In order to ensure that our customers and partners can use our services safely, H2O RETAILING Group companies (the “Group”) will lawfully and properly manage and use personal data in compliance with internal regulations and relevant laws, regulations, guidelines, etc., and endeavor to protect the privacy of our customers and partners.
The following Privacy Policy sets out the Group’s basic principles for using and otherwise handling personal data, and will be adhered to by the Group.

(Lawful Processing of Personal Data)

1. When processing any personal data, the Group will endeavor to ensure that the customers will be able to purchase our products and services with a sense of security by complying with applicable domestic and overseas laws, regulations, guidelines, etc., and continually improving this Privacy Policy.
In addition, the Group will pay constant attention to the use of personal data that a customer entrusts to the Group and will not use it in any way that encourages or induces illegal or unjust acts.

(Collecting Personal Data)

2. If the Group collects any personal data, the Group will do so in a lawful manner and specify its purpose of use.
The Group only collects the personal data necessary for accomplishing the purpose of use and will not collect any personal data beyond what is necessary for such purpose.
Personal data includes information of the customer himself/herself, as well as any personal data indirectly collected through the customer, such as personal data of family members or recipients of shipped products.

(Purposes of Use of Personal Data)

3. If the Group processes any personal data of a customer, the Group will specify its purpose of use in advance.
The Group will not use personal data for any purpose other than the specified purposes of use.
Unless otherwise specified, the Group processes customers’ personal data for the following purposes of use.

1) Business related to retail and services

Information processed: Information regarding the customer’s attributes, such as name, address, phone number, and e-mail address
Purpose of use:
  • Provision of sales services and other services, such as processing of sale, delivery or shipping of products, member registration, and after-sales service
  • Sending a notice of goods left behind, etc., and responding to customer inquiries and feedback on sales processing, products, and services
  • Printing the information of the sender and the recipient on a gift shipping slip
  • Shipping notices, prizes, etc., to the winners of prize competitions, etc., and shipping rewards, etc., for answering questionnaires
  • Responding to other customer inquiries, requests for material, etc.
  • Securing the safety of customers


2) Business to perform services outsourced by corporations, etc.

Information processed: Information regarding the attributes of our partners’ officers and employees, etc., such as name, department, phone number, and e-mail address
Purpose of use:
  • Providing services under a service agreement with a partner, such as salary calculation, bookkeeping, individual number management, and hiring
  • Providing services under a service agreement with a partner, such as system development, operation, and maintenance
  • Responding to other inquiries, requests for material, etc., from our partners

3) Common to the Group

Information processed: Customer attribute information, such as name, address, phone number, and e-mail address, information regarding purchase history, browsing history for websites, social media, etc., and activity history, etc., and attribute information, such as department, phone number, and e-mail address
Purpose of use:
  • Analyzing the collected information in order to provide various types of information according to a customer’s hobbies and preferences, such as information on the Group’s products, services, and events, and information on lifestyle and culture
  • Analyzing the collected information in order to conduct marketing activities for the purpose of market research and product development, renewal, etc.

(Joint Use and Disclosure to Third Party of Personal Data)

4. Personal data will be used jointly among the Group companies in order to respond to inquiries or to improve the quality of services, or for other similar purposes.
The details of the Group’s joint use are as follows:

  1. Personal data items to be jointly used
    Equivalent to the personal data specified in Section 3
  2. Scope of joint users
    The Group and Ningbo Hankyu Department Stores Co.,Ltd.
  3. Purposes of joint use
    Equivalent to the purposes of use specified in Section 3
  4. Name, etc., of the company responsible for managing jointly used personal data
    Naoya Araki, President and Representative Director, H2O RETAILING CORPORATION
    8-7 Kakuda-cho, Kita-ku, Osaka-shi, Osaka

 

No personal data will be disclosed to or accessed by a third party except when such personal data is jointly used, or under any of the following circumstances:

