Privacy Policy

November 27, 2024

Each of the companies of the ENEOS Group (meaning the corporate group comprising of ENEOS Holdings, Inc. and its affiliated companies, the “Group”) hereby commits to comply with the applicable laws and regulations, guidelines, the “ENEOS Philosophy of the Group,” the “ENEOS Code of Conduct,” internal regulations as well as this Privacy Policy in handling the personal data of the Group’s customers (including individual customers and corporate representatives, as well as those who are interested in the Group’s products, services, activities and the like, and our shareholders), as well as handle such personal data appropriately.

1 Framework for Personal data Protection

The Group has established and will maintain a framework to appropriately protect personal data; formulate a compliance program to ensure that its officers and employees fully protect personal data; and continuously implement and improve such framework and program.

2 Security Control of Personal data

In every process of obtaining, using, disclosing and administering personal data, the Group endeavors to administer such personal data in a secure and accurate manner and in the most recent state, and thoroughly implement security control measures, including those enumerated below, to prevent the leakage of, and unauthorized access to, personal data:

  • Establishment of basic policies
    To ensure the appropriate handling of personal data, the Group has established basic policies, including this Privacy Policy.

  • Maintenance of rules on the handling of personal data
    The Group will maintain rules on obtaining, using, disclosing and administering personal data, as well as internal rules and regulations that set forth the responsibilities and the like of the persons handling personal data.

  • Organized security control measures
    The Group will maintain the framework necessary to protect personal data, where our CEO is ultimately responsible therefor.

  • Human security control measures
    The Group has implemented on-the-job trainings and other instruction courses on points to pay attention to, in the handling of personal data.

  • Physical security control measures
    The Group has implemented security control measures to prevent theft, loss and the like of instruments, electronic media, documents, or the like that handle personal data.

  • Technical security control measures
    The Group has implemented access controls where restrictions have been placed on the scope of the handling persons according to the content of the personal data.

  • Understanding the external environment
    For cases where personal data is stored abroad, the Group has implemented appropriate security control measures after understanding the system in the relevant foreign country concerning the protection of personal data.

The Group may also contract out a part of its business and provide personal data to its consignees to the extent necessary to fulfill the purposes of the use of the personal data. In such cases, the Group will enter into an agreement with each consignee concerning the handling of personal data, and appropriately administer and supervise them.

3 Details of Personal data Handled by the Group

The Group obtains the following personal data concerning customers from the customers themselves, companies belonging to the Group, business partners of the Group, and other similar entities:

  • Customer information
    The name, mail address, address, age, sex and nationality, as well as the name and location of, section and title/position in, the company a customer is working at, account information, including SNS, and other customer information.

  • Details of transactions with the Group
    Information concerning the details of customers’ transactions and purchase history, bank accounts and payment information of credit cards or the like and other information generated in the course of customers’ transactions with the Group.

  • Information generated from the use of the Group’s website
    The registered ID, password, IP address, browsing history of and date/time of access to the website, information concerning terminals/OS/browsers or the like that customers are using, location information, other status of use of the services, as well as analytical findings based on such information (such as information concerning the Group’s products and services which customers are presumed to be concerned with or interested in), and other information generated from the customers’ use of the Group’s website.

  • Other information
    Information concerning the customers’ comments, requests, inquiries, replies to surveys to and communication or the like with the Group, records of customers’ entry into and exit from the Group’s offices, security camera footage, and other information provided to the Group based on any involvement of the customers with the Group.

4 Purpose of Use of Personal data

The Group will use the customers’ personal data for the following purposes or other purposes for which a separate notification or the like to the individual is required:

  • Performance of any contract for the Group’s products and/or services as well as communications relating thereto.

  • Provision of products and/or services pursuant to the terms of the subject contracts, and settlements thereunder.

  • Communication on requisite matters concerning the subject contracts.

  • Arrangements, shipments and after-sale services for products and/or services used by the customers.

