Privacy Policy

1. Introduction

This Privacy Policy explains how Phennec ("we," "us," "our," or "Company") collects, uses, discloses, and safeguards information when you use our online service that acts as a proxy for third-party client data. We are committed to protecting your privacy and ensuring you have a positive experience on our platform.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our service. By accessing and using this service, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.

2. Definitions and Key Terms

Data Controller – The third-party client whose data is being proxied through our service; typically the entity that determines the purposes and means of data processing.

Data Subject – The individual to whom personal data relates.

Personal Data – Any information relating to an identified or identifiable natural person.

Processing – Any operation performed on data, including collection, storage, transmission, use, analysis, or deletion.

Proxy Service – Our intermediary service that receives, transmits, and manages data on behalf of third-party clients without storing or using that data for our own purposes.

3. Data We Process and Our Role

3.1 Types of Data Processed

We process data solely as a proxy for our third-party clients. The specific data we handle depends on each client's use case and may include:

Personal identification information (names, email addresses, phone numbers)
Account credentials and authentication data
Transaction and payment information
Location data
Device identifiers and technical data
Health, financial, or other sensitive information (depending on client requirements)

3.2 Our Role as a Data Processor

We operate as a Data Processor on behalf of our Data Controllers (third-party clients). This means:

We do not determine why or how data is collected or used
We process data only according to documented instructions from our clients
We do not use data for our own business purposes or marketing
We do not sell, rent, or share data with third parties except as instructed by clients
We maintain data security and confidentiality as contractually required

You should review the privacy policy of the third-party client whose service you are using to understand how your data is collected, used, and protected at the source.

4. How We Collect and Process Data

4.1 Data Collection Methods

We receive data from third-party clients through:

API integrations – Automated data transmission via secure application programming interfaces
Direct uploads – Clients uploading data files to our platform
Real-time data streams – Continuous data transmission from client applications
Form submissions – Data entered through client-provided interfaces that route through our proxy

4.2 Data Processing Activities

Our processing activities include:

Transmission – Routing data between clients and their designated endpoints
Storage – Temporary or persistent data storage as specified by client contracts
Authentication – Verifying user identity and access credentials
Logging – Recording transaction details for security and compliance purposes
Encryption – Securing data in transit and at rest
Deletion – Removing data upon client request or contract termination

5. Legal Bases for Processing

We process data based on the following legal grounds:

Contractual Necessity – Processing is necessary to fulfill our service agreement with third-party clients
Legal Obligation – We process data to comply with applicable laws, regulations, and court orders
Legitimate Interests – We process data for security, fraud prevention, and platform maintenance
Client Consent – Where clients have obtained consent from data subjects, we process on their behalf

We do not share data with third parties except in the following circumstances:

Client Instructions – When our client directs us to transmit data to specific endpoints or service providers
Service Providers – With vendors who assist us in operating our platform (hosting providers, security firms, payment processors), under strict confidentiality agreements
Legal Requirements – When required by law, court order, or government request
Subprocessors – With other processors engaged by our clients (disclosed in our subprocessor list)

6.2 International Data Transfers

If we transfer data across borders, we implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs) – EU-approved contractual protections for cross-border transfers
Binding Corporate Rules (BCRs) – Internal policies approved by data protection authorities
Adequacy Decisions – Where applicable, reliance on jurisdictions deemed adequate by regulators
Data Subject Consent – Where required by law

7. Data Security

7.1 Security Measures

We implement industry-standard security measures to protect data from unauthorized access, alteration, or loss:

Encryption – Data encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent)
Access Controls – Role-based access restrictions; employees access data only as needed
Authentication – Multi-factor authentication (MFA) for platform access
Monitoring – Continuous security monitoring and intrusion detection
Firewalls – Network firewalls and DDoS protection
Audits – Regular security audits and penetration testing
Incident Response – Documented procedures for responding to security breaches

7.2 Limitations

While we employ reasonable security measures, no system is completely secure. We cannot guarantee absolute security against all threats, including sophisticated attacks, insider threats, or zero-day vulnerabilities.

7.3 Notification of Data Breach

In the event of a personal data breach, we will take the following steps:

Authority Notification – Notify the competent data protection authority within 72 hours of becoming aware of the breach, where GDPR applies
Data Subject Notification – Notify affected data subjects without undue delay in cases of high risk to their rights and freedoms
Client Notification – Notify affected clients within the timeframe specified in the applicable service agreement

8. Data Retention

8.1 Retention Periods

Data retention depends on client contracts and legal requirements:

Active Service – Data is retained while your account or service is active
Client Instruction – We retain data according to retention schedules specified by clients
Legal Requirements – We may retain data longer if required by law (tax, regulatory, litigation holds)
Deletion Requests – Upon client or data subject request, we delete data within 30 days, subject to legal holds

8.2 Deletion Procedures

When data is deleted, we:

Remove it from active systems
Purge it from backup systems within 90 days
Document deletion in our records
Provide deletion confirmation to clients upon request

9. Your Privacy Rights

9.1 Rights of Data Subjects

Depending on your jurisdiction, you may have the following rights:

