ambr, Inc sets its Privacy Policy as below and establishes its scheme to protect personal information regarding the services ambr, Inc provides.
1 Definition of personal information
"Personal information" in this privacy policy refers to information that could be used to identify individual users such as user's name, address, telephone number and email address, and information that is particular to individual users (including but not limited to location information of the user's device and information on user preferences).
2 Management of personal information
In order to keep personal information of our users precise and updated, and prevent unauthorized access, loss, manipulation or leak of personal information, ambr, Inc will implement necessary measures including maintaining its security system, organizing its information managing system, and thoroughly educating its employees, and implement safety measures and stringently manage personal information.
3 Use of personal information
ambr, Inc may use personal information that it gathered from users for purposes accepted by users, and for purposes stipulated in the items below. ambr, Inc will not use personal information for other purposes.
- To respond to requests from users regarding disclosure, modification, elimination of personal information
- To compile statistical information regarding trends of use, etc.
- To use for purposes upon which users individually agree after ambr, Inc separately contacts them
- To accept registration, verify personal identification, process authorization, provide services such as calculating payment amounts, and to maintain, preserve, and improve services
- To inform users regarding its service, and to respond to inquiries, etc.
- To notify users of modifications in terms and conditions, etc.
4 Prohibition of disclosing or providing personal information to third parties
ambr, Inc will appropriately manage personal information collected from its users, and will not provide personal information to third parties except in cases stipulated below.
1. Upon prior consent of the user.
2. When ambr, Inc consigns its operations to business operators in order to provide services desired by the user, and ambr, Inc consigns personal information in whole or in part to those business operators
3. When it is necessary based on laws or regulations
4. When it is necessary to protect the lives, bodies and properties of people, and when it is difficult to gain consent from the user
5. When it is especially necessary to improve public health or promote healthy development of children, and when it is difficult to gain consent from the user
6. When it is necessary to cooperate with the execution of legally stipulated duties by national institutions, local public organizations or their subcontractors, and when gaining the consent of the user may interrupt the execution of those duties
7. When personal information is processed as statistical data in a form that does not allow identifying individual users
5 Security measures for personal information
In order to handle personal information safely, ambr, Inc will implement appropriate measures including organizing its management system, educating its employees, and preventing unauthorized access, loss, destruction, manipulation and leak of personal information.
6 Referral from users
When the user requests referral, modification, or elimination etc. of their personal information, ambr, Inc will verify the user's identity and respond to a reasonable extent. ambr, Inc asks users to notify ambr, Inc through the contacts stipulated in "Contacts" when users desire such referral, modification, or elimination etc.
7 Adherence to laws, regulations and norms
In order to handle personal information safely, ambr, Inc will implement appropriate measures including organizing its management system, educating its employees, and preventing unauthorized access, loss, destruction, manipulation or leak of personal information.
8 Contacts
For inquiries regarding the handling of personal information, please contact us on the email below:
ambr, Inc
CEO Takuya Nishimura
Aperto Higashi Nakano Building, 10th floor
4-6-2 Higashi Nakano, Nakano-ku, Tokyo 164-0003
Telephone (general) +81-3-4546-8370
E-mail address (general): info@ambr.co.jp
Privacy Notice for EEA, EEACC and UK Users
1. Our Privacy Statement
The protection of your personal data is of great importance to ambr, Inc (“Company” or “we”). This privacy notice (the “Privacy Notice”) therefore intends to inform you about how we, acting as data controller, collect and process your personal data that you submit or disclose to us. We also act as data controller when we process your personal data received or obtained through third parties. We process this personal data in accordance with the applicable EU and Member State regulations on data protection, in particular the General Data Protection Regulation No 2016/679 (the “GDPR”), the applicable EEACC data protection laws, the United Kingdom Data Protection Act 2018 (the “UK DPA 2018”) and the United Kingdom General Data Protection Regulation (the “UK GDPR”).
This Privacy Notice provides in particular the information required by applicable privacy and data protection laws to our customers who are in the European Economic Area (EEA), in the EEA Cooperating Countries (Montenegro, Serbia, Republic of North Macedonia, Albania, Bosnia Herzegovina, Kosovo - “EEACC”) and the United Kingdom (UK).
We encourage you to read this Privacy Notice carefully, and if you do not wish your personal data to be used by us as set out in this Privacy Notice, please do not provide us with your personal data. Please note that in such a case, we may not be able to provide you with our services, you may not have access to and/or be able to use some features of applications we provide (the “Applications”) or our Website (the “Website”), and your customer experience may become insufficient.
2. How Do We Use Your Personal Data & Processing Purposes?
We will always process your personal data based on one of the legal bases provided for in the applicable privacy and data protection laws and regulations. In addition, we will always process your sensitive personal data, for example, concerning your trade union membership, religious views, or health condition, in accordance with the special rules provided for in the GDPR (Articles 9 and 10), the applicable EEACC data protection laws and the UK DPA 2018 and UK GDPR.
