KORENANI Privacy Policy
Last Updated: December 16, 2024
Data Controller Information
- Data Controller: eight arms
- Address: Mitsuhashi Building 3F, 1-3-3 Kita-Aoyama, Minato-ku, Tokyo 107-0061, Japan
- Phone: +81-50-1726-9342 (Weekdays 10:00-17:00 JST)
- Email: [email protected]
1. Introduction
eight arms ("we," "us," or "our") respects the privacy of users of KORENANI ("Service") ("you" or "User") and recognizes the importance of properly protecting personal information.
This Privacy Policy explains the types of information we collect from users, how we use it, and how we protect it. Please read this carefully before using the Service.
2. Information We Collect
2.1 Information You Provide Directly
Account Information
- Parent/guardian email address
- Password (stored encrypted)
- Display name
- Billing information (processed through App Store, not directly held by us)
Child Profile Information
- Child's nickname (real name not required)
- Age or birth month/year (we do not collect the exact birth date)
- Avatar image (optional)
- UI mode setting (Simple/Standard/Advanced)
Learning Data
- Uploaded images
- Image recognition results (GENERAL, INSECT, PLANT modes)
- Manual annotations (user-added names and notes)
- Multilingual album information (album names in up to 9 languages)
- Learning history (dates, frequency, etc.)
- Achievement & gamification data (experience points, levels, daily streaks, unlocked achievements)
- Public data usage history (records of browsed and copied public items and albums)
2.2 Information Collected Automatically
Device Information
- Device identifier (e.g., IDFV; we do not collect IDFA)
- Device type and model
- OS version
- App version
- Language settings
- Time zone
Usage Data
- App usage frequency and duration
- Feature usage (GENERAL/INSECT/PLANT Recognition, manual annotations, 9-language audio playback, etc.)
- Achievement unlock patterns and learning streak continuity
- Album creation and organization activities, public data usage
- Performance data
Location Information
- The Service does not collect location information
2.3 Information from Third-Party Services
- Authentication information from social login (when implemented)
- Payment information (via App Store)
3. How We Use Information and Legal Basis
3.1 Purpose of Use
We use collected information for the following purposes:
Service Provision and Improvement
- Account creation and management (up to 4 child profiles)
- Providing image recognition and 9-language voice playback features
- Saving and syncing learning data (all plans)
- Providing multilingual album features
- Providing achievement & gamification features (experience points, levels, streak management)
- Providing public data features (browsing and copying other users' content)
- Providing detailed explanations for recognized objects (Premium plan)
- Service improvement and new feature development
Communication
- Important service announcements
- Technical issue notifications
- Customer support
- New feature and update notifications (opt-in)
Analysis and Research
- UI/UX improvement through usage analysis (e.g., identifying frequently used features)
- Image recognition model accuracy improvement (using anonymized data)
- Statistical analysis using aggregated data (e.g., usage trends by age group)
Legal Compliance
- Compliance with laws and regulations
- Enforcement of Terms of Service
- Protection of legal rights
3.2 Legal Basis (for EU Residents)
We process personal information based on the following legal grounds under GDPR Article 6:
- Contract Performance (Art. 6(1)(b)): Account information, child profiles (based on contract with parent/guardian)
- Parental Consent (Art. 6(1)(a)): Image data, learning data (consent may be withdrawn at any time)
- Legitimate Interests (Art. 6(1)(f)): Security measures, fraud prevention
- Legal Obligation (Art. 6(1)(c)): Record retention required by law
4. Information Sharing and Disclosure
4.1 Third-Party Sharing
We do not share personal information with third parties except in the following cases:
- With user consent
- Legal requirements
- Service providers necessary for operations (see below)
- Business transfers
4.2 Service Providers
We use the following third-party services:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | Japan (Tokyo region) |
| RevenueCat | Payment management | United States |
| Google Gemini 2.0 Flash API | General object recognition (GENERAL mode) | United States |
| Kindwise API | Plant recognition (PLANT mode) | Europe (Slovakia) |
| Kindwise Insect Recognition API | Insect recognition (INSECT mode) | Europe (Slovakia) |
These service providers access information only as necessary for Service operations and handle information according to their own privacy policies.
4.3 Image Recognition API Transmission
When using image recognition features, uploaded images are transmitted to the above APIs for recognition processing. These API providers use images solely for recognition processing and delete them promptly after processing.
By using the Service and its image recognition features, you consent to image transmission to the above third-party APIs.
4.3 Anonymized Data
Data processed to prevent individual identification may be used or disclosed for research and statistical purposes.
5. Machine Learning and AI Development Use
5.1 Purpose of Use
We may use images uploaded by users for machine learning and AI development for the following purposes:
- Improving image recognition model accuracy
- Developing new recognition categories
- Improving service quality
5.2 Anonymization
When using images for machine learning, we take the following measures:
- Removal or anonymization of personally identifiable information (faces, names, addresses, etc.)
- Removal of image metadata (location information, timestamps, etc.)
