1. Introduction
KyotoTech LLC (合同会社KyotoTech) ("Company," "we," "us," or "our") is committed to protecting your privacy and handling your personal information responsibly.
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our website (kyototech.co.jp), software products (including SaQura, KyotoTech Vault, and KisoStats), and services.
KisoStats — No Data Collection
KisoStats is a macOS menu bar system monitor and disk cleanup utility. KisoStats does not collect, transmit, store, or process any personal data whatsoever. The application operates entirely offline and locally on your Mac. It does not make network requests, does not contain analytics or telemetry, does not require user accounts, and does not communicate with any server. No data of any kind is sent to KyotoTech LLC or any third party. System metrics (CPU, RAM, SSD, network speed) are read from macOS system APIs, displayed in real-time, and are not stored or logged.
Legal Framework
As a Japanese company serving international customers, we comply with:
- APPI - Japan's Act on the Protection of Personal Information (個人情報保護法)
- GDPR - EU General Data Protection Regulation (for EU/EEA residents)
- Other applicable data protection laws in your jurisdiction
In case of conflict between this Policy and applicable law, the applicable law shall prevail.
2. Data Controller Information
Data Controller
KyotoTech LLC (合同会社KyotoTech)
〒612-8083 京都市伏見区京町2丁目237-202
Kyoto, Japan
Email: support@kyototech.co.jp
Data Protection Inquiries
For questions about this Privacy Policy or our data practices, please contact:
3. Personal Information We Collect
Information You Provide Directly
| Data Category | Data Elements | Purpose | Legal Basis (GDPR) |
| Contact Information | Name, Email, Phone (optional), Message | Respond to inquiries | Legitimate interest / Consent |
| License Information | Email address | License delivery | Contract performance |
| Account Information | Email, License Key | License management | Contract performance |
| Vault Account Information | Email, Name, Organization Name, Password (hashed) | Account management, file storage | Contract performance |
| Vault Collaboration Guest Data | Email address (provided by space owner) | Guest access to shared folders | Contract performance / Legitimate interest |
Information Collected Automatically
| Data Category | Data Elements | Purpose | Legal Basis (GDPR) |
| License Activation Data | License Key, Hardware ID (hashed), Machine Name, OS/Platform, Timestamp | License validation, prevent abuse | Contract performance |
| Technical Logs | IP address (anonymized), Browser type, Access times | Security, troubleshooting | Legitimate interest |
| Vault Audit Logs | IP address, User-Agent (browser), Timestamps, Actions performed (login, upload, download, rename, delete) | Security audit trail, compliance, dispute resolution | Legitimate interest |
| Vault Virus Scan Results | File scan status, scan timestamps | Malware protection | Legitimate interest |
Information We Do NOT Collect
We explicitly DO NOT collect:
- Your encryption keys or passwords created with our Software
- Content of files you encrypt
- Usage patterns or telemetry from the Software
- Precise geolocation data
- Biometric data
- Data from children under 16
- Sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation)
4. How We Use Your Information
Purposes of Processing
| Purpose | Categories of Data | Legal Basis (GDPR) | APPI Basis |
| Respond to inquiries | Contact information | Legitimate interest | Specified purpose |
| Deliver licenses | Email, License Key | Contract performance | Contract fulfillment |
| Validate licenses | Activation data | Contract performance | Service provision |
| Prevent license abuse | Hardware ID (hashed) | Legitimate interest | Fraud prevention |
| Provide technical support | Contact info, License data | Contract performance | Customer service |
| Improve services | Aggregated analytics | Legitimate interest | Service improvement |
| Legal compliance | Various | Legal obligation | Legal requirement |
| Vault file storage & sharing | Account data, uploaded files (encrypted) | Contract performance | Service provision |
| Vault collaboration guest access | Guest email, IP address, User-Agent | Legitimate interest | Security / Service provision |
| Vault security audit trail | Audit logs (all user/guest actions) | Legitimate interest | Security / Compliance |
| Vault malware protection | Uploaded files (scanned locally) | Legitimate interest | Security |
What We Do NOT Do
- No Selling: We DO NOT sell, rent, or trade your personal information to third parties for marketing purposes.
- No Profiling: We DO NOT use your personal information for automated decision-making or profiling that produces legal effects.
- No Marketing: We DO NOT send unsolicited marketing emails unless you have explicitly opted in.