  • Responses to comments, requests, inquiries and other matters concerning the contracts.

  • Promotions regarding the Group’s products and services.
    a.Information concerning products and/or services and promotions, including newsletters, mail magazines and advertisements.
    b.Promotions on various campaigns, trade exhibitions and the like.
    For avoidance of doubt, to fulfill these purposes, the Group may analyze the information obtained therefor, such as the customers’ browsing history and/or purchase history, and direct messages tailored to the customers’ concerns and/or interests.

  • Planning/development/analysis/improvements of the Group’s products, services and the like.
    a.Planning/development of new products/services
    b.Analysis, quality improvement of, and enhancing dealings with people concerning existing products/services.
    c.Investigation and analysis of the status of sales and usage as well as planning and development using the results thereof.
    d.Implementation/analysis/measurement of effects/use of survey research associated with marketing activities.

  • Improvement of and other activities concerning the Group’s website.
    a.Improvement of user-friendliness and other qualities of the website.
    b.Planning/development based on the usage status of the website.

  • Responses to comments/requests/inquiries to the Group.

  • Rendering services consigned to the Group.

  • The Group’s responses to statutory obligations and requirements (including reports to regulatory authorities in Japan and abroad, judicial/administrative bodies, and exchanges, as well as responding to audits conducted by such authorities and bodies) and implementing the necessary investigations and other responses in relation to governance in the Group and the exercise of its rights.

  • Responses to shareholders (including those who were shareholders in the past) of ENEOS Holdings, Inc.

  • Provision of various information, services and the like concerning the Group.

  • Responses to comments, requests, inquiries and other matters concerning the Group as well as improvements through analysis thereof.

  • Responses based on obligations and requirements under laws and regulations.

  • Planning, review and implementation of various measures to establish and maintain harmonious relationships between our shareholders and the Group.

  • Implementation of other responses associated with fulfilling the aforementioned purposes.

5 Joint Use

The Group may jointly use the following personal data of customers:

  • Personal data to be jointly used: all of the personal data obtained by the Group.

  • Scope of the joint users: all of the companies belonging to the Group (including companies that will join the Group in the future).

  • Purposes of use by the joint users: the purposes of use specified in section 4 above.

  • The company in charge of administering the joint use of personal data: ENEOS Holdings, Inc.

6 Provision to Third Parties

The Group shall not disclose or provide the personal data obtained thereby except for cases that fall under any of the following items:

  • In cases where prior consent by the customer is obtained.

  • In cases where it is necessary to protect human life, body and/or property, and it is difficult to obtain the customer’s consent.

  • In cases where it is specifically necessary for the enhancement of public health or furtherance of the healthy nurturing of children, and it is difficult to obtain the customer’s consent.

  • In cases where it is necessary to cooperate with a national or local government or other entities in implementing public affairs and there is a risk of hindering the implementation of such public affairs by obtaining the customer’s consent.

  • In cases where the relevant third party is an academic research institution or a similar entity and such personal data is required to be handled for the purpose of using the same in academic research (including cases where a part of the purpose of handling the personal data is for academic research except where there is a risk of unjustly infringing on an individual’s rights and interests).

  • Other cases in accordance with laws and regulations.

7 Cross-border Transfer of Personal data

In cases where the Group provides personal data to a third-party entity in Japan or abroad, including a consignee of services and/or joint user, the Group shall take the necessary and appropriate measures in accordance with applicable laws and regulation.

8 Period of Retention of Personal data

The Group shall retain the customers’ personal data only for the period necessary to fulfill the purposes of use of the customers’ personal data, to comply with applicable laws and regulations or to address to customers’ requests. Upon the termination of the retention period, the Group shall delete the customers’ personal data or implement measures to retain such personal data in a manner where such personal data is not capable of identifying the customers.

