隱私政策

Effective Date: April 22, 2022
 Last Updated: September 30, 2025

 

1. Introduction

Toko Co., Ltd. (“we”, “our”, or “us”) recognizes the importance of protecting personal information and considers the proper use and protection of such data a social responsibility. We hereby establish this Privacy Policy (“Policy”) for our website and commit to complying with it.

2. Business Information

3. Scope of Application

This Policy applies to the collection of personal information via online services (e-commerce websites, etc.) offered to residents of the following six countries:

  • Japan
  • United Kingdom
  • Germany
  • Denmark
  • France
  • Taiwan

4. Categories and Sources of Personal Information

Personal information refers to data that can identify an individual. The following are examples and not exhaustive:

  • Contact details (name, address, phone number, email address)
  • Purchase history, cart contents, wishlist items
  • Login data, IP address, browser information, cookies
  • Inquiry contents
  • Additional information collected with consent (e.g., newsletter subscription for Japan residents only)

Personal information is generally obtained directly from the user.


5. Purposes of Collection and Use

We collect and use personal information solely for the following purposes:

  • Order fulfillment and payment processing
  • Customer support and after-sales service
  • Product or service updates (with prior consent)
  • Site improvement and marketing analytics
  • Compliance with legal obligations

The information is voluntarily provided by users, and use implies consent to this Policy.

6. Legal Basis (GDPR Article 6)

We process personal data based on one or more of the following legal grounds:

  • The data subject’s consent
  • Performance of a contract or pre-contractual procedures
  • Compliance with legal obligations
  • Legitimate interests (e.g., fraud prevention, service optimization)
  • Protection of vital interests of the data subject or others

7. Data Management

We appoint a data protection manager and implement security measures to prevent leakage, loss, or damage of personal information under our direct management. We also ensure accuracy and up-to-date maintenance of data.

8. Supervision of Contractors

When outsourcing part of our operations, we select partners who meet our required privacy standards and sign appropriate data processing agreements. We supervise and manage them to ensure proper handling of data.

9. Relationship with Shopify

Our websites are hosted by Shopify Inc., which processes personal data for:

  • Provision and improvement of products/services
  • Enhanced user experience and website analytics

Shopify may process data outside the user’s country and act as a data controller in some features (e.g., analytics). For details, see the Shopify Consumer Privacy Policy.

10. Cross-Border Data Transfers (GDPR Article 44+)

While we manage data in Japan, cross-border transfers may occur in the following scenarios:

  • Use of Shopify Inc. (Canada, an adequacy country)
  • Use of services like Google LLC (U.S.) under SCCs or other safeguards

11. Third-Party Data Sharing

We will not disclose personal information to third parties except in the following cases:

  • To service providers (e.g., delivery, payment processors) under confidentiality contracts
  • When required by law or legal authorities

12. Retention and Deletion

  • We retain data for as long as necessary for operations or as required by law.
  • Customer data related to purchases will be deleted after 180 days.
  • Requests for access, correction, deletion, or suspension will be honored upon identity verification, unless restricted by law.
  • Service limitations may result if data is partially or fully deleted.

13. User Rights (GDPR, Taiwan, and Japan)

Users may exercise the following rights (where applicable):

  • Right to access
  • Rectification or deletion
  • Restriction or objection to processing
  • Right to data portability (GDPR)
  • Withdrawal of consent at any time
  • Right to lodge a complaint with supervisory authorities

We verify identity before responding to such requests.

14. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance user experience and track site usage.

  • Cookies for marketing are used only after obtaining consent.
  • Users may manage cookie settings via browser or on-site banners.
  • Third-party cookies may be used for behavioral data collection and ad delivery.
  • For details or to disable such cookies, please review the privacy policies of relevant third parties.

15. Google Analytics

We use Google Analytics to understand website usage. Google may collect, store, and analyze visit data, but no personally identifiable information is included.

To opt out, visit:

16. Security

We use SSL encryption to secure data during transmission. However, no security is perfect. Users should avoid transmitting sensitive information via insecure means.

17. Supervisory Authorities

Users may file complaints with their country’s data protection authority:

  • Japan: Personal Information Protection Commission
  • United Kingdom: Information Commissioner’s Office (ICO)
  • Germany: Regional Data Protection Supervisory Authorities
  • France: CNIL
  • Denmark: Datatilsynet
  • Taiwan: National Development Council or competent authority

18. Updates to This Policy

We may revise this Policy due to operational, legal, or regulatory changes. Updated versions will be posted on our websites with a revised “Last Updated” date.

Special Notes by Country

Japan

  • Records of third-party transfers must be maintained under the amended APPI.
  • Documentation of consent-based data sharing is required.

Taiwan

  • Written contracts are required for data processing under the Personal Data Protection Act.
  • Only minimum necessary data may be collected.

EU/EEA (including the UK)

  • Complies with GDPR Articles 13 and 14 on transparency.

No Data Protection Officer (DPO) appointed at this time; subject to future need.