Kaibi Holdings Co., Ltd. (hereinafter “Kaibi Holdings”, “we”, “us”, “our”) respects your privacy and is committed to protecting the privacy of our customers including our Website Visitors (hereinafter “you”, “your”). This Privacy Policy describes the ways we collect, store, use and protect your personal data and informs you about your privacy rights. Please read this Privacy Policy carefully and in full before using our Website(s) and/or our services, or otherwise contacting us.

ARTICLE 1 SCOPE OF THIS PRIVACY POLICY

The scope of this Privacy Policy is limited to processing activities of your personal data to which the privacy rules of the countries of the European Economic Area (“EEA”) and United Kingdom (“UK”) apply, such as the General Data Protection Regulation (“GDPR”) and UK GDPR.

ARTICLE 2 WHO IS RESPONSIBLE FOR THE DATA PROCESSING?

2.1 Data Controller.

Kaibi Holdings is responsible for the processing of your personal data. Our affiliate tHiN’nk. Co., Ltd. (“tHiN’nk.”) is responsible for the collection and further processing of personal data via the website contact form (and is considered data controller for this processing). For the sake of completeness, we have described the collection of personal data via this contact form in ARTICLE 3;

2.2 Data Processor.

In principle, we control the processing of your personal data and do not process your personal data on behalf of another party.

2.3 Compliant processing.

We will only process personal data in accordance with the Applicable Privacy Legislation and as described in this Privacy Policy.

2.4 Third party references Website(s).

Our Website(s) include links to websites of third parties (for example hyperlinks, banners or buttons). We are not responsible for the content of these websites, services provided by these third parties, or their compliance with the Applicable Privacy Legislation. We recommend you to carefully read the privacy policies of the third party websites you are visiting.

ARTICLE 3 WHICH PERSONAL DATA IS USED AND FOR WHAT PURPOSES?

3.1 Collection of personal data.

We may collect information of you when:

• a. entering data on our contact form
• b. otherwise you use our Website(s).

3.2 Categories of personal data.

We may collect the following personal data from you:

• a. We may collect the following information via our contact form
  • - first and last name;
  • - address;
  • - e-mail address;
  • - phone number;
  • - shipper/receiver;
  • - company name;
  • - your message to us;
• b. We may collect the following information if you use Website(s):
  • - IP address;
  • - Website(s) behavior.

3.3 No sensitive personal data.

In principle we do not obtain sensitive personal data and personal data relating to criminal offences except in cases where it meets the requirements of the applicable laws. We also do not intend or wish to obtain personal data (directly) from minors.

3.4 Purposes and legal grounds.

We may process personal data collected in accordance with this Privacy Policy based on the following purposes and legal grounds:

• a. Performance of a Contract:

  We use your personal data for performing a Contract that you have concluded with us or another party or in order to take steps at your request prior to entering into such Contract. Legal ground: If you decide to place an order via one of our Website(s), your personal data are processed by us for performing Contract between us. We do not process more personal data than is necessary for the performance of a Contract.

• b. Communication:

  Your personal data may be used to communicate with you about our services and to inform you of matters that are important for your use of our Website(s) and the handling of any complaints. Legal grounds: This processing of personal data is necessary for the performance of a Contract and/or for purposes of a legitimate interest pursued by Kaibi Holdings, namely to conduct our normal business.

• c. Marketing purposes and customer experience surveys:

  To approach you for marketing purposes or to measure customer satisfaction to improve customer experience, we request your prior consent, unless it concerns offers about similar services that you have ordered. You always have the right to unsubscribe from mailings. Legal ground: This processing of personal data is necessary for purposes of a legitimate interest pursued by Kaibi Holdings, namely to keep in touch with you and to offer you similar services or is based on your prior consent.

• d. Customer service:

  If you use our customer service, your personal data may be used to provide you with customer service. For example, we process your personal data when you fill out our contact form or when you contact us for inquires. Legal grounds: This processing of your personal data is necessary for the performance of a Contract, or is necessary for purposes of a legitimate interest pursued by Kaibi Holdings, namely to conduct our normal business.

• e. Legal obligations:

  We may also be required to comply with legal obligations to which we are subject under the applicable laws. We only provide personal data obtained from you to third parties, such as competent authorities, if required by law. Legal grounds: Our legal grounds for the processing activity with regards to legal objectives is to comply with a legal obligation under EEA and UK law and our legitimate interest to comply with non EEA / UK laws.

3.5 Legitimate interest.

Sometimes we indicate that we process your personal data based on the legal ground "legitimate interest". This means that a balance of interests is performed between the interests: the interests that are served by the processing on one hand and your privacy interests on the other hand, and that the interests in favor of the processing prevail. The related legitimate interests are included above per processing activity.

3.6 Further processing.

It may be that we intend to further process your personal data for a purpose other than those for which the personal data have been collected, but compatible with the initial processing purpose. In such case, we will provide you with information about that further processing.

