Privacy Policy (Japan, APPI-Compliant)

Last updated: [2025-05]
Applies to: Peak Season Co., Ltd. (“we,” “us,” “our”)

1) Who we are

Peak Season Co., Ltd. operates a property management business in Japan, providing reservation management, guest services, housekeeping, maintenance coordination, and related services (“Services”).

Contact (privacy):

  • Email: info@peakseason.jp

  • Address: 219 Tagiri Myoko Niigata Japan 949-2102

2) Scope

This Policy explains how we handle “Personal Information” and “Retained Personal Data” as defined under Japan’s Act on the Protection of Personal Information (APPI), including data we collect from guests, owners, vendors, applicants, and website users. (Key APPI duties on purposes of use, third-party provision, records, cross-border rules, and access/correction stem from APPI Articles 27–31, etc.)

3) What we collect

Depending on your relationship with us:

  • Identity & contact: name, address, phone, email, date of birth, nationality; for foreign guests, passport details when required by law (e.g., lodging/visitor ID requirements).

  • Booking & stay details: property, dates, party size, preferences, communications with us.

  • Payment: payer name, masked card details or payment processor tokens, billing info (we do not store full card numbers on our servers).

  • Owner/vendor data: contract information, tax/payment info required by law.

  • Employment/applicant data: CV, work history, references, ID as required.

  • Website/IT: IP address, device/browser info, and cookie/analytics identifiers (“person-related information” under the APPI amendments when linked or provided to a third party alongside identifiers).

4) Purposes of use (APPI)

We specify and use data only for the following:

  1. Reservations & guest services (booking, check-in/out, support).

  2. Property operations (housekeeping, maintenance, access control).

  3. Owner/vendor relationship management (contracts, payments).

  4. Legal & compliance (identity verification, record-keeping, tax/municipal filings, responding to lawful requests).

  5. Payments & fraud prevention.

  6. Safety & security (incident response, CCTV where installed with notice at premises).

  7. Service improvement & analytics (site/app performance, preferences), marketing with opt-out.

  8. Recruitment & HR administration for applicants/employees.

We will not use Personal Information beyond these purposes without obtaining consent or notifying as required by APPI. (Purpose specification/limitation is required under APPI.)

5) Third-party provision (APPI Art. 27/29)

We may provide Personal Data to third parties only in accordance with APPI, for example:

  • Service providers (processors/outsourcers): IT hosting, PMS/booking engines, payment processors, messaging, ID verification, housekeeping/maintenance contractors. We supervise contractors to ensure proper handling and require appropriate security measures.

  • Property owners: limited stay/booking data necessary to manage the property.

  • Legal obligations: government authorities, courts, or law enforcement when required.

  • Consent-based sharing: where you request/consent (e.g., sharing details with a tour provider).

When we provide Personal Data to a third party, we prepare and retain required records (e.g., date, recipient, items provided) as mandated by APPI. Opt-out style third-party provision—if ever used—would be notified to the PPC per APPI and PPC rules.

6) Cross-border transfers

Some vendors (e.g., booking engines, cloud services) may be located outside Japan. Before transferring Personal Data to a foreign third party, we will obtain consent or ensure APPI-compliant safeguards, and disclose information about the destination country’s data protection system and the recipient’s protective measures, as required by PPC rules (APPI Art. 28/31 and PPC Orders).

7) Person-related information, cookies & analytics

We use cookies and similar tech for essential functions, analytics, and (if enabled) marketing. Where person-related information could become personal data for a third party (e.g., when providing identifiers so the recipient can identify a person), we follow APPI’s third-party rules and obtain consent where required. You can manage cookies via our Cookie Settings link and your browser.

8) Security control measures

We implement systematic, human, physical, and technical controls appropriate to risks, including: access controls, need-to-know permissions, encryption in transit, vendor due diligence, employee training, secure disposal, and incident response procedures aligned with PPC guidance. (Security control duties derive from APPI and PPC guidelines.)

9) Data retention

We retain Personal Data only as long as necessary for the stated purposes, our contracts, and legal obligations (e.g., tax and lodging records), then delete or irreversibly anonymize it.

10) Your rights under APPI (Retained Personal Data)

You may request notification of purposes, disclosure/access, correction/addition/deletion, and cessation of use or third-party provision of your Retained Personal Data, subject to APPI conditions and defenses (e.g., risk to life/rights, significant interference with operations). We may charge a reasonable fee where permitted.

How to make a request:
Send a written or email request to the contact above with (i) your name and contact, (ii) the right you wish to exercise, (iii) details to identify the data, and (iv) identity verification documents. We will respond per APPI within a reasonable period. (Rights & procedures are set in APPI Chapter IV incl. Articles 33–36; records under Article 29.)

11) Data breach notification

If we suffer a breach meeting APPI thresholds (e.g., involving sensitive items, risk of unauthorized use, or widespread impact), we will report to the PPC and notify affected individuals without delay, following PPC guidance.

12) Special care-required personal information

Where we handle “special care-required personal information” (e.g., health-related info) we obtain consent or rely on an APPI exception and apply heightened safeguards.

13) Joint use (if applicable)

If we jointly use specific Personal Data with a group company or co-host, we will disclose in advance: the items of data jointly used, the scope of co-users, the purposes of joint use, and the name of the party responsible for management. (Add details here if you do joint use.)

14) Children

We do not knowingly collect Personal Information from children under 16 without guardian consent. Guardians may contact us to review or delete such data.

15) Links & third parties

Our website may link to third-party sites or services with their own privacy terms. Please review those separately.

16) Updates to this Policy

We may update this Policy to reflect changes in law or our practices. When required by law, we will notify you or obtain consent. The Japanese version (if provided) controls in case of conflict.