We may collect and process your personal data for the purposes detailed below.
- Performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract, and in compliance with legal obligations:
  - To provide, improve and develop our products and services
  - When you contact us regarding the use of our applications (via contact form or e-mail), your details will be processed for the purpose of handling the respective enquiry and its processing by us
  - To manage your customer account
  - To notify you about changes to our service(s)
  - To inform you about our policies and terms
  - When you contact us as a future partner, we process your data to check whether a cooperation agreement can be concluded with you
  - To comply with legal and regulatory requirements and any resulting control and reporting obligations
- Legitimate interests: We process your data to protect legitimate interests of us or of third parties, insofar as this is necessary. In particular, we pursue the following legitimate interests:
  - When generally contacting us (via contact form or e-mail), your details will be processed for the purpose of handling the respective enquiry and its processing by us.
  - Operation of our website and to ensure that content from our site is presented in the most effective manner for you
  - Improving the quality of our products and services, for customer management, testing and optimizing procedures for needs analysis and direct customer contact, as well as measures for customer retention and service enhancement
  - To offer you products and services or conducting customer satisfaction and opinion surveys, provided you have not objected to the use of your data for this purpose
  - Ensuring IT security, in particular the security of the website and to promote safety and security, such as by monitoring fraud and investigating suspicious or potentially illegal activity or violations of our terms or policies
  - Assertion of legal claims and defence in legal disputes
  - To ensure business continuity
- Subject to obtaining your express prior consent, we may also collect and process your personal data for the following purposes:
  - To provide you with information which we feel may be of interest to you;
  - To allow you to participate in interactive features of our services, when you choose to do so;
  - To manage your subscription to the newsletter;
  - To share your personal information with third-party partners who may send you marketing communications in relation to their products and services;
  - For making business analysis / data analysis, research and audits.
Please be aware that you are entitled to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before withdrawal thereof.
We will process your data for these specified, explicit and legitimate purposes, and will not further process the data in a way that is incompatible with these purposes. If we intend to process personal data originally collected for one purpose in order to attain other objectives or purposes, we will ensure that you are informed of this. We will keep your personal data for as long as it is necessary for us to comply with our legal obligations, to ensure that we provide an adequate service, and to support our business activities.
3. What Types of Personal Data Do We Use and Origin of the Data?
For the purposes specified under this Privacy Notice, we may collect the following categories of personal data:
- Name, Surname
- Username
- Title
- Home Address
- Identification number (e.g., customer number)
- Location data (country of access to the application)
- Gender/Sex
- Age
- Email address (personal / professional)
- Telephone number (personal / professional)
- Employer
- Operating system, Browser version, Selected language, Online identifiers (IP address / cookie identifiers, ID of the account related to the devices automatically collected from users), user actions in the application (including the date and time of account creation and time spent in our services)
- Social Media account (e.g. Twitter) information from users who want to link their Twitter account to the application
- Log trails in our services
- Credit card / bank account information, for items purchased via third party stores: Item ID purchased, Day and time of purchase, account information of users
We can obtain such personal data either directly from you when you decide to communicate such data to us (i.e., when you fill in forms displayed on the Applications or the Website) or indirectly where such personal data is provided to us by your electronic communication terminal equipment, your Internet browser or third parties. We ensure that the personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. How Do We Share Your Personal Data?
We may share your personal data with third parties in accordance with the applicable data protection law and regulations. Where we share your data, we will put the appropriate legal framework in place in order to cover such transfer and processing (controller-processor agreements, controller-controller agreements, joint controller agreements). Furthermore, where we share your data with any entity outside the EEA, EEACC or UK, we will put appropriate legal frameworks in place in order to cover such transfers (Articles 44 ff. GDPR), notably controller-to-controller and controller-to-processor Standard Contractual Clauses approved by the European Commission or, for UK-related transfers, the International Data Transfer Agreement (IDTA) or the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum).
- Service Providers
  We may share your personal data with companies which provide services on our behalf, such as hosting, maintenance, support services, email services, marketing, auditing, fulfilling your orders, processing payments, data analytics, providing customer service, and conducting customer research and satisfaction surveys. For such data transfers, we conclude data processing agreements in accordance with Art. 28 GDPR / Art. 28 UK GDPR / applicable EEACC data protection law.
- Strategic Partners
  Subject to your prior consent, your personal data may be transferred to, stored, and further processed by strategic partners that work with us to provide our products and services or help us market to customers. Your personal data will only be shared by us with the partners in order to provide or improve our products, services and advertising.
- Corporate Affiliates and Corporate Business Transactions
  We may share your personal data with all of the Company's affiliates based on our legitimate interests. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
- Legal Compliance and Security
  It may be necessary for us - by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence - to disclose your personal data. We may also disclose your personal data if we determine that, due to purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary.
  We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.
- Data Transfers
  Such disclosures may involve transferring your personal data out of the European Union to the following countries: Japan and United States of America. These countries may change due to changes in the business environment.
