PRIVACY POLICY | ZERO UP TRADING

ZERO UP TRADING (hereinafter referred to as "the Company") considers the protection of customer personal information and privacy as a matter of utmost importance. We comply with the EU General Data Protection Regulation (GDPR), Japan's Act on the Protection of Personal Information, and other applicable data protection laws in Japan and abroad, and hereby establish the following Privacy Policy (hereinafter referred to as "this Policy").

Last Updated: December 15, 2025
Established: January 1, 2022

1. Data Controller Information

Business Operator Name: ZERO UP TRADING
Address: 193 Otsuka, Hachioji-shi, Tokyo 192-0352, Japan
Personal Information Protection Manager: Yamauchi
Contact: info-zjp@zeroup-japan.com

2. Scope of Application

This Policy applies to personal information obtained and processed in all services, websites, and business activities provided by the Company.

3. Definition of Personal Information

In this Policy, "Personal Information" refers to information relating to a living individual that can identify a specific individual by name, date of birth, address, telephone number, email address, or other descriptions, as well as online identifiers (IP addresses, Cookie identifiers, etc.).

4. Types of Personal Information Collected

The Company may collect the following types of personal information:

4.1 Information provided directly by customers

  • Name, Company Name, Department Name, Job Title
  • Address (including billing and shipping addresses)
  • Telephone number, FAX number
  • Email address
  • Bank account information required for transactions
  • Information required for customs clearance and quarantine
  • Other information necessary for business execution

4.2 Information collected automatically

  • IP address
  • Browser type and version
  • Operating system
  • Access date and time
  • Pages viewed
  • Referrer information
  • Cookie information
  • Device identifiers

4.3 Information obtained from third parties

  • Credit information from credit bureaus (if necessary)
  • Delivery status information from logistics providers

5. Methods of Collecting Personal Information

The Company collects personal information through the following methods:

  • Website inquiry forms
  • Inquiries via email or telephone
  • Documents such as contracts and purchase orders
  • Exchange of business cards
  • Automatic collection through technologies such as Cookies
  • Registration at seminars, exhibitions, etc.

6. Purposes of Use of Personal Information

The Company uses collected personal information only for the following purposes:

6.1 Business Execution

  1. Execution of import/export agency services
  2. Customs clearance procedures, quarantine procedures
  3. Product shipment and delivery arrangements
  4. Creation and sending of various documents
  5. Payment processing and issuance of invoices

6.2 Customer Support

  1. Responding to inquiries
  2. Creation and sending of quotations
  3. Confirmation and handling of contract changes
  4. Provision of after-sales service
  5. Handling complaints and troubles

6.3 Service Improvement & Marketing

  1. Improvement of service quality
  2. Improvement of website usability
  3. Creation of statistical data through access analysis
  4. Information on new services and campaigns (only with customer consent)
  5. Implementation of satisfaction surveys

6.4 Legal Compliance & Safety Management

  1. Compliance with related laws such as the Export Trade Control Order
  2. Tax and accounting processing
  3. Prevention and detection of fraudulent activities
  4. Response to legal disputes
  5. Fulfillment of reporting obligations to supervisory authorities

7. Legal Basis for Processing Personal Information (GDPR Art. 6)

The Company processes personal information based on one of the following legal bases:

7.1 Performance of Contract (Art. 6(1)(b))

Processing necessary to fulfill contracts with customers, such as import/export agency services and product shipment.

7.2 Consent (Art. 6(1)(a))

  • Submission of inquiry forms
  • Distribution of newsletters
  • Use for marketing purposes
  • Processing of voluntarily provided information

7.3 Compliance with Legal Obligations (Art. 6(1)(c))

  • Fulfillment of legal obligations under tax laws, customs laws, trade-related regulations, etc.
  • Reporting obligations to government agencies
  • Obligation to preserve accounting books

7.4 Legitimate Interests (Art. 6(1)(f))

  • Analysis for service improvement
  • Maintenance of website security
  • Prevention of fraud
  • Internal management and auditing

The Company will not perform processing based on legitimate interests if the fundamental rights and freedoms of the customer override the legitimate interests of the Company.