  1. The customer has given consent;
  2. Based on laws and regulations;
  3. Disclosure or access is necessary for protecting the life, limb, or property of someone, and it is difficult to obtain the consent of the applicable customer;
  4. Disclosure or access is necessary for enhancing public health or for the sound development of children, and it is difficult to obtain the consent of the applicable customer;
  5. There is a need to cooperate with a national agency, local government, or person delegated by such national agency or local government in conducting affairs stipulated by laws and regulations, and it is difficult to obtain the consent of the applicable customer;
  6. Outsourcing the processing of personal data to a service provider within the purposes of use (such as delivery companies, address-label printing companies, and credit card companies);
  7. Personal data is disclosed in connection with business transfer due to a merger or other events; or
  8. The third party is an academic research institute, etc., and needs to process personal data for academic research purposes.

(Security Management of Personal Data)

5. The Group will take necessary and appropriate security measures against any risks to personal data that the Group holds, such as unauthorized access, loss, destruction, alteration, and leakage of personal data.


  • Establishing regulations for processing personal data
    Protect individual rights and interests (such as preventing violations of privacy) by establishing Group-wide personal data management regulations and setting out necessary matters for processing personal data.
  • Organizational security measures
    Appoint a personal data officer and establish a reporting system for any potential breach of laws, regulations, or internal regulations related to personal data or any potential leakage, etc., of personal data.
  • Human resources security measures
    Provide officers and employees with education and awareness-raising programs to familiarize them with the need to protect personal data on an ongoing basis.
  • Physical security measures
    Limit the areas in which personal data is processed and take measures to prevent the theft or loss of information equipment, electronic media, documents, etc., through which personal data is processed.
  • Technical security measures
    Introduce a mechanism to prevent external unauthorized access to the system through which personal data is processed and have access controls in place to limit the scope of personal data processed by the people who are in charge.
  • Understanding external environment
    Gather information on any establishment or revision of overseas laws and regulations on personal data and promote the establishment of a system that corresponds to such establishment or revision of laws and regulations.

(Outsourcing the Processing of Personal Data)

6. If the Group outsources the work relating to the processing of personal data to a third party, the Group will provide such third-party service provider with necessary and appropriate supervision to ensure that the third-party service provider will also manage personal data securely.

(Customer’s Management of Personal Data)

7. If a customer requests to access, correct, or restrict the processing, etc., of their personal data, etc., the Group’s inquiry desk will handle the customer’s request swiftly to the extent necessary and reasonable in accordance with the method requested by the customer, whenever possible.
The Group will also endeavor to ensure that the personal data it holds is accurate and updated.
If a customer makes any of the following requests, the Group will handle the request as follows:

  1. If a customer does not wish to receive direct mails, e-mails, etc., from the Group, the Group will promptly stop sending them upon receiving the request from the customer.
  2. If a customer wishes to make a request to access, correct, or erase personal data, or to restrict processing, the customer is requested to contact our inquiry desk and file a request in the form designated by the Group. The Group will promptly handle the request to the extent necessary and reasonable. (In some cases, certain restrictions or fees may apply.)
     

(Disclosing Other Information Regarding the Processing of Personal Data)

8. The Group’s websites may use data that identifies a customer’s computer, called “cookies,” that are sent to and stored in the customer’s hard disk in order to gather browsing information for the purpose of improving website performance and to deliver services and advertisements that are most suited to the customer’s interests.
Although the cookies themselves do not include data that identifies individuals, a customer may refuse to accept the cookies sent by the Group’s websites by changing the cookie settings on the customer’s software for browsing the Internet (web browser).
For details about cookies, please see the Cookie Policy on respective Group websites.

(Desk for Inquiries Regarding the Processing of Personal Data)

9. If a customer has any inquiry about the processing of personal data that the Group holds, please send it using the following form:
Group inquiry form

This Privacy Policy applies to customers residing in the EEA or the UK. For the processing of personal data of customers not residing in the EEA or the UK, please see our Privacy Policy (for All Customers).

Our Basic Principles

1. In order to ensure that our customers and partners can use our services safely, H2O RETAILING Group companies (the “Group”) will lawfully and properly manage and use personal data in compliance with internal regulations and relevant laws, regulations, guidelines, etc., and will endeavor to protect the privacy of our customers and partners.

