Welcome to OnsZen and our website at www.onszenjapan.com. This Privacy Policy describes our practices for collecting, using, protecting and disclosing the Personal Data we collect from you when you visit our website and use our services.

General Information

What law applies?

In principle, we will only use your Personal Data in accordance with the applicable data protection laws, in particular the UK’s Data Protection Act (“DPA”), the EU`s counterpart the General Data Protection Regulation (“GDPR”) and Japan`s Privacy Principles under the Act on Protection of Personal Information (“APPI”).

What is Personal Data?

Personal Data is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address, or telephone number as well as online identifiers such as your IP address. 

What is processing?

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and covers virtually any handling of data.

Who is responsible for data processing?

The Data Controller within the meaning of the DPA, GDPR, APPI is OnsZen, Takako Kato of [Sandycombe Road, Richmond, London, TW9 2EP, the United Kingdom] (“OnsZen”, “we”, “us”, or “our”). If you have any questions about this policy or our data protection practices, please contact us using info@onszenjapan.com.

What are the legal bases of processing?

In accordance with the DPA, GDPR, APPI, we have to have at least one of the following legal bases to process your Personal Data:

• Consent – This is where we have asked you to provide explicit permission to process your data for a particular purpose. 

• Contract – This is where we process your information to fulfil a contractual arrangement we have made with you or reply to your messages, e-mails, posts, calls, etc. 

• Legitimate Interests – This is where we rely on our interests as a reason for processing, generally this is to provide you with the best products and service in the most secure and appropriate way. Of course, before relying on any of those legitimate interests we balance them against your interests and make sure they are compelling enough and will not cause any unwarranted harm.

• Legal Obligation – This is where we have a statutory or other legal obligation to process the information, such as for archiving or the investigation of crime.

Data we collect automatically

Log data

When you access and use our website, we collect the Personal Data that your browser automatically transmits to our server. This is technically necessary for us to display our website and to ensure its stability and security. In this sense, we collect the following data: i) IP address of the requesting computer, ii) Date and time of access, iii) name and URL of the file accessed, iv) website from which the access was made (referrer URL), v) browser used and, if applicable, the operating system of your computer as well as the name of your access provider. The legal basis is our legitimate interest.

Cookies

We use so-called cookies on our website. Cookies are pieces of information that are transmitted from our web server or third-party web servers to your web browser and stored there for later retrieval. Cookies may be small files or other types of information storage. There are different types of cookies: a) Essential Cookies. Essential cookies are cookies to provide a correct and user-friendly website; and b) Non-essential Cookies. Non-essential Cookies are any cookies that do not fall within the definition of essential cookies, such as cookies used to analyse your behaviour on a website (“analytical” cookies) or cookies used to display advertisements to you (“advertising” cookies). 

As set out in the UK’s Privacy and Electronic Communications Regulations (“PECR”) and the EU`s Privacy and Electronic Communications Directive (“PECD”), we need to obtain consent for the use of Non-essential Cookies. For further information on the cookies we use, please refer to our Cookie Policy. The legal basis for processing is our legitimate interest and your consent.

Cookie consent 

Our website uses a cookie consent tool, to obtain your consent to the storage of cookies and to document this consent. When you enter our website, the following Personal Data is transferred to us: i) Your consent(s) or revocation of your consent(s); ii) Your IP address; iii) Information about your browser; iv) Information about your device; v) Time of your visit to our website. The basis for processing is our legitimate interest and your consent.

Economic analyses and market research

For business reasons, we analyse the data we have on web and server traffic patterns, website interactions, browsing behaviour etc. The analyses serve us alone and are not disclosed externally and processed using anonymous analyses with summarised and or anonymized values. For this purpose we use SourceBuster JS and Jetpack by Automattic Inc. The legal basis is our legitimate interest and your consent. For further information, please refer to our Cookie Policy.

Google Fonts

We integrate the fonts of the provider Google LLC, whereby the user’s data is used solely for the purpose of displaying the fonts in the user’s browser. The integration is based on my legitimate interest in a technically secure, maintenance-free and efficient use of fonts, their uniform display and taking into account possible licensing restrictions for their integration. The legal basis for this processing is our legitimate interest.

Content Management System (CMS)

We also use the Content Management System (CMS) of WordPress, a service provided by Automattic Inc, to publish and maintain the created and edited Content and texts on our website and to provide the forms used. This means that all content and texts submitted to us by users for publication is transferred to WordPress. In addition to texts, this also includes, for example your data in our forms. The legal basis for this processing is our legitimate interest.

WooCommerce 

To provide our web shop, we use the WooCommerce service developed and operated by Automattic, Inc.. WooCommerce provides us with their online e-commerce platform through which we can offer our goods for sale to you. Both your inventory data and your usage data are stored on WooCommerce’s servers. The legal basis for processing is our legitimate interest.

Links to other websites

Please note that if you use a link from our website to a third-party website, that third-party may also set new cookies that are not covered by this policy. In such cases, we recommend that you read the cookie policy on the third-party website itself.

Data we collect directly

Contacting us

If you contact us, we store and process the following data from you: Name, e-mail address, telephone number as well as other Personal Data that you provide when contacting us. This data is collected and processed exclusively for the purpose of contacting you and processing your request and then deleted, provided there is no legal obligation to retain it. The legal bases for processing are contract and our legitimate interest.

When using our services

The protection of your Personal Data is particularly important to us in the performance of our services. We therefore only want to process as much Personal Data (for example, your name, address, e-mail address or telephone number) as is absolutely necessary. Nevertheless, we rely on the processing of certain Personal Data, to fulfil our contractual obligations to you or to carry out pre-contractual measures and in the context of administrative tasks as well as organisation of your travel requirements and preferences our business, and compliance with legal obligations, such as archiving. 

