1. About this notice
In this notice, we provide you with information related to the processing of your personal data. This notice sets out the basis on which any personal data that you provide to us, or that we obtain about you from other sources, will be processed by us. Please take the time to read and fully understand this notice.
2. Information about us
For the purposes of data protection law, Sanrio Company, Ltd. (“we”, “us,” and “our”) is a data controller in respect of your personal data, and we are committed to respecting your privacy. Our contact details are as follows:
(a) Main office address: 1-11-1, Osaki, Shinagawa-Ku, Tokyo 141-8603;
(b) Tel: +81-3-3779-8163
(c) Email: sanrio-kojinhogo@sanrio.co.jp
3. Definitions
In this notice:
(a) “Personal Data” means any data/information which relates to you from which you can be identified, as well as other data/information defined as “personal data,” ”personal information,” or equivalent term under applicable data protection laws. It includes your contact details, other personal information, and photographs; and
(b) “Processing” means any activity or operation that is carried out in respect of your Personal Data, such as collecting, storing, using, transferring, or deleting it.
4. How we collect your Personal Data and what Personal Data we collect
We may Process Personal Data about you collected through your completion of forms on our websites or otherwise. Such Personal Data typically includes your name, birthdate, company, address, region, e-mail address, credit card information, identification documents (e.g., driver’s license card, driving record certificate, residence card, special permanent resident certificate, passport), account information, login information, password, creator ID, screen name, nickname, thumbnail. images, language setting, information on artwork/content, and posted comments and other texts/images.
When you visit our websites, we may automatically collect, store, and use technical information about your equipment and your interaction with our websites, including cookies and browsing history. Please see our cookie policy for more information about our use of cookies and how to disable them.
5. Purpose and legal basis of Processing Personal Data
We use the Personal Data that we hold about you for the following purposes:
- Providing Charaforio services;
- Payment and tax procedures;
- Coordination of sales territories;
- Identity verification;
- Sending direct marketing materials;
- Responding to questions, requests and other inquiries we receive from you;
- Managing or transferring our assets or liabilities, for example in the case of an acquisition, disposition or merger;
- Protecting us, yourself and others from fraud and error and to safeguard our business interests; and
- Submitting various applications and reports to the government, public agencies and other third parties as required by any applicable laws or if it is considered to be necessary.
The legal basis for the Processing of your Personal Data is as follows:
- Provision of your consent in accordance with Art.6 (1)(a) of the General Data Protection Regulation (“GDPR”);
- Where the Processing of your Personal Data is necessary to entering into a contract with you, or fulfill obligations under a contract with you in accordance with Art.6 (1)(b) of the GDPR;
- Where the Processing of your Personal Data is necessary to comply with applicable laws in accordance with Art.6 (1)(c) of the GDPR;
- Where the Processing of your Personal Data is necessary to pursue our legitimate interests in accordance with Art.6 (1)(f) of the GDPR (e.g., coordination of sales territories).
We do not Process your “sensitive data” (information about your race, ethnic origin, religion, physical or mental health, political opinions, sexual life, any actual or alleged criminal offence, or genetic and biometric data).
6. Disclosure of Personal Data to recipients
We may share your Personal Data with recipients in the following situations:
(a) Internal use by us: Our employees who are authorized and who have a need to access such data;
(b) Service providers: We may share your Personal Data with third-party service providers that perform certain services, such as providing IT services;
(c) Legal procedures and security: We may disclose your Personal Data to legal or government regulatory authorities as required by any applicable laws. We may also disclose your Personal Data to third parties as required by any applicable laws in connection with any claims, disputes, or legal proceedings, when otherwise required by any applicable laws, or if we determine that such disclosure is necessary to protect the health and safety of you or any other person, or to enforce our legal rights or contractual commitments that you have made; and
(d) Business transfers: Your Personal Data may be disclosed as a part of a corporate business transaction, such as a merger, acquisition, company split, business transfer, joint venture, or the financing or sale of company assets, and may be transferred to a third party as one of the business assets in such a transaction. Your Personal Data may also be disclosed in the event of insolvency, bankruptcy, or receivership.