ARTICLE 4 HOW DO WE OBTAIN YOUR PERSONAL DATA?

4.1 Means of collection.

We obtain your personal data in various ways:

• a. Provided by you.

  We obtain information actively provided by you. For example, if you contact us via the contact form you provide us information. When you provide personal data to Kaibi Holdings and tHiN’nk., please do not provide information that is irrelevant, not accurate and/or unnecessary for the services provided.

• b. Automatically retrieved.

  We obtain some information automatically when you visit our Website(s). For example, we automatically obtain information about you via cookies when you visit our Website(s). For more information on this, please refer to our Cookie Notice.

• c. Third-party sources.

  We also may obtain information from third parties in exceptional cases.

• d. Derived.

  We may perform analysis on personal data about you. The resulting data can also qualify as personal data about you. For example, we may analyze which webpages are visited most frequently, and from which previous website the Website Visitor was referred to such webpage.

4.2 Required provision.

It may be that providing certain personal data to us is a statutory or contractual requirement. If that is the case, we will inform you thereof separately, and will also explain the possible consequences if you fail to provide such personal data to us.

ARTICLE 5 WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Sometimes it is necessary to share your personal data with another party. In this paragraph we inform you under what conditions we will share personal data and with whom.

5.1 Conditions for data sharing.

We only share your personal data with third parties if:

• a. This is necessary for the provision of a service or the involvement of the third party. Third parties will, for example, in principle only get access to the personal data that they require for their part of the service provision.
• b. The persons within the third party that have access to the personal data are under an obligation to treat the personal data confidentially.
• c. The third party is obliged to comply with the applicable data protection laws.

5.2 Parties with whom we share your personal data.

We may share all or part of the above-mentioned information referred to in ARTICLE 3 above with the following (third) parties:

• a. Kaibi Group including tHiN’nk.;
• b. agents involved, operating on behalf of Kaibi Holdings;
• c. subcontractors and service providers involved, such as airlines, shipping lines, trucking companies, depots, auditing companies, consulting and law firms, insurance companies, other authorities, marketing and market research agencies and hosting and payment providers;
• d. persons authorized to this end, employed or engaged by a data processor of Kaibi Holdings or affiliated companies of Kaibi Holdings, involved in the processing, on a need-to-know basis (accounting and auditing firms, insurance and tax institutions);
• e. competent authorities, such as the police or the authorities of the country of transit or destination for customs clearance in as far as required by the laws of the respective country; and
• f. other third parties, on a need-to-know basis.

ARTICLE 6 HOW DO WE SECURE YOUR PERSONAL DATA?

6.1 Security measures.

We take appropriate organizational and technical security measures to protect your personal data and to prevent misuse, loss or alteration thereof. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a need to have access. Also the aforementioned persons involved are bound by a confidentiality obligation, either in their employment agreements, data processor agreements or other similar agreements.

6.2 Security policies.

We have in place information security guideline in which it is described how we ensure an appropriate level of technical and organizational security. This guideline also includes a data breach policy in which it is described how to deal with suspected personal data breaches. We will for example notify the relevant EU supervisory authority and the data subjects involved if required under Applicable Privacy Legislation.

ARTICLE 7 TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?

In addition to transferring your personal data to Japan, we may also transfer it to other countries or territories outside the EEA and UK in connection with the sharing of personal data with third parties as described above. In this paragraph we provide you with more information on data transfers and the legitimization thereof.

7.1 Transfers outside the EEA.

Part of the third parties which we entrust with your personal data are based outside the EEA and/or the UK (“GDPR Third Countries”). Any data transfers from the EEA/UK to GDPR Third Countries shall always take place in compliance with the GDPR and UK GDPR and additional recommendation or decision issued in this regard by the European Data Protection Board, European Commission or other competent authority. In case the data is transferred outside the EEA or the UK, the transfer is legitimized in the manner described below. Please note that if we collect personal data directly from you, this does not qualify as a transfer.

7.2 Legitimization of transfers outside the EEA and UK.

Whenever we transfer your personal data to GDPR Third Countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

- Transfers of your personal data to GDPR Third Countries may be legitimized on the basis of a so-called EU adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. See this webpage for the current list of adequacy decisions. This is for example the case for transfers of your personal data from the EEA to Japan.

- If and insofar as we transfer personal data to GDPR Third Countries to which no adequacy decision applies, we will conclude the applicable version of the model clauses to safeguard data protection as published by the European Commission, so called standard contractual clauses (“Transfer SCCs”) or UK transfer agreement approved by the ICO. If deemed required under the Applicable Privacy Legislation, additional measures will be taken. This may concern technical, organizational and/or contractual measures.

ARTICLE 8 HOW DO WE DETERMINE HOW LONG WE RETAIN YOUR PERSONAL DATA?

8.1 Main rule.

In principle, we do not store your personal data any longer than is necessary for the purposes for which we process your personal data.