5. Data Sharing & Disclosure
Service Providers
We share personal information with the following categories of service providers:
| Provider Category | Purpose | Data Shared | Location | Safeguards |
| Payment Processor (Stripe) | Payment processing | Email (for receipts) | USA | Standard Contractual Clauses |
| Hosting Provider | Website/API hosting | All data processed | Japan | APPI compliance |
Legal Disclosures
We may disclose personal information when required by law, including:
- Court orders or legal process
- Requests from law enforcement agencies
- Protection of our legal rights
- Investigation of fraud or security incidents
- Protection of the rights, property, or safety of our users or the public
Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity. We will notify you of any such change.
No Other Sharing
We do not share personal information with third parties except as described in this Policy.
6. International Data Transfers
Primary Storage
Personal information is primarily stored on servers located in Japan.
Cross-Border Transfers
When we transfer personal information outside Japan, we ensure adequate protection through the following mechanisms:
| Destination | Mechanism | Safeguards |
| EU/EEA | Adequacy decision | Japanese data protection law recognized as adequate by EU |
| USA (Stripe) | Standard Contractual Clauses (SCCs) | Contractual data protection obligations |
| Other countries | Case-by-case assessment | Appropriate safeguards per APPI |
Your Consent
For transfers to countries without adequate data protection, we will obtain your explicit consent where required by APPI or GDPR.
7. Data Retention
Retention Periods
| Data Category | Retention Period | Basis |
| Contact form submissions | 2 years after last contact | Business necessity |
| License activation data | Duration of license + 1 year | Contract fulfillment |
| Payment records | 7 years | Japanese tax law requirements |
| Support tickets | 2 years after resolution | Customer service |
| Security logs | 1 year | Security requirements |
| Vault account data | Duration of account + 30 days | Contract fulfillment |
| Vault uploaded files | Duration of account (soft-deleted files purged after 30 days) | Service provision |
| Vault collaboration audit logs | 1 year after collaboration space is revoked | Security / Compliance |
| Vault collaboration guest data | Duration of collaboration space + 1 year | Audit trail |
Deletion
After the retention period expires, personal information is securely deleted or anonymized.
8. Data Security
Technical Measures
We implement appropriate technical security measures, including:
- Encryption of data in transit (TLS 1.3)
- Encryption of sensitive data at rest
- Secure password hashing for authentication
- Regular security updates and patches
- Access controls and authentication requirements
- Network security measures (firewalls, intrusion detection)
Organizational Measures
- Limited access to personal information on a need-to-know basis
- Employee training on data protection
- Incident response procedures
- Regular security assessments
KyotoTech Vault — Additional Security Measures
For KyotoTech Vault, we implement the following additional measures:
- End-to-end encryption: All uploaded files are encrypted at rest using AES-256 with per-organization RSA key pairs
- Automated virus scanning: All uploaded files are scanned using ClamAV (locally, no data sent to third parties)
- Collaboration guest security: Optional password protection and email-based OTP verification for shared spaces
- Comprehensive audit logging: All actions (login, upload, download, rename, delete) are logged with IP address, User-Agent, and timestamps
- Session management: Guest sessions expire after 7 days or 15 minutes of inactivity
Uploaded Content — Liability Disclaimer
Users and collaboration guests are solely responsible for the content they upload to KyotoTech Vault. KyotoTech does not review, endorse, or assume liability for uploaded content. We reserve the right to remove content that violates applicable laws or our Terms of Service. Files identified as malware by our automated virus scanning will be quarantined.
No Guarantee
While we implement reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
Breach Notification
In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by applicable law (APPI, GDPR).
9. Your Rights
Rights Under APPI (Japan)
Under Japan's Act on the Protection of Personal Information, you have the following rights:
| Right | Description |
| Access (開示請求) | Request disclosure of your personal information |
| Correction (訂正請求) | Request correction of inaccurate information |
| Deletion (削除請求) | Request deletion of your personal information |
| Suspension of Use (利用停止請求) | Request cessation of use of your information |
| Third-Party Disclosure | Request information about third-party disclosures |
Additional Rights Under GDPR (EU/EEA Residents)
If you are located in the EU/EEA, you additionally have the right to:
| Right | Description |
| Data Portability | Receive your data in a structured, machine-readable format |
| Restriction of Processing | Request limitation of processing in certain circumstances |
| Object to Processing | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time (where processing is based on consent) |
| Lodge a Complaint | File a complaint with a supervisory authority |
How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Response Time
- APPI: Without delay, and in any case within 2 weeks
- GDPR: Within 1 month (extendable by 2 months for complex requests)
Verification
We may require verification of your identity before processing requests.