When processing any personal data of customers residing in the EEA or the UK (“personal data”), the Group will endeavor to ensure that customers will be able to purchase our products and services safely by complying with the EU General Data Protection Regulation and the same as retained in UK law and related guidelines, etc., and by improving this Privacy Policy on an ongoing basis.

Collection of Personal Data

2. If the Group collects any personal data, the Group will specify the purpose of use thereof, and only collect personal data by which the stated purpose(s) of use can be accomplished.

Purposes of Use and Legal Bases for Processing Personal Data

3. The Group processes personal data on any of the following legal bases:

  1. The customer has given consent to the processing (“customer’s consent”).
  2. The processing is necessary for entering into and the performance of a contract to which the customer is a party (“performance of contract”).
  3. The processing is necessary for the Group to comply with a legal obligation (“legal obligation”).
  4. The processing is necessary in order to protect the vital interests of the customer or a third party (“protection of vital interests”).
  5. The processing is necessary for public interest (“public interest”).
  6. The processing of personal data is necessary for purposes of the legitimate interests of the Group or a third party, and those interests are not overridden by the customer’s rights (“legitimate interests”).
    This includes the processing of personal data that is necessary for the Group to conduct its business or provide its services.
  7. Other instances in which the processing is based on laws and regulations.


Unless otherwise specified, the Group processes personal data for the purposes of use and on the legal bases listed below. The customer may withdraw his/her consent at any time, and the withdrawal of consent will not affect the lawfulness of processing based on consent before the withdrawal. If the customer does not provide the Group with his/her personal data, the customer may not receive all or a part of the services provided by the Group.

The personal data that the Group processes includes information about the customer himself/herself, as well as any personal data indirectly collected through the customer, such as personal data about family members or recipients of shipped products.


(i) Business related to retail and services

Type of personal data: Information regarding the customer’s attributes, such as name, address, phone number, and e-mail address
Purpose of use and legal basis:
  • Provision of sales services and other services, such as processing of sale, delivery or shipping of products, member registration, and after-sales service
    Legal basis: 1) Customer’s consent, 2) Performance of contract, 6) Legitimate interests
  • Sending a notice of goods left behind, etc., and responding to customer inquiries and feedback on sales processing, products, and services
    Legal basis: 6) Legitimate interests
  • Printing the information of the sender and the recipient on a gift shipping slip
    Legal basis: 2) Performance of contract, 6) Legitimate interests
  • Shipping notices, prizes, etc., to the winners of prize competitions, etc., and shipping rewards, etc., for answering questionnaires
    Legal basis: 1) Customer’s consent, 2) Performance of contract, 6) Legitimate interests
  • Responding to other customer inquiries, requests for material, etc.
    Legal basis: 6) Legitimate interests
  • Securing the safety of customers
    Legal basis: 4) Protection of vital interests, 6) Legitimate interests

(ii) Business to perform services outsourced by corporations, etc.

Type of personal data: Information regarding the attributes of our partners’ officers and employees, etc., such as name, department, phone number, and e-mail address
Purpose of use and legal basis:
  • Providing services under a service agreement with a partner, such as salary calculation, bookkeeping, individual number management, and hiring
    Legal basis: 6) Legitimate interests
  • Providing services under a service agreement with a partner, such as system development, operation, and maintenance
    Legal basis: 6) Legitimate interests
  • Responding to other inquiries, requests for material, etc., from our partners
    Legal basis: 6) Legitimate interests

(iii) Common to the Group

Type of personal data: Information regarding customer’s attributes, such as name, address, phone number, and e-mail address, and information regarding purchase history, browsing history for websites, social media, etc., and activity history, etc.
Purpose of use and legal basis:
  • Analyzing the collected information in order to provide various types of information according to a customer’s hobbies and preferences, such as information on the Group’s products, services, and events, and information on lifestyle and culture
    Legal basis: 1) Customer’s consent
  • Analyzing the collected information in order to conduct marketing activities for the purpose of market research, product development, product renewal, etc.
    Legal basis: 1) Customer’s consent, 6) Legitimate interests