We jointly use your Personal Data with our group companies within the following scope in accordance with the Act on the Protection of Personal Information of Japan (Act No.57 of 2003)
Scope of the joint users | Sanrio Company, Ltd., Sanrio Entertainment Co., Sanrio Enterprise Co., Ltd., Kokoro Company Ltd., Sanrio Music Publications Co., Ltd. |
Purpose for which the personal data will be used |
・Providing Charaforio services; ・Payment and tax procedures; ・Coordination of sales territories; ・Identity verification; ・Sending direct marketing materials; ・Responding to questions, requests and other inquiries we receive from you; ・Managing or transferring our assets or liabilities, for example in the case of an acquisition, disposition or merger; ・Protecting us, yourself and others from fraud and error and to safeguard our business interests; and ・Submitting various applications and reports to the government, public agencies and other third parties as required by any applicable laws or if it is considered to be necessary. |
Personal data that will be used jointly | Name, birthdate, company, address, region, e-mail address, credit card information, identification documents (e.g., driver’s license card, driving record certificate, residence card, special permanent resident certificate, passport), account information, login information, password, creator ID, screen name, nickname, thumbnail images, language setting, information on artwork/content, and posted comments and other texts/images |
Name of the joint user responsible for managing the personal data |
Sanrio Company, Ltd. Please see the corporate website about the address and the name of the president |
We may disclose or provide your Personal Data to the following categories of third-parties in accordance with the Act on the Protection of Personal Information of Japan (Act No.57 of 2003)
1. Affiliates: We may disclose or provide your Personal Data to Sanrio group companies (*1).
*1: Sanrio Company, Ltd., Sanrio Entertainment Co., Ltd., Sanrio Enterprise Co., Ltd., Kokoro Company Ltd., Sanrio Music Publications Co., Ltd.
2. Employees: We may disclose or provide your Personal Data to our employees who are authorized and who have a need to access such data.
3. Service Providers: We may disclose or provide your Personal Data to service providers that perform certain services, such as IT service providers (including data servers, cloud service providers, AI service providers, digital wallet service providers), data analytics service providers, advertising or email distribution service providers, payment service providers.
7. Transfer of Personal Data outside the European Economic Area and the United Kingdom
Personal Data that we hold about data subjects residing in the EEA and/or the UK may be transferred to, and stored by, a third party outside the EEA and/or the UK. In cases where we transfer such Personal Data outside the EEA and/or the UK, we will ensure that:
(a) The recipient destination has been subject to a finding by the European Commission that it ensures an adequate level of protection in relation to the rights and freedoms that the data subjects possess in respect of their Personal Data and/or the Government of the UK has specified the recipient destination as a country that ensures an adequate level of protection as provided under the Data Protection Act 2018; or
(b) The recipient enters into standard data protection clauses with us that have been approved by the European Commission and/or the Government of the UK.
You may obtain more details on the protection given to such Personal Data when it is transferred outside the EEA and/or the UK (including a copy of the standard data protection clauses and the binding corporate rules) by contacting us using the information about us indicated in Section 2 above.
