CLOVER HOLDING co.,ltd..
Privacy Policy for Personal Data Subject to GDPR
OUR PRIVACY STATEMENT
This privacy policy (“Privacy Policy”) intends to inform you of how CLOVER HOLDING co.,ltd. . and our group companies (“ We ” or “CLOVER HOLDING” ), acting as a data controller, process your personal data that we obtained from you or through third parties. We process your personal data in accordance with the applicable UK and EU data protection regulations, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation 2016/679 (Hereinafter, both are referred to simply as "GDPR".). If you have any questions or concerns relating to this Privacy Policy, please contact us at privacy @clover-hd.jp .
WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?
We process the following categories of personal data in the course of our business operation:
-
Identity-related information:
Name, Handle name, date of birth, copies of identification documents (such as national ID cards or
driver's licenses), facial photographs, genderUser Profile Information: Profile description and
self-introduction text
- Identity documents and facial photographs are stored in encrypted form on AWS S3 (Tokyo region). These data will be deleted upon account deletion. However, where retention obligations exist under applicable laws such as anti-money laundering regulations, the data will be retained for the period prescribed by such laws before deletion.
- Contact details: Address, email address
-
Location Data:
Geolocation data including GPS coordinates (latitude and longitude). Collection frequency is every 10 meters
of movement.
- For Support Providers: Collected while "Available for Support" is turned ON and during active support sessions. While "Available for Support" is ON, collection continues even when the app is in the background (including when the app is closed).
- For Travelers: Collected only during active support sessions. During support sessions, collection continues even when the app is in the background (including when the app is closed).
- Sharing Scope: Location data is shared in real-time only with the matched counterpart user. It is not shared with any third parties.
- Retention on Device: Up to 14 days
- Retention on Server: During the existence of the user account and for 6 months after account closure
- How to Stop: Automatically stops when the support session ends. Support providers can also stop it by turning OFF "Available for Support." Users can also stop collection at any time by revoking location permissions in the device's OS settings.
- Automatic Start: Background location collection starts automatically when a support session begins, without any additional user action.
- User authentication status: Payment processor authentication status (for Stripe)
- Login Credentials: Email address and password used to create or access your account
- Third-Party Authentication Data: Information received when you authenticate via third-party services like Google or Apple, which may include unique user IDs, email addresses, and authentication tokens
- Professional information: Copies of licenses for travel support and other qualifications necessary to legally conduct support services through this application " abay” " (hereinafter referred to as "app" or "application")
- Usage information: App usage history, including access logs, eature usage, and interaction data
- Communication data: Messages exchanged between app users Audio and Video Content(Voice streams and video footage transmitted and received during real-time communications.) Call Metadata(Information about your communications, including Date and time of calls, Duration of communications, User IDs of call participants, Call status information.)
- Payment information: Payment completion status via payment processor
- Bank account information: Bank account details (bank name, account number, branch code, account holder's name, and any other required banking details)
- Support Provider Learning and Assessment Data: Information related to support providers' learning progress and test results required for providing travel support services, including: Learning progress status Test responses and scores Test completion dates Test attempts history Test pass/fail status
- Technical data: Cookie [(Please see the details of processing cookie in our cookie policy at [Cookie Policy]( Cookie Policy ))], IP addresses, JSON Web Tokens (JWTs) for user identification and session management
HOW DO WE COLLECT YOUR PERSONAL DATA?
In general, we receive or obtain your personal data from you in the cases, including when you:
- Provide us with your personal data on our website, our mobile application
- Contact us to ask any queries
- Use our mobile application
We also collect information on your usage of our website through the services of Google Analytics, when you use our official website and online ticket store so that we may measure the effectiveness of our official website.
Additionally, when you install and use our mobile application, we may collect personal data as necessary for the functioning of the app and to provide you with our services. This may include information you provide directly through the app, as well as data automatically collected by the app such as device information and usage statistics.
HOW DO WE USE YOUR PERSONAL DATA?
For the purposes specified in the Privacy Policy, we process your personal data. We ensure that the personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. If we intend to process your personal data in order to attain other purposes than the original purposes, we will ensure that you are informed of this. We process your personal data based on the following legal basis for the following purposes:
-
Legitimate Interest Assessments
When we process your personal data based on our legitimate interests, we have conducted a balancing test to
ensure that our interests are not overridden by your rights and freedoms. Our legitimate interests include:
- Ensuring compliance with legal requirements and maintaining a safe user environment.
- Preventing misuse of our services and protecting users from unlawful activities.