- Disassociation from user accounts
5.3 Opt-Out
Users may opt out of image use for machine learning in app settings. Basic Service features remain available after opting out.
6. Data Storage and Deletion
6.1 Data Storage Location
- Primary data: Japan data centers (via Supabase)
- Cache data: User's device
6.2 Data Retention Period
- Account information: 30 days after account deletion
- Learning data: 1 year from last use
- Image data:
- Free plan: Device only (no cloud storage)
- Standard/Premium plan: 30 days after plan cancellation
- Analytics data: 2 years from collection
6.3 Data Deletion
- Users can delete their data anytime from in-app settings
- All related personal data is deleted upon account deletion
- Deletion requests are processed within 30 days, except where legally required
7. Data Security
7.1 Security Measures
We implement the following security measures:
- Data encryption (in transit: TLS 1.3, at rest: AES-256)
- Access control (authentication and authorization)
- Regular security audits
- Vulnerability testing
- Employee security training
7.2 Data Breach Response
In the event of a data breach:
- Notification to affected users within 72 hours via email and in-app notifications
- Notification contents: nature of the breach, types of data disclosed, our response measures, actions users should take
- Report to appropriate supervisory authorities (Personal Information Protection Commission, etc.)
- Investigation and implementation of preventive measures
8. Children's Privacy
8.1 Child Privacy Protection
- The Service is intended for children under 13
- We collect children's personal information only with parental consent
- We do not directly collect personal information from children
- This App is classified in the Kids Category and does not use any third-party analytics SDKs, advertising SDKs, or tracking tools
8.2 Parental Rights
Parents have the following rights:
- Access to child's personal information (viewable in app settings)
- Request correction or deletion of information
- Request to stop information collection
- Manage child profiles
- Withdraw consent (contact [email protected])
8.3 Children's Face Photos
This App is intended for object recognition and does not intentionally collect children's face photos, but they may appear in captured images.
- Images containing face photos are not used for purposes other than object recognition
- When using images for machine learning, faces are automatically detected and blurred
- Parents can delete images at any time (immediately removed from servers)
We recommend taking photos that do not include children's faces.
8.4 COPPA Compliance (US Launch)
When providing services in the US, we comply with the Children's Online Privacy Protection Act (COPPA).
9. User Rights
9.1 Access Rights
- Access to your personal information
- Obtain copies of your data
9.2 Correction Rights
- Request correction of inaccurate information
9.3 Deletion Rights
- Request deletion of personal information (right to be forgotten)
9.4 Data Portability
- Obtain data in machine-readable format
9.5 Processing Restrictions and Objections
- Object to specific processing
- Request temporary suspension of processing
9.6 How to Exercise Rights
To exercise the above rights, please contact [email protected]. After identity verification, we will respond within 30 days.
10. Cookies and Tracking
10.1 Cookie Usage
- The app does not use cookies
- Web version (future implementation) will use minimal necessary cookies
10.2 Analytics Tools (Kids Category Compliance)
- This App is classified in the Kids Category and complies with the following:
- We do not use any third-party analytics SDKs, advertising SDKs, or tracking tools
- We do not display behavioral targeted advertising
- We do not collect IDFA (Advertising Identifier)
- We do not share or sell information related to child profiles with third parties
11. International Data Transfers
11.1 Transfer Destinations
- Supabase: Japan (Tokyo region)
- RevenueCat: United States
- Google Gemini API: United States
- Kindwise API: Europe (Slovakia)
11.2 Safeguards for Transfers from the EU
When transferring EU residents' data outside the EU, we implement the following safeguards:
- European Commission-approved Standard Contractual Clauses (SCC) 2021 version
- Transfer Impact Assessment (TIA) for risk evaluation of destination countries
- Additional technical measures (encryption, anonymization)
12. Privacy Policy Changes
12.1 Change Notifications
- Significant changes will be notified 30 days in advance
- Notification methods: In-app notifications, email
12.2 Consent Through Continued Use
- Continued use after changes constitutes acceptance of the revised policy
13. Additional Provisions
13.1 California Resident Rights (CCPA)
California residents have additional rights under the CCPA. We do not sell personal information and have no plans to do so.
13.2 EU Resident Rights (GDPR)
EU residents have additional rights under the GDPR, including the right to file complaints with supervisory authorities.
13.3 Automated Decision-Making and Profiling
We perform the following automated processing but do not make fully automated decisions that produce legal effects or significantly affect children:
- Image recognition: AI-based object identification (results are for reference only)
- Achievement unlocking: Automatic determination based on learning patterns
14. Contact Information
For privacy-related questions or requests, please contact:
- Email: [email protected]
- Phone: +81-50-1726-9342 (Weekdays 10:00-17:00 JST)
- Address: Mitsuhashi Building 3F, 1-3-3 Kita-Aoyama, Minato-ku, Tokyo 107-0061, Japan
This Privacy Policy shall take effect on December 16, 2024.