8. Storage limit of Personal Data
We will retain the Personal Data that we collect about you for the period necessary to Process such Personal Data, except to the extent that we are required by law to retain it for a longer period of time, in which case, we will retain it for the period required by law. In regard to the storage period of cookies, please see our cookie policy. Specifically, we will apply the retention period stated below for each of the specific categories of the Personal Data we collect for the Charaforio services, provided that we may retain such Personal Data for a longer period if required by law:
(a) Account registry information (email address, login information, password, creator ID, nickname, screen name, date of birth, language setting, profile image, self introduction): until up to 2 years after withdrawing from Charaforio services:
(b) Comments, articles, works, reaction, thumbnail image, information on artwork/content, and any other texts/images you posted: until up to 2 years after withdrawing from Charaforio services
(c) Social tipping you conducted: until up to 2 years after withdrawing from Charaforio services
(d) Payment registry information (credit card information, company, address, region, and email address): until up to 2 years after withdrawing from Charaforio services
(e) Information on identification documents: until the end of using Charaforio services
(f) Pseudonymized data of the data above (a) and (b) stored on analytical infrastructure: until less than 6 years after withdrawing from Charaforio services
9. Your rights
You have a number of legal rights in relation to the Personal Data that we hold about you. These rights may vary depending on where you are located and which data protection laws apply to the relationship between you and us, but will typically include the following:
(a) Right to obtain information regarding the Processing of your Personal Data and to access the Personal Data that we hold about you;
(b) Right to request rectification of your Personal Data if it is inaccurate or incomplete;
(c) Right to request erasure of your Personal Data in certain circumstances. This may include circumstances in which:
(i) It is no longer necessary for us to retain your Personal Data for the purposes for which we collected it;
(ii) We are only entitled to Process your Personal Data with your consent, and you withdraw such consent;
(iii) You object to our Processing of your Personal Data for our legitimate interests, and such legitimate interests do not override your own interests, rights, or freedoms; and
(iv) Your Personal Data has been unlawfully Processed by us;
(d) Right to request that we restrict our Processing of your Personal Data in certain circumstances. This may include circumstances in which:
(i) You dispute the accuracy of your Personal Data (but only for the period of time necessary for us to verify its accuracy);
(ii) We no longer need to use the Personal Data except to establish, exercise, or defend legal claims;
(iii) You object to our Processing of your Personal Data for our legitimate interests (but only for the period of time necessary for us to assess whether such legitimate interests override your own interests, rights, or freedoms); and
(iv) Your Personal Data has been unlawfully Processed by us, but you oppose the erasure of your Personal Data and instead request the suspension of its use;
(e) Right to object to our Processing of your Personal Data;
(f) Right to receive any Personal Data which we Process about you on the basis of your consent (as opposed to any other legal ground) and where such Processing is carried out by automated means in a structured, commonly used, and machine-readable format and/or to request that we transmit such Personal Data to a recipient where this is technically feasible. Please note that this right only applies to Personal Data which you have provided to us;
(g) Right to withdraw your consent to our Processing of your Personal Data at any time. However, please note that we may still be entitled to Process your Personal Data if we can rely on another legal ground for doing so.
You may exercise any of your rights by contacting us using the information about us indicated in Section 2 above. You may also lodge a complaint with the competent data protection authority if you believe that any of your rights have been infringed by us.
For Residents in California
Last Updated: [08/07/2024]
If you are a California “consumer” within the meaning of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), this addendum applies to you.
1. Collection, use, and disclosure of Personal Data
A. Categories, sources, and purposes of your Personal Data collected or to be collected
We may collect, and have collected the following categories of Personal Data (as listed in the CCPA) during the last twelve (12) months:
- Identifiers, such as your name, address, email address, creator ID, screen name, nickname, and cookies;
- Other information, such as birthdate, credit card information; thumbnail image, language setting, information on artwork/content, and posted comments and other texts/images;
- Internet or network activity information, such as cookies and browsing history;
- Geolocation data, such as region;
- Professional or employment-related information, such as company name; and
- Sensitive personal information, such as image of identification document (e.g., driver’s license card, driving record certificate, residence card, special permanent resident certificate, passport), and account information and login information in combination with password.
Business or commercial purposes. Section 5 (Purpose and legal basis of Processing Personal Data) of this notice lists the business or commercial purposes for which the categories of Personal Data will be collected and used, or were collected during the last twelve (12) months.
Categories of sources. The following is a list of the categories of sources from which Personal Data was collected during the last twelve (12) months:
- Directly from you; and
- Passively from your activities on our websites
Retention period. We retain each categories of Personal Data as described in Section 8 (Storage limit of Personal Data) of this notice.
B. Disclosure of your Personal Data
(A) Sharing of your Personal Data
We may share your Personal Data for cross-context behavioral advertising with third parties. The table below describes: (i) the categories of Personal Data that we have shared during the last twelve (12) months; and (ii) the categories of third parties with whom we have shared such Personal Data during the last twelve (12) months.