8.2 Exception: shorter retention.

If you or another person successfully exercises one of your privacy rights, it can be that the relevant personal data may no longer be retained. In such cases, we may process your personal data for a shorter period, than as stated under the ‘main rule’. Please refer to ARTICLE 10 below for more information on this.

8.3 Exception: longer retention.

In exceptional cases, we may process your personal data longer. In such cases we may process your personal data longer than as stated under the ‘main rule’. This is the case if we need to process your personal data for a longer period in view of:

• a. a longer minimum statutory retention period that applies to Kaibi Holdings or other specific statutory obligation;
• b. practicality;
• c. a legal procedure;
• d. the right to freedom of expression and to information;
• e. a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• f. public health.

ARTICLE 9 COOKIES

9.1 Use of cookies.

We use cookies to ensure that our Website(s) functions properly. Cookies are small text files that can be placed on your computer, tablet, smartphone or other electronic device with which you can use to surf the internet via a web browser. Please refer to our Cookie Notice for more information.

ARTICLE 10 WHAT ARE YOUR PRIVACY RIGHTS?

10.1 Privacy rights.

In relation to our processing of your personal data, you have the below privacy rights. For more information on your privacy rights, please refer to this webpage of the European Commission.

• a. Right to withdraw consent.

  In so far as our processing of your personal data is based on your consent (see ARTICLE 3), you have the right to withdraw consent at any time.

• b. Right of access.

  You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves).

• c. Right to rectification.

  You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.

• d. Right to erasure.

  You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of GDPR. We do not have to honor your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defense of legal claims.

• e. Right to object.

  You have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see ARTICLE 3). Insofar as the processing of your personal data takes place for direct marketing purposes, we will honor your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.

• f. Right to restriction.

  You have the right to request restriction of processing of your personal data in case: (i) the accuracy of the personal data is contested by you, during the period we verify your request, (ii) the processing is unlawful and restriction is requested by you instead of erasure, (iii) we no longer need the personal data but they are required by you for the establishment, exercise or defense of legal claims, or (iv) in case you have objected to processing, during the period we verify your request. If we have restricted the processing of your personal data, this means that we will only store them and no longer process them in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defense of legal claims, (iii) for the protection of the rights of another natural or legal person, or (iv) for reasons of important public interest.

• g. Right to data portability.

  You have the right to request to transfer of your personal data to you or to a third party of your choice. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if our processing ground for such processing is your consent or the performance of a Contract to which you are a party (see ARTICLE 3).

• h. Automated decision-making.

  In addition to the above mentioned rights you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement of the GDPR at all times. Please refer to this webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us beforehand.

10.2 How to exercise your rights.

The exercise of the abovementioned rights is free of charge and can be carried out by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.

10.3 Verification of your identity.

We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.

10.4 Follow-up of your requests.

We will provide you with information about the follow-up to the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The Applicable Privacy Legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

ARTICLE 11 CONTACT DETAILS

For any questions, complaints or in the event that you wish to make use of one of the rights mentioned in ARTICLE 10, you may contact us at the contact details below:

11.1 Contact Kaibi Holdings and tHiN’nk.. You can contact Kaibi Holdings for any question relating to your privacy, via miura@kaibi.jp. You may also contact us via post (address: 3-15, tsurushiromachi , Wakabayashi-ku, Sendai-city, Miyagi 984-0001, Japan).

11.2 Contact DPO. We have appointed a Data Protection Officer. Our DPO can be contacted via furuhashi.027@kaibi.jp. Please let the DPO know by e-mail if you prefer to have further contact over the phone and indicate your preferred language, provided that this is the national language of an EEA country, or Japanese. The DPO will then provide you with the relevant phone number.

ARTICLE 12 MISCELLANEOUS

12.1 Kaibi Holdings reserves the right to change this Privacy Policy from time to time. It is your responsibility to regularly review the applicable conditions.

12.2 If a provision from this Privacy Policy is in conflict with the law, it will be replaced by a provision of the same purport that reflects the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain applicable unchanged.

ARTICLE 13 DEFINITIONS

13.1 In this Privacy Policy, the definitions the following definitions apply:

• ・“Applicable Privacy Legislation” means the Applicable Privacy Legislation, including the GDPR and the relevant national implementation acts.
• ・ “Contract” means any contract between you and Kaibi Holdings.
• ・“GDPR” means either or both the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the Data Protection Act 2018 (“UK GDPR”).
• ・“Privacy Policy” means the present Privacy Policy.
• ・“Website(s)” means the website(s) listed here that controlled by Kaibi Holdings in as far as these are directed towards EEA individuals and fall under the scope of the GDPR.
• ・“Website Visitor” means individuals who visit one of our Website(s).
• ・“Kaibi Group” means all entities which are part of the Kaibi group and an affiliate entity of Kaibi Holdings.

13.2 Other terms that are defined in the Applicable Privacy Legislation, such as ‘personal data’, ‘(joint) controller’, ‘processor’, ‘data subject’ and ‘processing’ will have the meaning as described in the Applicable Privacy Legislation.