Disclosing Personal Data

4. If a customer has given consent, the customer’s personal data will be disclosed to the Group in order to respond to inquiries, to improve the quality of services, or for other similar purposes. Details are as follows:

  1.  Personal data to be disclosed
    Equivalent to the personal data specified in Section 3
  2. Scope of disclosure
    The Group and Ningbo Hankyu Department Stores Co.,Ltd. 
  3. Purposes of use of disclosed personal data
    Equivalent to the purposes of use specified in Section 3

Security Management of Personal Data

5. The Group will take necessary and appropriate security measures against any risks to personal data that the Group holds, such as unauthorized access, loss, destruction, alteration, and leakage of personal data.


  • Establishing regulations for processing personal data
    Protection of individual rights and interests (such as preventing violations of privacy) by establishing Group-wide personal data management regulations and setting out necessary matters for processing personal data.
  • Organizational security measures
    Appointment of a personal data officer and establishment of a reporting system for any potential breach of laws, regulations, or internal regulations related to personal data or any potential leakage, etc., of personal data.
  • Personnel security measures
    Providing officers and employees with education and programs to raise awareness and familiarize them with the need to protect personal data on an ongoing basis.
  • Physical security measures
    Limiting the areas in which personal data is processed and taking measures to prevent the theft or loss of information equipment, electronic media, documents, etc., through which personal data is processed.
  • Technical security measures
    Introducing a mechanism to prevent external unauthorized access to the system through which personal data is processed and having access controls in place to limit the scope of personal data processed by the people who are in charge.

Retention Period of Personal Data

6. The Group will establish the minimum required retention period for the personal data it collects, in light of the purposes of processing such data, and will retain such data only for that period. Any personal data that no longer needs to be retained will be destroyed promptly.

Outsourcing the Processing of Personal Data

7. If the Group outsources work relating to the processing of personal data to a third party, the Group will provide the third-party service provider with necessary and appropriate supervision to ensure that the third-party service provider will also manage personal data securely.

Customer’s Management of Personal Data

8. If a customer requests any of the following with regard to the customer’s personal data, the Group’s inquiry desk will handle the customer’s request swiftly, to the extent necessary and reasonable, in accordance with the method requested by the customer, whenever possible: access to personal data, rectification or erasure of personal data, exercise of the right to data portability, objection to processing, restriction of processing, withdrawal of consent, or other relevant matters.
The Group will also endeavor to ensure that the personal data it holds is accurate and updated in light of its purpose of use.
If a customer makes any of the following requests, the Group will handle the request as follows:

  1. If a customer does not wish to receive direct mails, e-mails, etc., from the Group, the Group will promptly stop sending the communications upon receiving a request from the customer.
  2. If a customer wishes to make a request to access, rectify, or erase personal data, to exercise the right to data portability, to object to processing, to restrict processing, or to withdraw consent, the customer is requested to contact our inquiry desk and file a request in the form designated by the Group. The Group will handle the request promptly, to the extent necessary and reasonable.

(If certain conditions are met, restrictions or fees may apply.)
 

Lodging a Complaint with Supervisory Authority

9. A customer has the right to lodge a complaint regarding the processing of personal data with a data protection authority that has jurisdiction over the customer’s place of residence.

Disclosing Other Information Regarding the Processing of Personal Data

10. The Group’s websites may use data that identifies a customer’s computer, called “cookies,” that are sent to and stored in the customer’s hard disk in order to gather browsing information for the purpose of improving website performance and to deliver services and advertisements that are most suited to the customer’s interests.
Although the cookies themselves do not include data that identifies individuals, a customer may refuse to accept the cookies sent by the Group’s websites by changing the cookie settings on the customer’s software for browsing the Internet (web browser).
For details about cookies, please see the Cookie Policy on respective Group websites.

Desk for Inquiries Regarding the Processing of Personal Data

11. If a customer has any inquiries about the processing of personal data that the Group holds, please make a request using the following form:
Group inquiry form