  Such transfers may take place for purposes such as personnel evaluation of employees, processing of salaries and reimbursement expenses, and contracts with business partners. For each of these transfers, we make sure that we provide an adequate level of protection to the data transferred.
  For Japan, there is an adequacy decision by the EU Commission and the UK government. For countries without an adequacy decision according to Article 45 GDPR / Art. 45 UK GDPR, as is the case with the USA, we generally enter into standard contractual clauses with the recipients of your data or obtain your consent for the data transfer. In addition, we implement additional measures to ensure the adequacy of data transfers such as encryption.
5. Security Measures & Data retention
We process your personal data in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
We use appropriate technical or organisational measures to achieve this level of protection.
To the extent that we process your personal data, we will store your data only for as long as the above explained purposes require or until you object to the use of your personal data (to the extent that we have a legitimate interest in using your personal data) or until you withdraw your consent (to the extent that you have consented to our use of your personal data). However, if a longer storage of your personal data by us is mandatory by law, we will process your personal data until the expiry of the relevant retention period.
For security reasons (for example, to clarify acts of abuse or fraud), log file information is stored for a maximum of 4 weeks and then deleted (see above "How Do We Use Your Personal Data?"). Data whose further storage is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.
Data collected for the purposes set out will only be retained for as long as is necessary, in particular we process and store your personal data for the duration of our contractual relationship.
In addition, we are subject to various recording and storage obligations, which result from regulatory regulations. Based on these legal requirements, we are obliged to carry out further temporary storage. In accordance with the retention periods provided for in these regulations, we store your data beyond the end of the contractual relationship.
In addition, the preservation of evidence within the scope of the statutory limitation provisions may necessitate further storage. Further storage for a limited period is based on safeguarding our legitimate interests to assert, exercise or defend legal claims.
In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations.
6. Your Rights
You have the following rights regarding personal data collected and processed by us.
- Information regarding your data processing: You have the right to obtain from us all the requisite information regarding our data processing activities that concern you.
- Access to personal data: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain related information.
- Rectification or erasure of personal data: You have the right to obtain from us the rectification of inaccurate personal data concerning you without undue delay, and to complete any incomplete personal data. You may also have the right to obtain from us the erasure of personal data concerning you without undue delay, when certain legal conditions apply.
- Restriction on processing of personal data: You may have the right to obtain from us the restriction of processing of personal data, when certain legal conditions apply.
- Data portability of personal data: You may have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without our hindrance, when certain conditions apply.
- Not to be subject to automated decision-making: You may have the right not to be subject to automated decision-making (including profiling) based on the processing of your personal data, insofar as this produces legal or similar effects on you, when certain conditions apply.
  - Please note: In the context of accessing our website or in the context of using our applications, we do not use any fully automated decision-making pursuant. Should we use these procedures in individual cases, we will inform you about this separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).
- Object to processing of personal data: You may have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, when certain legal conditions apply.
If you intend to exercise such rights, please refer to the contact section.
If you are not satisfied with the way in which we have proceeded with any request, or if you have any complaint regarding the way in which we process your personal data, you may lodge a complaint with a Data Protection Supervisory Authority.
7. Children
We do not knowingly collect and process information on children under sixteen (16) without permission and consent of their parent(s). If we discover that we have collected and processed the personal data of a child under sixteen (16) directly, or the equivalent minimum age depending on the concerned jurisdiction, we will take steps to delete the information as soon as possible. If you become aware that a child under sixteen (16) has provided us with personal data directly, please contact us immediately by using the contact address specified under this Privacy Notice.
8. Links to Other Sites
We may propose hypertext links from the website on which this policy is stated to third-party websites or internet sources. We do not control and cannot be held liable for third parties' privacy practices and content. Please read carefully their privacy policies to find out how they collect and process your personal data.
9. Updates to Privacy Notice
We may revise or update this Privacy Notice from time to time. Any changes to this Privacy Notice will become effective upon posting of the revised Privacy Notice. If we make changes which we believe are significant, we will inform you through the Website to the extent possible.
For any questions or requests relating to this Privacy Notice, please use the inquiry form below.
10. Who is responsible for data processing and whom can I contact?
The entity responsible for the processing of personal data is:
ambr, Inc.
CEO Takuya Nishimura
Aperto Higashi Nakano Building, 10th floor
4-6-2 Higashi Nakano, Nakano-ku, Tokyo 164-0003
Telephone (general) +81-3-4546-8370
E-mail address (general): info@ambr.co.jp
Our representative in the EU pursuant to Art. 27 GDPR is mip Consult GmbH, Wilhelm-Kabus-Str. 9, 10829 Berlin, Germany.
You can contact our data protection officer at:
Asmus Eggert, Attorney-at-law
mip Consult GmbH
Wilhelm-Kabus-Str. 9
10829 Berlin, Germany
Tel. +49-30-20889990
privacy@ambr.co.jp
www.sofortdatenschutz.de