9 Use of Cookies and the Like

A cookie is a small text file downloaded in the browser of a device (such as a computer and smart phone) and used when a customer accesses a website. Through the use of cookies, the Group can recognize the device of a customer, and obtain information concerning the customer’s browsing history, status of use of the website or the like.
The Group uses “Google Analytics” of Google LLC. While Google Analytics collects, records, and analyzes the user’s status of using this service, the Group utilizes the findings therefrom to improve the Group’s website.

For the structure in which data is collected and processed through Google Analytics, please see.(https://policies.google.com/technologies/partner-sites)

10 Response to Inquiries and Requests for Disclosure, Correction, Suspension of Use and Other Requests

In cases where an inquiry by a customer is received concerning the handling of his/her own personal data (limited to information specified as the subject of the disclosure or the like by applicable laws and regulations, such as the “personal data held by the business” stipulated under Japanese law), hereinafter the same shall apply in this section 10), or cases where a request is made for the exercise of any of the following rights, the Group shall appropriately and quickly address the same after confirming that the inquiry or the request was made directly by the customer:

  • Notification of purposes of use of personal data or disclosure of personal data.

  • Correction, addition or deletion of personal data.

  • Suspension of use of personal data or the provision thereof to third parties.
    Customers may request for the correction, addition, or deletion of personal data. The Group shall address the same to the extent provided by laws and regulations after acknowledging such request.

<Where to Inquire>

  • Inquiries to ENEOS Holdings, Inc.

  • Upon making an inquiry, please acknowledge and accept the terms set forth in the prescribed form for inquiries.

  • Inquiries to other entities of the Group
    Each entity of the Group shall address the inquiries. In cases where an inquiry is made in the manner described in item (1) above, please note in advance that it may be referred to each of the entities of the Group.

11 Amendments to this Privacy Policy and Notifications

The Group may amend all or a part of this Privacy Policy. In case of an amendment, notice on the details thereof shall be provided on the Group’s website.

12 Processing of Personal Data of Customers Residing in the EEA or the UK

Customers residing in the European Economic Area (EEA) or the UK are advised to also see the following items:

  • Legal basis for the processing of personal data
    The Group processes customers’ personal data to fulfill the purposes of use stipulated in items (1) to (8) of section 4, based on the following legal bases:

  • Performance of any contract involving the Group’s products and/or services.
    The Group uses the customers’ basic information and other information, including contact information, to perform any contract involving the Group’s products and/or services.

  • Promotions regarding the Group’s products and services
    The Group uses the customers’ basic information and other information, including contact information, to give promotions regarding the Group’s products and/or services. The legal basis for the processing of such personal data is the Group’s legitimate interest of providing better options for the customers by providing information on products and/or services, or the customer’s consent.

  • Planning/development/analysis/improvement of the Group’s products, services and the like
    The Group uses the customers’ personal data for the planning, development, analysis and improvement of the Group’s products and/or services. The legal basis for such processing of personal data is the legitimate interest of [the Group of] continuously improving its products and services towards safer and more superior products and services for the customers.

  • Improvement and other development of the Group’s website
    The Group may use the information processed in association with the use of the Group’s website for the improvement and other development thereof. The legal basis for such processing of such information is the legitimate interest of the Group to achieve the benefit of having a more convenient and comfortable use of the Group’s website.

  • Responses to comments/requests/inquiries to the Group
    The Group may use the information concerning comments and other communications given it to respond to customers regarding the same. The legal basis in this case is the performance of the contract with the customer, or the customer’s consent.

  • Rendering services consigned to the Group
    The Group may use the customers’ personal data to render services consigned to the Group. The legal basis in this case is the legitimate interest of providing more fulfilling services to customers.

  • The Group’s responses to statutory obligations and requirements
    The Group may use the customers’ personal data to respond to statutory obligations.

  • Responses to our shareholders (including those who were shareholders in the past)
    The Group uses our shareholders’ basic information and other information, including contact information, for the purpose of use stipulated in item (8) of section 4. The legal basis for the processing of such personal data is the legitimate interests of the Group, the consent of our shareholders, or responses to statutory obligations.

