, and these service providers operate under strict data protection agreements. Such sharing does not constitute "sale" or "sharing" as defined by the CCPA.
14.2 Global Privacy Control (GPC) Support
The Site automatically recognizes and respects Global Privacy Control (GPC) signals.
What GPC is:
- A signal sent through a browser or browser extension
- An expression of the user's intent that they do not want their personal information sold or shared
- A response required under California law (CCPA)
Our response:
- If you visit the Site with a browser that has GPC enabled, analytics cookies will be disabled automatically
- No banner will be shown, and privacy-first settings will be applied immediately
How to set up GPC:
- Supported browsers: Brave, Firefox (extension), DuckDuckGo, etc.
- For details: https://globalprivacycontrol.org/
14.3 Exercising California Rights
You can exercise your rights using the method described in Article 8 of this Policy.
Special rights for California residents:
- Right to know: The categories and specific pieces of personal information collected over the past 12 months
- Right to deletion: Request deletion of personal information held by the Site
- Right to opt out of sale (the Site does not sell personal information)
- Right to non-discrimination: Service quality will not be reduced because you exercised your rights
How to exercise your rights:
Please submit a request through the contact form.
Response time: Within 45 days (up to 90 days in complex cases, with prior notice of any extension)
15. Waitlist Registration and Unsubscription
15.1 About Registration
The premium magazine waitlist is an optional service for users who wish to receive notifications when the magazine is published. Only an email address is required to register.
Registration for the waitlist processes personal information based on the following legal basis (GDPR Article 6(1)(a)):
- Consent: The user is deemed to have consented by voluntarily entering an email address and clicking the registration button.
15.2 Notification Emails
After registration, we may send the following emails:
- Registration confirmation email
- Magazine publication notification email
We do not send spam email. We only contact you with magazine publication notifications.
15.3 How to Unsubscribe
You can unsubscribe from the waitlist at any time:
- Unsubscribe link in the email: Click the "unsubscribe" link in the email you received
- Contact form: Contact us through the contact form and let us know you want to unsubscribe
After unsubscribing, your registration information will be deleted promptly.
16. Processing for Premium Magazine Buyers (Payment and Authentication Links)
16.1 Purchase and Payment
When purchasing paid content, the email address, purchase details, transaction identifiers issued by the payment processor, and similar information are processed for the performance of the contract and legal compliance. Credit card numbers and similar information are, in principle, handled on the payment processor's system, and we do not store them on the Site's servers.
16.2 Authentication Links
We may send a one-time login URL to the email address of users who have viewing rights. This is because we use an authentication method that does not require us to permanently retain passwords. The expiration period for the link and the reissue procedure will follow the instructions in the relevant email and on the Site.
16.3 Third-Party Services
For details regarding payment, authentication and database, email delivery, and other processing, please refer to Article 7 of this Policy and the privacy policies of each provider.
17. Handling of Data in Social Media Operations (Threads)
ForceEngine Inc., which operates the Site, may acquire and process publicly available post information on Threads through the Threads API provided by Meta Platforms for editorial and community operations, such as keyword searches and tag searches.
17.1 Information Collected and Processed
- Public information such as the text of publicly available Threads posts, the public username of the poster, the post URL (permalink), and the date and time of the post
- We do not obtain posts from private accounts or personal information that is not publicly available.
17.2 Purpose of Use
- Understanding topics related to Japanese hot springs, sauna, and travel, and planning editorial content
- Internal viewing and reference so that the person in charge of operations can reply and interact sincerely and manually from the brand account
17.3 Handling Policy
- Public posts obtained are limited to internal use so that the person in charge of operations can understand the content.
- We do not permanently store, sell, or redistribute the information to third parties.
- Actions such as following, liking, and replying are not automated and are all performed manually by the person in charge of operations.
- The Threads API access token is managed securely and is not used for any purpose other than this one.
- This processing is carried out in accordance with Meta Platforms' terms of use and platform policies.
18. Governing Law and Jurisdiction
18.1 Governing Law
The interpretation and application of this Policy shall be governed by the laws of Japan.
However, the following laws and regulations may take priority where applicable:
- For EU residents, the EU General Data Protection Regulation (GDPR)
- For California residents, the California Consumer Privacy Act (CCPA)
- Any other mandatory laws of the user's country of residence
18.2 Jurisdiction
Any disputes regarding this Policy shall be subject to the exclusive agreed jurisdiction of the Tokyo District Court as the court of first instance.
However, this shall not apply where the jurisdiction of another court takes priority under mandatory law.
Revision History
Contact Us
For inquiries or complaints regarding the handling of personal information, please use our contact form.