We process the data of our Service Users in order to enable them to select, purchase or commission the selected services (Booking Support, Customised Itinerary, Planning or our other auxiliary Services) and our digital guides, as well as associated activities and to pay for and deliver (including digital delivery, if any) them or to execute or provide them. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information. The legal bases are contractual performance, Legal obligation, and our legitimate interests.

When making a purchase

To make a purchase, you may need to provide a valid payment method (e.g., credit card). Your payment information will be collected and processed by our authorised payment vendor. We do not directly collect or store credit or debit card numbers ourselves in the ordinary course of processing transactions. The legal basis for the provision of a payment system is the establishment and implementation of the contract.

Administration, financial accounting, office organisation, contact management

We process data in the context of administrative tasks as well as organisation of our business, and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. Further, based on our business interests, we store information on sellers, and other business partners, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.The processing bases are our legal obligations and our legitimate interest. 

Marketing 

Insofar as you have given us your separate consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.

You may give us your consent in a number of ways including by selecting a box on a form where we seek your permission to send you marketing information, or sometimes your consent is implied from your interactions or contractual relationship with us. Where your consent is implied, it is on the basis that you would have a reasonable expectation of receiving a marketing communication based on your interactions or contractual relationship with us.

Direct Marketing generally takes the form of email but may also include other less traditional or emerging channels. These forms of contact will be managed by us, or by our contracted service providers. Every directly addressed marketing sent or made by us or on our behalf will include a means by which you may unsubscribe or opt out. 

Social Media 

General

We are present on social media (currently Instagram) and if you contact or connect with us via social media websites, we and the relevant social media website are jointly responsible for the processing of your data and enter into a so-called joint controller agreement. The legal basis is our legitimate interest, your consent or, in some cases, the initiation of a contract.

When you visit our profiles and interact with us and others

When you visit our social media profiles, we, as the operator of the profile, process your actions and interactions with our profile (e.g., the content of your messages, enquiries, posts or comments that you send to us or leave on our profile or when you like or share our posts) as well as your publicly viewable profile data (e.g., your name and profile picture). 

Which Personal Data from your profile is publicly viewable depends on your profile settings, which you can adjust yourself in the settings of your social media account. 

Please take care not to transmit or share sensitive data or confidential information (e.g., application documents, bank or payment data) via social media platforms; we recommend that you use a more secure means of transmission (e.g. e-mail). 

Principles of processing Personal Data

Storage and Retention

As far as necessary, we process and store your Personal Data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract.

In addition, we are subject to various storage and documentation obligations, which result from the minimum statutory retention periods in accordance with Companies House and HMRC (UK) Ministry of Finance (Japan), among others. The retention and documentation periods specified vary between two to eight years.

Security

Our website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us. We have also implemented numerous security measures (“technical and organisational measures”) for example encryption or need to know access, to ensure the most complete protection of Personal Data processed through our website. 

Nevertheless, internet-based data transmissions can always have security gaps, so that absolute protection cannot be guaranteed. And databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised as expeditiously as possible after which the breach was discovered.

Special Category Data

Unless specifically required when using our services and explicit consent is obtained for that service, we do not process special category data.

Automated decision-making

Automated decision-making is the process of making a decision by automated means without any human involvement. Automated decision-making including profiling does not take place.

Do Not Sell

We do not sell your Personal Data.

Sharing and Disclosure

We will not disclose or otherwise distribute your Personal Data to third parties unless this is a) necessary for the performance of our services including our shipping forwarder and, b) you have consented to the disclosure, c) or if we are legally obliged to do so e.g., by court order or if this is necessary to support criminal or legal investigations or other legal investigations or other legal proceedings; or proceedings at home or abroad or to fulfil our legitimate interests.

International Transfer

We may transfer your Personal Data to other companies as necessary for the purposes described in this Privacy Policy. In order to provide adequate protection for your Personal Data when it is transferred, we have contractual arrangements regarding such transfers. We take all reasonable technical and organisational measures to protect the Personal Data we transfer.

Your Rights and Privileges 

Privacy rights 

Under the DPA and the GDPR, you can exercise the following rights:

• Right to information

• Right to rectification

• Right to deletion

• Right to data portability

• Right of objection

• Right to withdraw consent

• Right to complain to a supervisory authority

• Right not to be subject to a decision based solely on automated processing.

Under the APPI, you can exercise the following rights:

• Right to access (be informed) 

• Right to request correction or amendment 

• Right to request the suspension of the use or disclosure of Personal Data 

• Right to request the deletion 

If you have any questions about the nature of the Personal Data we hold about you, or if you wish to exercise any of your rights, please contact us.

Updating your information

If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so by contacting us. 

Withdrawing your consent 

You can revoke consents you have given at any time by contacting us. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Access Request 

In the event that you wish to make a Data Subject Access Request, you may inform us in writing of the same. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days, we will tell you why and when we will be able to respond to your request. If we are unable to provide you with any Personal Data or to make a correction requested by you, we will tell you why.

Complaint to a supervisory authority

You have the right to complain about our processing of Personal Data to a supervisory authority responsible for data protection. The supervisory authority in the UK is: The Information Commissioner’s Office (ICO) (www.ico.org.uk). The supervisory authority in Japan is: The Personal Information Protection Commission (PPC) (www.ppc.go.jp). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, PPC or any other supervisory authority.

Validity and questions

This Privacy Policy was last updated on Tuesday, 5th of March, 2024, and is the current and valid version. However, we want to point out that from time to time due to actual or legal changes a revision to this policy may be necessary. If you have any questions about this policy or our data protection practices, please contact us using info@onszenjapan.com.