  • Exercise of rights by customers
    Customers have the following rights in relation to the Group’s processing of personal data in addition to the matters set forth in section 10 above:

  • In cases where consent to the Group’s processing of personal data is given, the right to withdraw such consent.

  • The right to request data portability

  • In the following cases, the right to object to the Group’s processing of personal data:
    - In cases where the Group uses customers’ personal data for the purpose of direct marketing.
    - In cases where the Group is using a customer’s’ personal data for the Group’s legitimate interests, and if there is a reasonable ground for the customer to object thereto.

  • The right to file an objection with the competent supervisory authority

  • Cross-border transfer
    Based on the manner of its use, customers’ personal data may be transferred to any country outside of the EEA and the UK. In this case, prior to such transfer, the Group shall ensure that an appropriate standard for data protection can be achieved. For instance, it means that a standard for data protection that is similar to that of the EEA or the UK can be achieved by using the standard contractual clauses specified by, or relying on an adequacy decision issued by, the EEA or the UK.

13.Processing of Personal Data of Customers Residing in the State of California

Customers residing in the State of California are advised to also see the following items:

  • The Group’s obtaining of customers’ personal data
    The following are the categories of customers’ personal data to be collected and have been collected for the past twelve (12) months by the Group to fulfill the purposes of use stipulated in section 4:

  • Customers’ name, contact information, and identifiers, such as online identifiers.

  • Customers’ name, contact information, identity certificate issued by a government, signature, payment card number, financial information, medical information, insurance information, educational information, employment information and other similar information, which are defined as personal data under the laws on customer records in the State of California.

  • Customers’ sex, age, marital status, race and other similar information, which are protected under the laws of the State of California or federal law.

  • Customers’ transaction information, purchase history, detailed financial information, payment information and other information concerning commercial transactions.

  • Information on customers’ activities via the internet or other electronic networks, including browsing history, online conduct, internet data, interactions with the Group’s website or other websites.

  • Information concerning the location of customers’ devices, IP location, geolocation data, and other location information.

  • Audio, electronic, or similar information.

  • Professional or employment-related information.

  • Information regarding education, such as an academic background.

  • Inferences drawn from any of the information described above to create a profile about a customer reflecting the customer’s preferences and characteristics.

  • The Group’s selling and sharing of customers’ personal data
    In the last twelve (12) months, the Group has sold and shared identifiers and activities pertaining to activities via the internet to business entities analyzing websites and advertisement delivery companies, for purposes of improving the Group’s websites and distributing appropriate advertisements to customers.

  • Selling or sharing of personal data of customers under the age of 16
    The Group has no knowledge of having sold or shared the personal data of customers under the age of 16.

  • The Group’s disclosure of the customers’ personal data to third parties
    In the past twelve (12) months, the Group has disclosed the personal data obtained thereby to companies comprising the Group to fulfill the purposes of use of personal data (section 4 above).

  • Use and/or disclosure of sensitive personal data.
    The Group will not use or disclose customers’ sensitive personal data without their consent, for any purpose other than the purposes stipulated in §7027(m) of the regulations of the California Consumer Privacy Act (the “CCPA”) (the “CCPA Regulations”).

  • Exercise of rights by customers
    Customers have the following rights in relation to the Group’s processing of personal data in addition to the matters set forth in section 10 above:

  • In cases where the Group sells and/or shares personal data, the right to opt-out of such sale and/or sharing.

  • In cases where the Group uses or discloses sensitive personal data for any purpose other than the purposes prescribed in §7027(m) of the CCPA Regulations, the right to restrict such use and/or disclosure.

  • The right to not be discriminated against because of exercising any privacy-related right.

Miyata Tomohide, Representative Director, CEO
ENEOS Holdings, Inc.
1-1-2 Otemachi, Chiyoda-ku, Tokyo, 100-8162, Japan