- Responding to user inquiries to improve our services and maintain good relationships.
We believe that our processing is necessary for these purposes and does not disproportionately affect your privacy rights. You have the right to object to this processing at any time (see "YOUR RIGHTS" section).
Table of Purposes and Legal Bases
| Specific Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
|
User registration for app access:
New user registration for initial access account creation. This includes identity verification by matching with a photo ID. The image of the ID is used solely for the purpose of manually confirming that the registered user matches the person shown on the ID. (This verification process is performed without the use of AI or automated facial recognition algorithms.) |
• Identity Verification Information: Name, date of birth, copy of ID, photo, gender
• User Authentication Status: Authentication status with payment processors (Stripe) • Login Authentication Information: Email address and password for account creation or access • Third-Party Authentication Data: Information received when authenticating via third-party services like Google or Apple, which may include a unique user ID, email address, and authentication token. • Professional Information: Copy of licenses for travel support and other qualifications required to legally provide support services through this app. |
Performance of a contract |
| User identification at each login |
• Identity Verification Information: Handle name, email address
• Login Authentication Information: Email address and password for account creation or access • Third-Party Authentication Data: Information received when authenticating via third-party services like Google or Apple, which may include a unique user ID, email address, and authentication token. |
Performance of a contract |
| User identification within the app |
• Identity Verification Information: Handle name
• Technical Data: IP address, Token (JWT) |
Performance of a contract |
| To confirm completion and passing of mandatory e-learning courses and tests by support providers. | • Supporter Learning and Evaluation Data: Information on the learning progress and test results of support providers necessary for providing itinerary support services. This includes learning progress, test answer content and scores, test completion date, test-taking history, and test pass/fail status. | Performance of a contract |
| Matching of travelers and support providers within the app ("Traveler" refers to a user using the app as a traveler, and "Support Provider" refers to a user assisting travelers) |
• Identity Verification Information: Handle name, date of birth, photo, gender
• User Profile Information: Profile description and self-introduction • Location Information: Geolocation data |
Performance of a contract |
| Realization of offline meetings between travelers and support providers based on app information |
• Identity Verification Information: Handle name
• Location Information: Geolocation data |
Performance of a contract |
| Sharing location information between travelers and support providers |
• Identity Verification Information: Handle name
• Location Information: Geolocation data |
Performance of a contract |
| Chat communication between travelers and support providers |
• Identity Verification Information: Handle name
• Location Information: Geolocation data • Technical Data: IP address, JSON Web Token (JWT) |
Performance of a contract |
| Voice and video calls within the app |
• Identity Verification Information: Handle name
• Communication Data: Voice and video content (audio and video streams transmitted during real-time communication) • Call Metadata: Information related to communication, including call date and time, duration, user IDs of participants, and call status • Technical Data: Cookie, IP address, JSON Web Token (JWT) |
Performance of a contract |
| Confirmation of payment for fees incurred within the app | • Payment Information: Payment completion status via payment processors | Performance of a contract |
| Processing payments for services to support providers to their bank accounts | • Bank Account Information: Bank account details (bank name, account number, branch code, account holder name, and other necessary bank transaction information) | Performance of a contract |
| Review of whether a specific user has the legal qualification and eligibility to use the application based on the app's terms of use |
• Identity Verification Information: Name, handle name, date of birth, copy of ID, photo, gender
• Contact Information: Address, email address • Location Information: Geolocation data • User Authentication Status: Authentication status with payment processors (Stripe), authentication information for using the app on the user's own device • Professional Information: Copy of licenses for travel support and other qualifications required to legally provide support services through this app • Usage Information: App usage history including access logs, feature usage, and interaction data |
Legitimate Interest: We have a legitimate interest in assessing certain users to ensure compliance with legal requirements, protect the integrity of our service, and maintain a safe and proper user environment. This assessment helps prevent misuse, mitigate potential legal risks, and uphold quality standards for all users. |
| Verification of user identity for eligibility to use our application, especially when providing support services to travelers | • Facial photographs, copies of identification documents | Explicit consent (Article 9(2)(a) GDPR); compliance with legal obligations (Article 6(1)(c) GDPR); legitimate interests (Article 6(1)(f) GDPR) |
| Investigation of inappropriate app usage by specific users |
• Identity Verification Information: Handle name
• Contact Information: Address, email address • Location Information: Geolocation data • User Authentication Status: Authentication status with payment processors (Stripe), authentication information for using the app on the user's own device • Communication Data: Messages exchanged between app users • Payment Information: Payment completion status via payment processors |
Legitimate Interest: The investigation of potential misuse by a specific user is to protect other users from illegal acts and to prevent the application from being used as a means for illegal activities. This processing is necessary to protect the legitimate interests of the community and to maintain the integrity of the service. |
| Responding to inquiries from app users |
• Identity Verification Information: Name, handle name
• Contact Information: Address, email address |
Legitimate Interest: We have a legitimate interest in responding to inquiries from users to provide effective customer support, improve our services, and maintain a good relationship with our users. This processing is necessary to address concerns, resolve issues, and ensure that users' rights are not infringed. |
|
Measuring the effectiveness of the CLOVER HOLDING official website
By using cookies in the Google Analytics service, we track and view visit history to the official website to measure user interest in our services and help improve the website. (For details on cookie processing, please see our [Cookie Policy]( Cookie Policy ).) [Further information on Google Analytics: [ https://support.google.com/analytics/answer/12329599?hl=en ] |
• Technical Data: Cookie | Consent |
HOW LONG DO WE KEEP YOUR DATA?