Category of Personal Data Shared | Third Parties with whom Personal Data Was Shared During the Last Twelve (12) Months |
Identifiers | Advertising network |
Internet or network activity information | Advertising network |
(B) Disclosure of Personal Data for business purposes
The table below describes: (i) the categories of Personal Data that we may have disclosed for our business purposes during the last twelve (12) months; and (ii) the categories of third parties to whom we have disclosed such Personal Data for our business purposes during the last twelve (12) months.
Category of Personal Data Disclosed | Third Parties to whom Personal Data Was Disclosed During the Last Twelve (12) Months |
Identifiers | Service providers including server management service providers, and platform management service providers. |
Other information | Service providers including server management service providers, platform management service providers, and payment service providers. |
Internet or network activity information | Service providers including server management service providers, and platform management service providers. |
Geolocation data | Service providers including server management service providers and platform management service providers. |
Professional or employment-related information | Service providers including server management service providers and platform management service providers. |
Sensitive personal information | Service providers including server management service providers and platform management service providers. |
Business or commercial purposes. Section 5 (Purpose and legal basis of Processing Personal Data) of this notice lists the business or commercial purposes for which the categories of Personal Data were disclosed during the last twelve (12) months.
2. Your rights and requests
If you are a California consumer, you have certain choices regarding your Personal Data, as described below:
I. Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information we have collected, used, and disclosed about you during the twelve (12) months preceding your request:
(I) The categories of Personal Data we collected about you;
(II) The categories of sources from which we collected such Personal Data;
(III) The business or commercial purpose(s) for collecting such Personal Data about you;
(IV) The categories of third parties to whom we disclosed such Personal Data; and
(V) The specific pieces of Personal Data we have collected about you.
II. Deletion: You have the right to request that we delete certain Personal Data we collected from you.
III. Correction: You have the right to request that we correct inaccurate Personal Data we maintain about you.
IV.Opt-out: You have the right to opt-out of the sharing of Personal Data.
How to submit a request. To make an access, deletion, or correction request (described above), please contact us by any of the following means:
- Calling +1-(202)-804-2960
- Submitting a webform via Data Subject Access Request Form
- Sending an e-mail to sanrio-kojinhogo@sanrio.co.jp
- Sending mail to Shinagawa-ku Osaki 1-11-1, Tokyo, Japan
To prevent your Personal Data from being shared, you can contact us via the link below.
Data Subject Access Request Form
Additionally, we process opt-out preference signals from Global Privacy Control (“GPC”). GPC is a browser-level technical specification that you can use to inform websites that you opt out of sharing of personal information for cross-context behavioral advertising. If you use GPC, our website will treat the browser you use to access our website as opted-out from sharing to the extent we engage in such processing. If you access our website from another browser, you will need to install GPC on that browser, unless we know that you previously enabled GPC on your original browser. You may learn how to set up GPC by visiting https://globalprivacycontrol.org.
Verifying requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your Personal Data or complying with your deletion or correction request. Upon receiving an access, deletion, or correction request from you, we will first verify your identity by requiring you to submit information necessary to verify your identity, such as your name and email address, and by matching the information you provide with what we already have on file.
If you use an authorized agent to make an access, deletion, or correction request on your behalf, we may require the authorized agent to provide proof that you gave the agent signed permission to make the request. Also, we may require you to either (1) verify your own identity directly with us (as described above), or (2) directly confirm with us that you provided the authorized agent permission to submit the request.
Additional information. If you choose to exercise any of your rights under the CCPA, you have the right to not receive discriminatory treatment by us. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
Please note, we do not use or disclose Sensitive Personal Information (as defined in CCPA) for any purposes not expressly permitted by the CCPA. that require us to support the right to limit the use or disclosure of Sensitive Personal Information.
3. Changes to this addendum
We review and may change this addendum from time to time. The “Date last updated” at the top of this page states when this addendum was last updated; any changes will become effective upon our posting the revised addendum.
We request you to bookmark and periodically review this addendum in order to ensure continuing familiarity with the most current version of this addendum.
4. Contact us
If you have any questions or concerns regarding this addendum or our privacy practices, please contact us at +1-(202) 804-2960 or sanrio-kojinhogo@sanrio.co.jp.