Updated: July 1, 2023
The Sanrio Group*1 (collectively, “the Group,” “we,” “us,” “, our”) hereby declares that all of its employees, including officers and other employees, will comply with laws and regulations concerning the protection of personal information, and appropriately handle and protect personal information in accordance with this policy, based on the recognition that personal information is an important right relating to the rights and interests of all customers, suppliers and other persons from whom it collects personal information (collectively, “customers, etc.,” “you,” “your.”)
The following policy applies to personal information collected via the Group’s corporate websites, portal sites, online shops, membership sites, other official Sanrio websites designated by the Group, official apps, and official social media accounts operated by the Group (collectively, “official websites, etc.”), personal information collected at theme parks operated by the Group, and all personal information collected by other businesses operated by the Group.
Minors (customers, etc., under the age of 18 years) cannot agree to this policy on their own. Please make sure that your parent or guardian agrees to this policy.
1 Information we collect
The Group collects the following information from customers through the operation of its official websites, etc., theme parks and publishing businesses.
- Information you provide about yourself, such as your name, date of birth, gender, address, telephone number, email address, nationality, occupation, and job title, etc.
- Information you provide about your family, such as your child’s name, date of birth, and gender
- Other information you may send to us, such as photos, videos, audio, and comments on our official websites, etc.
- Usage histories for our services (including location information) and purchase histories of products, etc.
- Information you provide when using our services (product delivery addresses and payment information such as credit card numbers)
- Usage and browsing histories for our official websites, etc.
- Information given in answers to our questionnaire surveys, voting and prize contests, etc.,
- Audio recordings of customer service calls and still images and/or video footage taken by cameras or readers in or around our facilities and equipment
- *Cookies are data downloaded from a website to your device when you browse a website. They are currently in common use by many websites. Using cookies makes it possible for us to display more appropriate (personalized) content and provide services to you. Access logs include the date and time of your access, the number of times, IP address, type of browser used, and cookie information, etc. If you do not wish us to collect information about your browser, you can disable the cookie functionality yourself by changing your browser settings. For details, please refer to Article 5 (2) of this policy.
2 Purposes of Use
All personal information that you provide to the Group will be used within the scope of the following purposes of use. This includes the analysis of information collected for the purposes set forth in this section.
- To advertise and provide information on products or services sold or provided to you
(including distribution of various information such as information on benefits and gifts for members, information on questionnaire surveys, information on campaigns and sales, information on events, display of personalized web content, advertisements, and provision of information for you)
- To ship products or services sold or provided to you, verify and confirm payment payments, and provide after-sales services
- To investigate and analyze the purchase and usage status of products or services
- To improve products or services and consider new products or services, etc.
- For statistical analysis for the purpose of improving customer convenience and service quality
- To register and manage customer information
- To respond to questions, requests and other inquiries we receive from you
- To notify you of problems with purchased products, product recalls or safety problems
- For advertisements, contact and identity verification in the Group’s recruitment activities
- To contact you in connection with the above items and to confirm your identity
In order to achieve the purposes of use described in this section, the Group may provide customer information to third parties such as business partners, after converting it into a form that does not allow the identification of specific individuals, either in itself or through cross-referencing it with typically expected types of external information, and prohibiting the act of identifying specific individuals based on the information.
3 Outsourcing, Joint Use, and Provision to Third Parties
- The Group may provide customer information (to third parties) in the following cases.
In order to achieve the purposes of use defined in Section 2 of this policy, the Group may outsource all or part of the work necessary for operation and management to a third party, and may outsource all or part of the handling of personal information provided by customers to a third party, to such extent as necessary for the purpose of outsourcing such work. In such cases, we will safely manage your personal information through necessary and appropriate supervision of third-party contractors.
- In order to achieve the purposes of use defined in Section 2 of this policy, the Group may engage in joint use of customer information defined in Section 1 of this policy with Sanrio Group*1 companies. Companies that make joint use of this information will do so within the scope of the purposes of use defined in Section 2 of this policy. Even in such cases, we will manage your personal information responsibly.
- Personal information provided by customers will not be provided to third parties, except in the following cases.
• When you have given your prior consent
• When statistical data processing has been performed so that individual customers cannot be identified
• When the information is in a form that does not allow the identification of specific individuals, either in itself or through cross-referencing it with typically expected types of external information, and the act of identifying specific individuals based on the information is prohibited
• When transferring your personal information in connection with a merger, spin-off, or business succession, etc.