We only retain your information, as long as it is necessary to process your personal data for the aforementioned purposes, unless there are statutory or legal requirements to do so. Even after any relationship has ended, it may be necessary to retain your personal data for a specific period in accordance with EU and other applicable legislations in the context of our business activities.
1. Contract Performance-Based Retention
-
a. User Registration and Authentication Data Categories: Identity-related information, User authentication status, Professional information Retention Period: For the duration of the user's account, plus [6] months after account closure
-
b. App Functionality (Matching, Location Sharing, Messaging) Data Categories: Identity-related information, Location data, Technical data Retention Period: For the duration of the user's account, plus [6] months after account closure
-
c. Payment Verification Data Categories: Payment information Retention Period: [7] years after the last transaction, in compliance with financial regulations
2. Legitimate Interest-Based Retention
-
a. User Eligibility Assessment Data Categories: Identity-related information, Contact details, Location data, User authentication status, Professional information, Usage information Retention Period: [3] years after the last user activity
-
b. Investigation of App Usage Data Categories: Identity-related information, Contact details, Location data, User authentication status, Communication data, Payment information Retention Period: [5] years after the investigation is closed
-
c. User Inquiries Data Categories: Identity-related information, Contact details Retention Period: [2] years after the inquiry is resolved
3. Consent-Based Retention
- Website Effectiveness Measurement Data Categories: Technical data (Cookies) Retention Period: Up to [180] days, or until consent is withdrawn
HOW DO WE SHARE YOUR PERSONAL DATA?
1 We may share user identification information with our payment processor, Stripe, for two specific purposes:
- To verify that users have registered their credit card with Stripe for use in our app.
- To confirm that users have completed payments through Stripe for in-app charges.
Credit card numbers and other card details are processed directly by Stripe and are never stored on our servers.
Shared information may include name, date of birth, email address, address.
2 We may share certain technical information with Stream.io, our voice and video call service provider, to enable real-time communication features in our app:
- To establish and maintain voice and video calls between users
- To ensure optimal call quality and technical performance
- To troubleshoot technical issues and improve service quality
Shared information may include:
- Technical data such as IP addresses, device information, and network type
- Call-related metadata (call duration, timestamps, connection status)
- Temporary audio and video streams during calls
- User IDs for call routing purposes
Please note that:
- Voice and video content is processed in real-time and is not stored permanently
- All communications are encrypted during transmission
- Technical data is shared only to the extent necessary for providing the service
- No personal identification information beyond technical identifiers is shared with Stream.io
For more information about how Stream.io handles your data, please refer to their Privacy Policy at [ https://getstream.io/legal/privacy/ ]
3 Information Sharing with Third Parties
-
a) Amazon Web Services (AWS) We store and process all personal data collected through our app (as described in "WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?") on Amazon Web Services servers located in Japan.