8. Provision of Personal Information to Third Parties

8.1 Provision to Domestic Third Parties

The Company will not provide personal information to third parties without customer consent, except in the following cases:

[Cases where provision is necessary]

  1. Logistics/Delivery Companies
    Information provided: Name, address, phone number, product information
    Purpose: Delivery of products, notification of delivery status
  2. Customs Brokers/Airlines
    Information provided: Name, address, product information, invoice information
    Purpose: Customs procedures, arrangement of international transport
  3. Payment Processors/Financial Institutions
    Information provided: Name, transaction amount, payment-related information
    Purpose: Settlement of payments, credit management
  4. Subcontractors
    Information provided: Minimum information necessary for business execution
    Purpose: Subcontracted work such as system maintenance and data entry
  5. Based on Laws and Regulations
    Lawful requests from public institutions such as police, prosecutors, courts, tax offices, customs, etc.
    Disclosure based on legal obligations

8.2 International Transfer (Transfer outside the EU)

The Company is based in Japan, and personal data of customers in the EU will be transferred to Japan.

[Adequacy Decision]
Japan has received an adequacy decision from the European Commission as a country having "an adequate level of data protection". Therefore, the transfer of personal data from the EU to Japan is conducted lawfully based on Article 45 of the GDPR.

[Transfer to Third Countries]
Depending on the destination country or the necessity of customs procedures, customer data may be transferred to business operators in third countries (countries other than Japan and EU member states). In such cases, the Company will implement one of the following appropriate safeguards:

  • Conclusion of Standard Contractual Clauses (SCC) adopted by the European Commission
  • Compliance with certified codes of conduct
  • Application of approved Binding Corporate Rules (BCR)
  • Explicit consent of the customer

9. Retention Period of Personal Information

The Company retains personal information according to the following criteria:

Type of Data | Retention Period | Basis
Contract-related documents | 7 years after contract end | Commercial Code, Tax Law
Accounting books | 10 years | Companies Act
Import/Export documents | 5 years | Customs Act
Inquiry records | 3 years after completion | Legitimate interest
Access logs | Max 12 months | Security purposes
Marketing consent | Until consent is withdrawn | Consent

After the retention period has elapsed, the Company will erase or anonymize personal information in a secure manner.

10. Your Rights (GDPR Art. 12-22)

All customers using the Company's services, including those in the EU, have the following rights:

10.1 Right of Access (Art. 15)

The right to access your own personal information and obtain a copy of the personal data held by the Company.

10.2 Right to Rectification (Art. 16)

The right to request correction of inaccurate or incomplete personal information.

10.3 Right to Erasure ("Right to be Forgotten") (Art. 17)

The right to request erasure of personal information in the following cases:

  • When it is no longer necessary for the purpose of use
  • When consent is withdrawn
  • When an objection to processing is made
  • When processed unlawfully
  • When erasure is required to comply with a legal obligation

However, erasure may not be possible in the following cases:

  • When necessary for compliance with legal obligations
  • When necessary for the establishment, exercise, or defense of legal claims

10.4 Right to Restriction of Processing (Art. 18)

The right to request restriction of processing in the following cases:

  • During the period when the accuracy of personal data is contested
  • When processing is unlawful but erasure is not desired
  • When the Company no longer needs the personal data, but the customer requires it for legal claims

10.5 Right to Data Portability (Art. 20)

The right to receive personal data in a structured, commonly used, and machine-readable format and to transfer it to another controller (when based on automated processing).

10.6 Right to Object (Art. 21)

The right to object, on grounds relating to the customer's particular situation, to processing based on legitimate interests or public interests.

10.7 Rights regarding Automated Individual Decision-making and Profiling (Art. 22)

The Company currently does not conduct automated decision-making (including profiling), but if implemented in the future, we will inform you in advance and provide an opportunity to obtain consent or object.

10.8 Withdrawal of Consent

When processing personal information based on consent, customers can withdraw consent at any time. However, this does not affect the lawfulness of processing before withdrawal.

10.9 Method of Exercising Rights

If you wish to exercise the above rights, please contact the inquiry desk listed at the end of this Policy. The Company will generally respond within one month of receiving the request.