• When the Group reasonably determines that it is necessary to provide services to you
• When the Group reasonably determines that it is necessary to protect the life, health, property, rights, etc., of the customer
• When the Group reasonably determines that it is necessary for the improvement of public health and hygiene, or the sound development of children
• When there are other provisions dictated by law
4 Security Management Measures
The Group will take the following safety management measures to protect your personal information from leakage, loss, damage, falsification, misuse, and unauthorized access.
- Establishment of Basic Policy
We have formulated this policy to properly handle and protect personal information.
- Development of Rules Governing the Handling of Personal Information
In order to prevent leakage, etc., of personal information and to otherwise safely manage personal information, we have established discipline such as internal rules and related guidelines that clarify who is responsible for handling personal information, and the scope and method of its handling, etc.
- Systematic Security Control Measures
Each organizational unit or department that handles personal information has a personal information protection supervisor who is responsible for handling personal information, and clarifies the person(s) responsible for handling personal information and the scope of its handling. We have established a response plan for discovering facts and/or signs of violation of laws and internal rules, and have established a contact point for reporting such violations. In addition, we conduct regular self-inspections and audits of the state of handling of personal information.
- Human Security Control Measures
We make the appropriate handling of information—including personal information—known in internal rules, etc., and regularly educate employees on the handling of personal information.
- Physical Security Control Measures
In areas where personal information is handled, we restrict employee access and the equipment which can be brought in and we also take measures to set the authority to prevent unauthorized persons from viewing personal information. In order to prevent theft or loss of equipment, electronic media, documents, etc., that handle personal information, we take measures such as installing server equipment containing personal information in specific areas, with consideration for information security.
- Technological Security Control Measures
We control access to information systems that handle personal information, limit the persons who handle it and the scope of handling, and set access privileges.
We have adopted various defenses to protect information systems containing personal information from being hacked or infected by malware.
- Assessment of External Environment
We implement safety and secure management measures based on an understanding of systems for the protection of personal information in Japan, where personal information is stored, and in countries where servers for services used by the Group are installed.
5 Customer Disclosure and Correction Requests and Control
We have established a contact point to appropriately respond to requests from customers for the disclosure, correction, addition, deletion, suspension of use and erasure of their personal information, and suspension of provision of their personal information to third parties, etc. (collectively, “disclosure or correction, etc.”)
You can also control the information about your browser that can be collected on official websites, etc., by changing your browser settings.
- For inquiries regarding the disclosure or correction, etc., of customer information, please contact us by one of the methods described in Section 12 of this policy. Please note that we may be unable to respond to requests for disclosure or correction, etc. that do not follow the method described.
- If you do not wish us to collect information about your browser, you can disable the cookie functionality yourself by changing your browser settings. Please note that, if you do so, you may not be able to use some or all of our services.
For details, please check the “Settings” and “Help” menus of your browser. (Setup methods may differ depending on your browser.)
6 Security and Scope of Responsibility for Websites, etc.
The Group pays close attention to and strictly manages the personal information you provide.
Pages that send and receive personal information use SSL (Secure Socket Layer) for safety. However, it is currently impossible to ensure that data sent and received over the Internet is 100% secure. When sending or receiving personal information over the Internet, you do so at your own risk.
7 Links to Third-Party Sites on Websites
If you access another site by clicking links, banners or text, etc., to third-party sites on our official websites, etc., a cookie may be sent to your computer from the linked web server.
Use of such cookies is in accordance with the policies of each linked site, and the Group cannot be held responsible for such use. We also cannot be held responsible for the handling of personal information provided or collected on third-party link sites or advertisers’ sites linked to the Internet. Please check the policies of each of these sites on their respective websites.
8 Login Using Social Media IDs
If you allow linkage with external services—such as social media—on our official websites, etc., you may be asked to provide information clearly expressed to you by such external services, or by the Group.
The Group may revise the contents of this policy without prior notice.
The revised policy will be posted on the Group’s official websites, etc., and shall take effect from the time it is posted. Please also note that we will not be able to contact you each time the policy is updated, so please check the policy each time you use our official websites, etc.
10 Special Provisions Regarding GDPR
This section applies to the processing of your personal information located in the European Economic Area (“EEA”) in accordance with the General Data Protection Regulation (“GDPR”).
- The Group collects and processes the personal information described in Section 1 of this policy based on the following legal basis, as stipulated in the GDPR (Article 6), for the purposes of use defined in Section 2 of this policy.
