Article 1 (Scope and Priority) #

1. This Policy applies to the handling of personal data and other information that we acquire, use, store, provide, or otherwise process in connection with the provision of this website and our services.
2. When we establish separate provisions or notices regarding privacy or information management in relation to our services (including terms of service, notices on individual screens, guides, etc.), such provisions or notices complement this Policy. If there is any conflict between them, the separate provisions or notices shall take priority.
3. When we conclude a confidentiality agreement (NDA) or other individual contract (hereinafter “Individual Contract”) with customers regarding integration services, implementation support, custom development, consulting, or other individual projects related to our services, if such Individual Contract contains provisions regarding the handling of personal data or confidential information, such provisions shall apply with priority over this Policy.
4. Notwithstanding the preceding paragraph, such Individual Contract shall not exempt or restrict our obligations under applicable law (including GDPR) or the rights of data subjects in a manner not permitted by applicable law.

Article 2 (Definitions of Terms) #

The principal terms used in this Policy shall be defined as follows:

1. “Personal Information”: Information defined as personal information under the Act on the Protection of Personal Information and other applicable laws.
2. “Personal Data”: Personal data as defined in GDPR, or personal information that constitutes a personal information database.
3. “Processing”: All handling, including acquisition, recording, editing, storage, use, provision, deletion, and other operations.
4. “Data Subject”: An individual identified by personal data.
5. “Controller” and “Processor”: As defined in GDPR.
6. “Cookie etc.”: Information obtained using cookies, advertising identifiers, device identifiers, or other similar technologies.
7. “Usage Logs”: Access logs, IP addresses, browser information, operation history, authentication and security logs, and other records that are automatically generated and accumulated in connection with the use of our services.

Article 3 (Our Role: Controller/Processor) #

1. We principally handle personal data and other information relating to our customer management, billing, support, marketing, website operations, and other activities as a Controller.
2. On the other hand, with respect to data that customers store or process on cloud/VPS or other services (which may include personal data obtained by customers from end users or others; hereinafter “Customer Content”), when we handle such data for maintenance, operational support, or other purposes, we may handle it as a Processor depending on the contract terms. In such cases, we handle the data in accordance with our Individual Contract (including DPA) and your reasonable instructions.

Article 4 (Personal Data and Information Acquired) #

We may acquire the following personal data and information in providing our services:

1. Account and Contract Information: Name (including contact person name), company name, department name, address, telephone number, email address, login ID, authentication information, contract details, etc.
2. Billing and Payment Information: Billing information, transaction ID, payment status, invoice and receipt information, etc.
   • When using payment processing services, we may not retain credit card numbers.
3. Support-Related Information: Inquiry details, ticket content, response history, communications, configuration information, logs, and other information necessary for incident response within the necessary scope
4. Technical Information and Usage Logs: IP address, access date and time, device/browser information, OS information, browsed pages, referrer, authentication and security logs, operation history, Cookie, etc.
5. Domain/SSL-Related Information (if provided): Registration information, WHOIS-related information, DNS configuration information, certificate application information (domain ownership verification information, organization information, etc.)
6. Fraud Prevention Information: Information necessary for detecting fraudulent orders, unauthorized access, etc. (transaction-related information, logs, identifiers, etc.)
7. Marketing-Related Information (if applicable): Email delivery consent/opt-out status, survey responses, campaign participation information, etc.
8. Other: Information designated by us on our service application screens, configuration screens, etc.

Article 5 (Purposes of Use) #

We use the acquired personal data and information for the following purposes:

1. Provision of our services, account management, fulfillment of contracts, identity verification (if applicable)
2. Billing for service fees, payment processing, payment confirmation, refund handling, accounting and tax processing
3. Service operations (monitoring, incident response, security measures, backups, maintenance, etc.)
4. Responding to inquiries, providing support, notifying of important announcements (terms changes, incident notifications, etc.)
5. Domain registration/transfer/renewal, DNS management, SSL certificate application, issuance, renewal, and other procedures
6. Prevention of fraud, handling of terms violations, protection of rights, dispute resolution
7. Improvement of our services, development of new features, usage analysis, creation of statistical data (including cases in which we perform this in a form that does not identify individuals)
8. Campaign and email newsletter notifications