No Fee
We will not charge a fee for reasonable requests, except as permitted by law for manifestly unfounded or excessive requests.
10. Cookies & Tracking
Cookies We Use
| Cookie Type | Purpose | Duration | Consent Required |
| Essential | Website functionality | Session | No (strictly necessary) |
| Language Preference | Remember language selection | 1 year | No (functional) |
KyotoTech Vault — Browser Storage
KyotoTech Vault uses browser storage (localStorage and sessionStorage) for the following purposes:
- Authentication tokens: JWT tokens stored in localStorage (registered users) or sessionStorage (collaboration guests) to maintain your session
- User preferences: Language and theme settings stored in localStorage
These are not cookies and are not sent to third parties. Session storage is automatically cleared when the browser tab is closed.
What We Do NOT Use
- Third-party advertising cookies
- Cross-site tracking
- Social media tracking pixels
- Fingerprinting technologies
Analytics
We use privacy-first analytics that:
- Does not use cookies
- Does not track individual users
- Collects only anonymous, aggregated data
- Does not share data with third parties
11. Newsletter Subscriptions
Purpose & Scope
If you subscribe to our newsletter, we process your data for the sole purpose of sending product updates, industry insights, and announcements about KyotoTech services. Subscription is voluntary and not required to use any of our products.
Data Collected at Subscription
| Data Element | Purpose | Storage |
| Email address | Newsletter delivery, unsubscribe handling | Encrypted at rest (AES-256-GCM) |
| Confirmation / unsubscribe token (UUID) | Opt-in verification, one-click unsubscribe | Plain (per-subscriber random value) |
| Subscription timestamp | Proof of consent, audit trail | Plain |
| Country (ISO 3166 alpha-2) derived from IP | Determines applicable consent process (see below) | Plain. The IP address itself is not stored. |
| Selected interface language (de / en / ja) | Localization of the welcome / confirmation email; consent process selection | Plain |
| Consent method (double_opt_in / single_opt_in) | Audit record of how consent was obtained | Plain |
Legal Basis
- GDPR (EU/EEA), UK GDPR, Swiss revDSG: Art. 6(1)(a) GDPR — explicit consent obtained via the subscription form and confirmed via double opt-in.
- APPI (Japan): Specified purpose with prior consent obtained via the subscription form (Art. 17, 18 APPI). The Japanese Act on Regulation of Transmission of Specified Electronic Mail (特定電子メール法) requires prior opt-in but does not require a separate confirmation step.
- Other jurisdictions: Consent obtained via the subscription form, confirmed via double opt-in by default.
Consent Process (Region-Dependent)
To balance the legal requirements of different jurisdictions with usability for our subscribers, the consent process is determined automatically based on the language you selected on our website and on the country derived from your IP address at the time of subscription.
| Detected context | Process |
| German interface language | Double opt-in (overrides IP detection) |
| EU/EEA, United Kingdom or Switzerland (by IP) | Double opt-in |
| Japan (by IP) | Single opt-in (immediate activation, welcome email with one-click unsubscribe) |
| Any other / unknown location | Double opt-in (conservative default) |
Double opt-in: After you submit the subscription form, we send a confirmation email containing a verification link. Your email address is added to the active mailing list only after you click that link. Unconfirmed subscriptions are removed automatically after 24 hours.
Single opt-in: Your email address is added to the active mailing list immediately upon submitting the form. We send a welcome email containing a one-click unsubscribe link. You can withdraw your consent at any time using that link.
Email Delivery & Recipients
Newsletter emails are delivered via Google Workspace (Gmail SMTP), operated by Google LLC (United States). When sending an email, your email address and message content are transmitted to Google's mail servers for delivery.
- Google is contractually bound by the EU Standard Contractual Clauses for international data transfers
- Google's privacy policy applies to their processing: policies.google.com/privacy
- We do not share subscriber data with any other third party for marketing or analytics purposes
Newsletter Analytics
Our newsletters contain a 1×1 pixel image and link redirects that allow us to measure aggregated, anonymous engagement (how many people opened a given newsletter and which links were clicked). We use this only to evaluate which content is useful and to improve future editions.