11. Cookies and Tracking Technologies

11.1 Purpose of Cookie Use

The Company website uses Cookies and similar technologies for the following purposes:

[Essential Cookies]

  • Provision of basic website functions
  • Ensuring security
  • Session management

[Analytical Cookies]

  • Google Analytics: Collection of statistical information such as visitor numbers, page views, time spent, etc.
  • Heatmap tools: Analysis of user behavior

[Functional Cookies]

  • Remembering language settings
  • Saving user settings

[Marketing Cookies (Requires Customer Consent)]

  • Retargeting advertising
  • Social media integration

11.2 About Google Analytics

This site uses Google Analytics provided by Google Inc. Google Analytics uses Cookies to collect traffic data, but this does not contain information that identifies individuals.

Collected data is managed based on Google's privacy policy. Please see below for details.
https://policies.google.com/privacy

If you wish to disable Google Analytics, please use the opt-out add-on provided by Google.
https://tools.google.com/dlpage/gaoptout

11.3 Management of Cookies

Customers can disable or delete Cookies through browser settings. However, if Cookies are disabled, some functions of the website may not be available.

Please refer to the help of each browser for Cookie setting methods.

12. Security Measures for Personal Information

The Company takes the following measures to prevent leakage, loss, or damage of personal information and for other security management.

12.1 Organizational Security Measures

  • Appointment of a Personal Information Protection Manager
  • Regular education and training for employees
  • Establishment of regulations regarding the handling of personal information
  • Regular audits of personal information handling status

12.2 Personnel Security Measures

  • Conclusion of confidentiality agreements with employees
  • Enforcement of confidentiality obligations after retirement
  • Appropriate management of access rights

12.3 Physical Security Measures

  • Access control to server rooms
  • Locking management of documents containing personal information
  • Secure disposal of unnecessary personal information (shredding, etc.)

12.4 Technical Security Measures

  • Installation of firewalls
  • Introduction of unauthorized access detection systems
  • Adoption of SSL/TLS encrypted communication
  • Recording and monitoring of access logs
  • Application of regular security patches
  • Introduction of anti-malware software

13. Supervision of Subcontractors

When outsourcing the handling of personal information to an external party, the Company takes the following measures regarding the subcontractor:

  • Selection of appropriate subcontractors (confirmation of security system)
  • Conclusion of confidentiality agreements
  • Stipulation of personal information protection clauses in outsourcing contracts
  • Regular audits and evaluation of subcontractors
  • Conclusion of Data Processing Agreements (DPA) if GDPR applies

14. Personal Information of Minors

The Company does not knowingly collect personal information from minors under the age of 16. If a person under the age of 16 provides personal information, the consent of a guardian is required.

15. Changes to Privacy Policy

The Company may change this Policy due to amendments to laws and regulations, changes in service content, etc. In the case of significant changes, we will notify you in advance on the website and obtain customer consent if necessary.

The modified Policy shall take effect from the time it is posted on the Company website.

16. Data Protection Impact Assessment (DPIA)

The Company conducts Data Protection Impact Assessments (DPIA) based on GDPR Article 35 when performing high-risk personal data processing.

17. Notification of Data Breach

In the unlikely event of a personal data breach, the Company will take the following actions in accordance with GDPR Articles 33 and 34:

  • Notification to the supervisory authority within 72 hours of awareness (if applicable)
  • Notification without undue delay to affected customers in the case of a high-risk breach
  • Implementation of appropriate technical and organizational measures

18. Lodging Complaints with Supervisory Authorities

Customers in the EU have the right to lodge a complaint with the data protection supervisory authority in their country of residence. Please refer to the following for a list of supervisory authorities in each country.

https://edpb.europa.eu/about-edpb/board/members_en

19. Contact Information

For questions regarding this Policy, requests for disclosure, correction, deletion, etc. of personal information, complaints, or consultations, please contact the following:

ZERO UP TRADING
Personal Information Protection Manager: Yamauchi
Address: 193 Otsuka, Hachioji-shi, Tokyo 192-0352, Japan
Contact: info-zjp@zeroup-japan.com
Reception Hours: Weekdays 10:00 - 16:00 (Excluding Saturdays, Sundays, and Holidays)

EU Representative Contact:
info-zjp@zeroup-japan.com

20. Governing Law and Jurisdiction

The interpretation and application of this Policy shall be governed by Japanese law. The Tokyo District Court shall be the exclusive agreed court of first instance for any disputes regarding this Policy.

However, customers within the EU have the right to file a lawsuit in the court of their place of residence based on GDPR Article 79.