Article 6 (Legal Basis for Processing under GDPR) #

When we handle personal data of data subjects in the EEA/UK and other regions, we primarily process it based on the following legal bases:

1. Performance of a Contract: Provision of our services, account management, support responses, etc.
2. Compliance with Legal Obligation: Accounting and tax obligations, compliance with legal requirements, etc.
3. Legitimate Interests: Ensuring security, preventing fraud, improving quality, resolving disputes, etc. (We conduct a balancing of interests as necessary)
4. Consent: Marketing communications, consent-required Cookie, etc. (Consent may be withdrawn at any time)
5. Vital Interests: Protection of life and bodily integrity, etc.

Article 7 (Voluntariness of Provision and Impact of Non-Provision) #

1. The provision of personal data and other information is generally voluntary; however, if you do not provide information necessary for the provision of our services, you may not be able to use all or part of our services.
2. Marketing communications, optional surveys, and other similar activities will be operated in a manner that does not result in disadvantages from non-provision (provided, however, that this shall not apply where benefits or incentives are offered).

Article 8 (Provision to Third Parties) #

1. We will not provide personal data to third parties without your consent, except where permitted under applicable law.
2. However, we may provide data to the following categories of third parties to the extent necessary for the provision of our services (recipients may be located domestically or internationally):
   1. Payment processors and financial institutions (credit card payment, PayPal, etc.)
   2. Domain registration-related businesses (registrars, registries, etc.)
   3. SSL certificate-related businesses (certification authorities, auditing bodies, etc.)
   4. Fraud detection and security-related businesses
   5. Distribution, notification, and support tool providers
3. In connection with domain registration or similar services, some registration information may be disclosed publicly or to third parties according to registry rules (this varies depending on the TLD and registration type).
4. We may provide personal data and other information to the extent necessary when responding to legal disclosure requests (from courts, government agencies, etc.).

Article 9 (Outsourcing and Sub-processors) #

1. We may outsource all or part of the processing of personal data and other information to third parties to the extent necessary to achieve our purposes of use.
2. In selecting outsourcing partners, we conduct reviews based on appropriate criteria, impose obligations regarding security measures and confidentiality through outsourcing contracts and other agreements, and conduct necessary and appropriate supervision.
3. When we handle Customer Content as a processor, we may use sub-processors in accordance with our contracts.

Article 10 (International Transfer) #

1. We may handle personal data and other information outside the EEA/UK (including Japan) for the provision of our services.
2. For transfers to which GDPR applies, we implement appropriate safeguards based on adequacy decisions, standard contractual clauses (SCC), and other mechanisms under applicable law.
3. If you wish to receive additional information regarding international transfers, please contact the window specified in Article 21.

Article 11 (Retention Period and Deletion) #

1. We retain personal data and other information only for the period necessary to achieve the purposes of use, and appropriately delete or anonymize such information when it is no longer needed.
2. Based on client portal settings, we generally retain and delete data in accordance with Appendix 1 (Retention Periods and Deletion Criteria).
3. However, where necessary for legal compliance (accounting, tax obligations, etc.), protection of rights (dispute resolution, etc.), ensuring security, or other legitimate reasons, we may retain data within the minimum necessary scope.
4. If you have agreed with us on separate retention periods or deletion conditions through an Individual Contract (DPA/NDA, etc.), such agreement shall take priority (provided it does not conflict with applicable law).

Article 12 (Rights of Data Subjects) #

Where GDPR or similar laws apply, data subjects have the following rights to the extent provided by law:

1. Right of access (confirmation of retained personal data)
2. Right to rectification
3. Right to erasure (the “right to be forgotten”)
4. Right to restrict processing
5. Right to data portability
6. Right to object (to processing based on legitimate interests, etc.)
7. Right to withdraw consent (from processing based on consent)
8. Right to lodge a complaint with a supervisory authority

Article 13 (Procedures for Exercising Rights and Response Deadlines) #

1. Requests under the preceding article (hereinafter “Requests to Exercise Rights”) shall be received at the window specified in Article 21.
2. When processing Requests to Exercise Rights, we may ask you to provide additional information to verify your identity (or authority to act).
3. We will respond to Requests to Exercise Rights in accordance with applicable law, generally within one month of receiving the request. However, if the request is complex or numerous, we may extend the response deadline to the extent permitted by applicable law.
4. We may decline to respond to a Request to Exercise Rights if we are unable to do so under applicable law, or if the request exceeds reasonable bounds. In such cases, we will explain the reason to the extent possible.