What we collect for analytics:
- The newsletter slug (which edition was opened or clicked)
- The country derived from your IP via GeoIP — the IP itself is not stored
- The newsletter language
- A coarse device class (mobile / tablet / desktop / mail proxy / bot)
- The timestamp of the open or click
- For clicks: the destination URL
What we do not do:
- No subscriber identifier is included in the pixel or link — we cannot link an open or click to your email address.
- No cookies or browser-storage are set — this is why no cookie banner is shown.
- No third-party analytics provider is involved.
- No individual profiles, no re-targeting, no advertising IDs.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in measuring the effectiveness of our own newsletter, balanced against the minimal, fully anonymised data collected.
Retention: Aggregated analytics rows are kept for up to 24 months and then deleted automatically.
Limitations to be aware of: Apple Mail Privacy Protection pre-loads all images, which inflates open rates for iOS recipients. Image proxies (e.g. Gmail) may report a server location instead of the recipient's. Open figures should be treated as a trend, not as exact numbers.
Retention
Your subscription data is retained until you unsubscribe. Once you unsubscribe:
- Your email address is removed from the active mailing list immediately
- An anonymized record (date of unsubscription only) may be retained for audit purposes for up to 12 months
Right to Withdraw Consent
You can withdraw your consent at any time, with no justification required:
- Unsubscribe link: Every newsletter email contains a one-click unsubscribe link in the footer
- Email request: Send a request to support@kyototech.co.jp
Withdrawing consent does not affect the lawfulness of processing prior to the withdrawal.
12. Third-Party Services
Payment Processing (Stripe)
We use Stripe for payment processing. When you make a purchase:
- Your payment information is processed directly by Stripe
- We do not receive or store your credit card information
- Stripe is PCI DSS compliant
- Stripe's privacy policy applies: stripe.com/privacy
Email Delivery (Google Workspace / Gmail SMTP)
Transactional and newsletter emails are delivered via Google Workspace (Gmail SMTP), operated by Google LLC (United States):
- Recipient email address and message content are processed by Google for delivery
- International transfer is covered by the EU Standard Contractual Clauses
- Google's privacy policy applies: policies.google.com/privacy
NuGet Package Distribution
Our Software is distributed via NuGet (nuget.org):
- NuGet's privacy policy applies to package downloads
- We do not receive personal information from NuGet downloads
Links to External Sites
Our website may contain links to external sites. We are not responsible for the privacy practices of other sites. We encourage you to read their privacy policies.
13. Children's Privacy
Age Restriction
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16.
Parental Notice
If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.
Contact Us
If you believe we have collected information from a child under 16, please contact us immediately at support@kyototech.co.jp.
14. Changes to This Policy
Right to Update
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
Notification
We will notify you of material changes by:
- Posting the updated Policy on our website
- Updating the "Effective Date" at the top
- For significant changes, sending email notification to affected users
Review
We encourage you to review this Policy periodically.
15. Contact Us
Privacy Inquiries
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
Postal Address
KyotoTech LLC (合同会社KyotoTech)
〒612-8083 京都市伏見区京町2丁目237-202
Kyoto, Japan
Supervisory Authorities
Japan (APPI):
Personal Information Protection Commission (個人情報保護委員会)
www.ppc.go.jp
EU/EEA (GDPR):
You have the right to lodge a complaint with a supervisory authority in your country of residence.
Version History
| Version | Date | Changes |
| 3.4 | April 18, 2026 | Added newsletter analytics: anonymous open-pixel and click-redirect aggregation (slug, country from GeoIP, language, device class, timestamp). No subscriber identifier, no cookies, no IP storage. Retention 24 months. Legal basis Art. 6(1)(f) legitimate interest. |
| 3.3 | April 18, 2026 | Newsletter consent process is now region-dependent: double opt-in for EU/EEA/UK/CH and German-language signups, single opt-in for Japanese IP addresses (APPI). Documented derived country, language and consent_method as audit data; clarified that the IP address itself is not stored. |
| 3.2 | April 16, 2026 | Added newsletter subscription processing: double opt-in, data collected, Google Workspace SMTP delivery, retention, withdrawal rights |
| 3.1 | March 17, 2026 | Added KisoStats: explicit no-data-collection statement for macOS system monitor utility |
| 3.0 | March 13, 2026 | Added KyotoTech Vault: file storage, collaboration spaces, guest access, audit logging, virus scanning, uploaded content liability disclaimer |
| 2.0 | December 31, 2025 | Major update: Added GDPR/APPI compliance details, international transfers, data retention, expanded rights |
| 1.0 | January 2025 | Initial release |