1. Access to and use of the website chilltea-tokyo.com and all of its subdomains are likely to lead the user to communicate to us some personal data as defined in Article 4(1) of the GDPR.
Personal data is processed in accordance with the principles relating to the processing of personal data listed in article 5 of the GDPR.
○Lawfulness, fairness, and transparency: processed lawfully, fairly, and in a transparent manner in relation to the data subject
○Purpose limitation: collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes
○Data minimization: adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
○Accuracy: accurate and where necessary, kept up to date
○Storage limitation: kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
○Integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures
We undertake not to process any sensitive personal data, in accordance with article 9 of the GDPR.
2. Identity and the contact details of the controller and where applicable, of the controller’s representative;
Chilty Co., Ltd.
KC Building 6F, 2-35-1
Higashiazabu, Minato-ku, Tokyo 106-0044
3. Where do we store your data?
The data we collect is stored with our service provider, SiteGround Spain S.L.
Calle de Prim 19, 28004 Madrid, Spain
The data is stored in its data center in Singapore.
4. How is your data protected?
We use appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
○Pseudonymisation and encryption of personal data;
○Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
○Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
○Regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5. Purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
We may collect, use, store and transfer the following kinds of information about you:
○Identity Data includes first name, last name, username, or similar identifier.
○Contact Data includes billing address, delivery address, email address, and telephone numbers.
○Financial Data includes bank account and payment card details.
○Transaction Data includes details about payments to and from you and other details of products you have purchased from us.
○Technical Data includes internet protocol (IP) address, your login data, browser type, and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
○Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
○Usage Data includes information about how you use our website, products, and services.
○Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We collect the personal data we need to provide you with the service offered, for the following purposes:
○To provide, maintain, protect, and improve the service, including the acceptance of registration, identification, user authentication, recording of user settings, and calculation of usage fees.
○To measure user traffic and behavior
○To analyze the hobbies and preferences of users and to distribute, display, and measure the effectiveness of advertisements related to the products and other services of the company or third parties affiliated with the company, by linking information about users obtained from the company’s business partners with users’ personal information.
○To provide information and respond to inquiries regarding the Service.
○To respond to violations of the company’s terms, policies, etc. (hereinafter referred to as the “Terms, etc.”) related to the Service.
○To conduct surveys, statistics, and analysis for marketing purposes
○To improve the services of the company or third parties affiliated with the company, or to develop new services or new functions.
○To maintain the system and respond to problems
○To notify you of changes to the terms of service, etc.
○For other purposes incidental to the preceding items.
We rely only on the legal bases set out in article 6 of the GDPR, including:
○The data subject has given consent to the processing of his or her personal data for one or more specific purposes
○Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
○Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
○Processing is necessary for compliance with a legal obligation to which the controller is subject.
6. The period for which the personal data will be stored
○The customer file: the personal data of customers are kept for the time necessary for the commercial relationship. They can be kept for commercial prospecting purposes for a maximum of 3 years from the end of this commercial relationship
○The prospect file: the personal data of prospects are kept for 3 years from their collection by the data controller or from the last contact from the prospect.
7. Recipients of personal data
Only chilltea-tokyo is the recipient of your Personal Information. It is never passed on to a third party. Only subcontractors that chilltea-tokyo uses can access it. Neither chilltea-tokyo nor our subcontractors market your Personal Data.
8. Your rights under the GDPR regulation.
○The Right to Information.
○The Right of Access.
○The Right to Rectification.
○The Right to Erasure.
○The Right to Restriction of Processing.
○The Right to Data Portability.
○The Right to Object.
○The Right to Avoid Automated Decision-Making.
(1)The Right to Information; you have the right to request information about the personal data we hold. You have the right to be informed of how your personal data is processed.
(2)The Right of Access; (Article 15, Recitals 63 & 64 GDPR)
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are processed), as well as other relevant information (as detailed below). These requests are often referred to as ‘data subject access requests’ or ‘access requests’.
(3)The Right to Rectification; (Articles 16 & 19 of the GDPR)
If your personal data is inaccurate, you have the right to have the data rectified, by the controller, without undue delay.
If your personal data is incomplete, you have the right to have data completed, including by means of providing supplementary information.
The right of rectification is restricted in certain circumstances under Section 60 of the Data Protection Act 2018, which provides for restrictions that are necessary for important objectives of public interest, and by Section 43 of the Act which seeks to balance the right of rectification with the right of freedom of expression and information.
(4)The Right to Erasure; (Articles 17 & 19 of the GDPR) This is also known as the ‘right to be forgotten’.
You have the right to have your data erased, without undue delay, by the data controller, if one of the following grounds applies:
○Where your personal data are no longer necessary in relation to the purpose for which it was collected or processed.
○Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.
○Where you object to the processing and there are no overriding legitimate grounds for continuing the processing (see point 6 below).
○Where you object to the processing and your personal data are being processed for direct marketing purposes (see point 6 below).
○Where your personal data have been unlawfully processed.
○Where your personal data have to be erased in order to comply with a legal obligation.
○Where your personal data have been collected in relation to the offer of information society services (e.g. social media) to a child.
(5)The Right to Restriction of Processing; (Article 18 of the GDPR)
You have a limited right of restriction of processing of your personal data by a data controller. Where the processing of your data is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your permission.
(6)The Right to Data Portability; (Article 20 of the GDPR)
In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context and to transmit this data to another data controller of your choosing without hindrance. This is referred to as the right to data portability.
(7)The Right to Object; (Article 21 of the GDPR)
When do you have a right to object?
○You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks in the public interest, under official authority, or in the legitimate interests of others.
○You have a stronger right to object to the processing of your personal data where the processing relates to direct marketing. Where a data controller is using your personal data for the purpose of marketing something directly to you or profiling you for direct marketing purposes, you can object at any time, and the data controller must stop processing as soon as they receive your objection.
○You may also object to the processing of your personal data for research purposes unless the processing is necessary for the performance of a task carried out in the public interest.
(8)The Right to Avoid Automated Decision-Making; (Article 22 of the GDPR)
You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.
Automated processing includes profiling.
9. How to exercise your rights.
You also have the right to lodge a complaint. (Article 77 of the GDPR)
English-speaking people can contact the ICO, which is the English authority for the protection of personal data.
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745