-
b) Authentication Services We use Google Sign-In and Apple ID as authentication providers to enable secure login to our app. Shared information may include:
From Google: Email address Google account ID Profile name Profile picture (if available)
-
From Apple: Apple ID Email address (if you choose to share it) Name (if you choose to share it)
Please note that:
- We only receive the information necessary for authentication purposes
- Your passwords are never shared with us
-
The sharing of additional profile information is optional and controlled by your settings with these
providers For more information about how these services handle your data, please refer to:
- Google Privacy Policy [ https://policies.google.com/privacy]
- Apple Privacy Policy [ https://www.apple.com/legal/privacy/en-ww/]
4 Payment and Money Transfer Services
-
Wise We use Wise (formerly TransferWise) for processing payments to support providers' bank accounts. Shared information may include:
- Support provider's bank account details
- Payment amount and currency
- Transaction reference information
Please note that:
- We only share information necessary for payment processing
- All financial data is transmitted securely
- No additional personal information is shared beyond what is required for payment transfers
In case where we transfer your personal data outside the UK or the European Economic Area, we ensure the appropriate legal framework by the establishment of the Standard Contractual Clauses as defined by the European Commission decisions 2004/915/EC (“SCC Controller - Controller”) and 2010/87/EU (“SCC Controller - Processor”) pursuant to Article 46(2)(c) of the GDPR. You may obtain a non-confidential copy of the mentioned safeguards of transfers we carry out by contacting us at the contact details provided below. We transfer personal data to Japan. Japan has been recognized by the European Commission as providing an adequate level of data protection (Commission Implementing Decision (EU) 2019/419). Therefore, your personal data transferred to Japan is protected under standards equivalent to those in the EU.
In addition to Japan, your personal data may be transferred to and processed in:
- The United States (Google, Apple, Stripe, Stream.io)
- The United Kingdom (Wise, Stripe)
- countries within the EU (Wise)
These transfers are protected by appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework
- Adequacy decisions where applicable
- Additional technical and organizational measures as necessary
For specific information about data transfer mechanisms used with each service provider, please refer to their respective privacy policies:
It may be necessary for us to disclose your personal data to public authorities or courts in the context of investigations or legal proceedings, where we are obliged to do so by instructions of the public authorities or the courts. We may also disclose your personal data if we determine in good faith that the disclosure is reasonably necessary to protect our rights and pursue available remedies.
YOUR RIGHTS
You have the following rights regarding your personal data processed by us.
- Information regarding your data processing: You have the right to obtain from us all the requisite information regarding our data processing activities of your personal data.
- Access to personal data: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain related information.
- Rectification or erasure of personal data: You have the right to obtain from us the rectification of inaccurate personal data concerning you without undue delay, and to complete any incomplete personal data. You may also have the right to obtain from us the erasure of personal data concerning you without undue delay, when certain conditions apply.
- Restriction on processing of personal data: You have the right to obtain from us the restriction of processing of personal data, when certain conditions apply.
- Object to processing of personal data: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, when certain conditions apply. For instance, if you would not like to receive any marketing communication from us, please contact us at XXXX.
- Data portability of personal data: You have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without our hindrance, when certain conditions apply.
- Withdrawal of your consent: You can withdraw your consent at any time without affecting the lawfulness of processing based on your consent before withdrawal thereof. To withdraw your consent, please contact us at XXXX. Once we have received notification that you have withdrawn your consent, we no longer process your data for the purpose or purposes you originally agreed to.
If you intend to exercise such rights, please refer to the contact section below.
Account Deletion
Users can initiate account deletion from the settings screen within the Application. Data processing upon account deletion is as follows:
- Deletion Method: Accounts are logically deleted, and personally identifiable information (PII) is anonymized.
- Data Subject to Deletion: Identity verification information (including copies of identity documents and facial photographs), user profile information, contact information, location data, and login credentials are subject to account deletion processing.
- Retention Based on Legal Obligations: Payment information required by financial regulations (7 years from the last transaction), identity verification data required under anti-money laundering laws, and other data subject to legal retention obligations will be retained for the period prescribed by applicable laws before deletion.
- Data Not Immediately Deleted: Data related to ongoing dispute investigations will be retained until the investigation is completed.
If you are not satisfied with the way in which we have proceeded with any request, or if you have any complaint regarding the way in which we process your personal data, you may lodge a complaint with a Supervisory Authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of GDPR.
CHILDREN's DATA
Our services are not intended for individuals under the age of 18. We do not knowingly collect or process personal data from children under 18 without parental consent. If we become aware that personal data from a child under 18 has been collected without verifiable parental consent, we will take steps to delete such information.
UPDATES TO PRIVACY POLICY
We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy via our website.
CONTACT
For any questions or requests relating to this Privacy Policy, you can contact us at:
[CLOVER HOLDING co.,ltd.] 6F Daiwa Shibuya Square 16-28 Nanpeidai-cho Shibuya-ku, Tokyo 150-0036, Japan Email: privacy@clover-hd.jp
[Representative in EU] Email: privacy@clover-hd.jp