• Explicit consent to processing your personal information
• Entering into a contract with you, or fulfilling obligations under a contract with you
• Legitimate interests (examples of which are provided in Section 2 of this policy)
• Compliance with applicable laws and regulations
- Personal information may be transferred to entities in countries or jurisdictions outside the EEA (e.g., Japan) if necessary for the purposes of use defined in Section 2 of this policy. Please note that such countries or jurisdictions may not have the same data protection laws as the EEA, and as such we cannot give you many of the rights you have in the EEA. We will ensure that such international transfers are subject to appropriate protection as required by the GDPR, or other relevant laws. In doing so, we will comply with applicable data protection requirements and use methods of protection as appropriate as security for personal information.
- The Group will retain personal information for as long as necessary to fulfill the purposes of use defined in this policy, unless a longer retention period is required or permitted by law.
- You have the right to request access, collection, deletion, or restriction of processing, to object to processing, to request data portability, and to withdraw your consent with regard to your personal information held by us at any time (but without affecting the legality of processing based on such consent prior to such withdrawal).
If we receive a request under the above rights, we will conduct the necessary investigation without delay and provide personal information to you or a designated third party, or respond to that right without delay.
Failure to provide personal information will generally not cause you to suffer any disadvantage, but we may need to collect personal information in order to process your instructions, or to fulfill contractual obligations to you. In such cases, we may have to cancel your contract with us, at which time we will notify you to that effect.
To make a request for access or correction, etc., please contact us by one of the methods described in Section 12 of this policy.
You also have the right to lodge a complaint with your local data protection authority if you have a complaint regarding our processing of your personal information.
11 Special Provisions Regarding CCPA
This section applies to the processing of personal information of customers who are classified as California “consumers” pursuant to the California Consumer Privacy Act of 2018 (“CCPA”).
- Personal information that we plan to collect and use—and that we have collected during the past 12 months—is indicated in Section 1 of this policy.
- The businesses or commercial purposes for which we collect personal information are described in the purposes of use defined in Section 2 of this policy.
- We have not sold any personal information during the past 12 months, including that of minors under the age of 16.
We may have disclosed the personal information described in Section 1 of this policy during the past 12 months for business purposes. Third parties to which we disclose information are service providers such as server management service providers, web analytics service providers, and web design service providers.
- If you are a California consumer, you may make the following choices with regard to your personal information.
• Access: You have the right to request—twice during a 12-month period—that we disclose the following information about you that we have collected, used, or disclosed.
(1)Categories of personal information we have collected about you
(2)Categories of sources from which we collected personal information
(3)The business or commercial purpose(s) for which the personal information was collected
(4)The category of third party with whom the personal information is to be shared
(5)Specific pieces of personal information that we collect
• Deletion: You have the right to request that we delete the personal information that we have collected from you.
• Correction: You have the right to request that we correct any inaccurate personal information we hold about you, subject to applicable legal exceptions.
• Opting out of the sale of personal information: You have the right to opt out of our sale of your personal information to third parties.
If you choose to exercise any of your rights under the CCPA, you have the right to not be discriminated against by us.
- If we receive a request from you regarding access, deletion, correction or opt-out under Section 11(4) of this policy, we will take steps to verify your identity before responding to your request, to protect your privacy and maintain security.
When we receive a request for access or deletion, etc., from a customer, we first request submission of information necessary to verify your identity, such as your name and email address, depending on the service provided. We then verify your identity by comparing the information you provide with information we already have in our possession. If you use an authorized agent to request access or deletion, etc., we will ask you to (1) give the authorized agent signed permission to make such a request on your behalf, (2) verify your identity directly, as described above, and (3) confirm directly that you have given permission to the authorized agent to make such a request on your behalf.
To make a request for access, deletion, correction or output, please contact us by one of the methods described in Section 12 of this policy.
12 Contact for Inquiries
- Contact information for questions, complaints, or comments, etc., regarding this policy
• email: firstname.lastname@example.org
- Contact information if you wish to make a request about your rights under applicable data protection laws
Act on the Protection of Personal Information
• email: email@example.com
• Tel: +81-3-3779-8163
• email: firstname.lastname@example.org
• Tel: +1-866-957-0006
• Mail: 1-11-1 Osaki, Shinagawa-ku, Tokyo
Please note that, to the extent permitted by applicable laws, we may charge a reasonable fee to comply with your request.