Article 14 (Export and Deletion in Client Portal) #

1. We provide a mechanism on our client portal that allows customers to export their own information. The scope of exportable information may change depending on our service provisions, but includes the following as examples:
   • Contacts
   • Accounts/Services
   • Domains
   • Change logs
   • Transactions (payments and transactions)
   • Invoices
   • Tickets
2. We provide a mechanism on our client portal that allows customers to request deletion of their own accounts.
3. When an account deletion request is submitted, we will delete or anonymize personal data and other information held by us after a certain grace period has elapsed.
4. Notwithstanding the preceding paragraph, we may retain some information to the extent necessary for legal compliance (accounting, tax obligations, etc.) or protection of rights (dispute resolution, etc.) (e.g., paid invoices).

Article 15 (Use of Cookie and Similar Technologies) #

1. We may use Cookie and similar technologies to improve the convenience of this website, ensure security, conduct access analysis, and for other purposes.
2. For Cookie and similar technologies that require consent, we provide consent acquisition mechanisms in accordance with applicable law.
3. You can refuse Cookie through browser settings; however, doing so may prevent you from using certain functions of this website or our services.

Article 16 (Access Analysis and Advertising) #

1. We may use access analysis tools and similar services to improve our services. Information collected by access analysis tools is handled in accordance with the terms of the tool provider.
2. When we use advertising delivery services, the provider may acquire browsing information and other data using Cookie and similar technologies.
3. When we use analysis and advertising-related tools, we will provide information on tool names, opt-out methods, and similar information on this website as needed.

Article 17 (Security Measures and Information Security) #

1. We implement organizational, human, physical, and technical security measures to prevent leakage, loss, damage, or unauthorized access to personal data and other information.
2. We implement reasonable measures, including access control, strengthened authentication, encryption, log management, vulnerability response, and supervision of outsourcing partners.
3. When we handle Customer Content as a processor, we implement appropriate technical and organizational measures in accordance with our contracts.

Article 18 (Response to Personal Data Breaches) #

In the event of a personal data breach (leakage, loss, damage, unauthorized access, etc.), we will take measures in accordance with applicable law, including impact assessment, prevention of recurrence, notification to supervisory authorities, and notification to data subjects (where necessary).

Article 19 (Automated Decision-Making and Profiling) #

We may automatically analyze usage status and other information for fraud prevention, security assurance, and other purposes. When we conduct automated decision-making that may have a significant effect on data subjects (including profiling), we will provide necessary information in accordance with applicable law.

Article 20 (Minors) #

We do not intentionally collect personal data of minors. When minors use our services, parental consent or similar may be required depending on applicable law.

Article 21 (Contact Information) #

For inquiries regarding this Policy, the handling of personal data and other information, requests for disclosure, complaints, or consultations, please contact the following window:

• Operator: BESTNET LLC
• Window: Personal Data Contact Window
• Contact: Inquiry form URL
• Reception Hours: Weekdays 10:00–17:00 (excluding holidays and year-end/New Year period)

Article 22 (Operator Information) #

• Operator: BESTNET LLC
• Location: 161-1 Kitanagane, Tajiri, Osaki City, Miyagi Prefecture, Japan
• Representative: Representative Partner Hideyuki Chinden

Article 23 (Additional Information for EEA/UK Residents) #

1. When we handle personal data concerning residents of the EU/EEA or UK due to extraterritorial application of GDPR or similar circumstances, data subjects have the right to lodge a complaint with the supervisory authority having jurisdiction over their residence.
2. As needed, we will appoint an EU/UK representative and publish their contact information on this website.

Article 24 (Revision) #

1. We may revise this Policy in response to legal changes, service modifications, and other circumstances.
2. The revised Policy will be publicized through posting on this website or other means we deem appropriate, and will become effective as of the date of posting or such date as we specify.