Right of Access – You may request a copy of personal data we hold about you
Right to Rectification – You may request correction of inaccurate data
Right to Erasure – You may request deletion of your data ("right to be forgotten")
Right to Restrict Processing – You may limit how your data is processed
Right to Data Portability – You may request your data in a structured, portable format
Right to Object – You may object to certain processing activities
Right to Lodge a Complaint – You may file a complaint with your data protection authority
Rights Related to Automated Decision-Making – You may request human review of automated decisions

9.2 How to Exercise Your Rights

To exercise any of these rights, please:

Contact the third-party client whose service you use (they are the primary Data Controller)
Contact us directly at privacy@phennec.ai if you cannot reach the client
Provide sufficient information to identify yourself and the data in question
Allow 30 days for us to respond to your request

10. Children's Privacy

Our service is not directed to children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete such data immediately.

If you are a parent or guardian and believe your child has provided data to us, please contact us at privacy@phennec.ai.

11. Cookies and Tracking Technologies

11.1 Cookies We Use

We use cookies and similar technologies for:

Session Management – Maintaining your login session
Security – Detecting and preventing fraud
Analytics – Understanding how our service is used (aggregate, non-personal data)
Preferences – Remembering your settings and preferences

11.2 Types of Cookies

Essential – Required for service functionality (session or persistent)
Analytical – Understand usage patterns (persistent, typically 1–2 years)
Preference – Remember user settings (persistent)
Third-Party – Analytics and security services (varies by provider)

You can control cookies through:

Your browser settings (block or delete cookies)
Our cookie consent banner (opt-in/opt-out)
Do Not Track (DNT) signals (we honor DNT requests where possible)

Note: Disabling essential cookies may impair service functionality.

12. Third-Party Links and Services

Our platform may contain links to third-party websites and services. We are not responsible for their privacy practices. We strongly encourage you to review the privacy policies of any third-party service before providing your data.

13. Data Protection Officer and Contact Information

13.1 Data Protection Officer

If you have privacy concerns, contact our Data Protection Officer:

Email: privacy@phennec.ai
Mailing Address: i3DESIGN Co., Ltd., 3F NMF Aoyama Ichome Building, 1-22 Akasaka 8-chome, Minato-ku, Tokyo 107-0052, Japan
Response Time: We aim to respond within 30 business days

13.2 Privacy Inquiries

For general privacy questions:

Email: privacy@phennec.ai
Mailing Address: i3DESIGN Co., Ltd., 3F NMF Aoyama Ichome Building, 1-22 Akasaka 8-chome, Minato-ku, Tokyo 107-0052, Japan

14. Your Rights Regarding Automated Decision-Making

If we use automated decision-making or profiling that produces legal or similarly significant effects, you have the right to:

Request human review of the decision
Express your point of view
Obtain an explanation of the decision logic

Currently, we do not engage in automated decision-making of this nature. If this changes, we will update this policy and notify affected users.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know – Request what personal information we collect and how it is used
Right to Delete – Request deletion of personal information (with exceptions)
Right to Opt-Out – Opt out of the "sale" or "sharing" of personal information
Right to Correct – Request correction of inaccurate personal information
Right to Limit Use – Limit our use of sensitive personal information
Non-Discrimination – We will not discriminate against you for exercising your rights

To submit a request, contact privacy@phennec.ai. We will verify your identity and respond within 45 days.

If you are located in the European Union, United Kingdom, or EEA, the General Data Protection Regulation (GDPR) applies:

You have all rights outlined in Section 9 of this policy
You may lodge a complaint with your national data protection authority
We have appointed a Data Protection Officer (see Section 13)
International transfers are protected by Standard Contractual Clauses or equivalent safeguards

17. Japanese Privacy Rights (APPI)

If you are a resident of Japan, you have the following rights under the Act on the Protection of Personal Information (APPI):

Right to request disclosure of retained personal data
Right to request correction, addition, or deletion of retained personal data
Right to request suspension of use or erasure of retained personal data
Right to request suspension of third-party provision of personal data

To exercise these rights, please contact us at privacy@phennec.ai. We will verify your identity and respond within the period required by applicable law.

18. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Posting the updated policy on our website with a "Last Updated" date
Sending you an email notification (if you have provided an email address)
Requiring your consent (if the changes significantly increase your privacy risks)

Your continued use of our service following notification constitutes your acceptance of the updated Privacy Policy.

19. Limitation of Liability

To the extent permitted by law, we are not liable for:

Unauthorized access to data due to circumstances beyond our reasonable control
Misuse of data by third parties, clients, or data subjects
Indirect, incidental, or consequential damages related to data processing
Data loss due to client error, deletion, or misuse

Our liability is limited to the amount you have paid us in the 12 months preceding the claim, except where prohibited by law.

20. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of Japan, without regard to its conflict of laws principles. Any legal action or proceeding shall be brought exclusively in the courts of Japan, and you consent to the personal jurisdiction of such courts.

21. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

i3DESIGN Co., Ltd.
Privacy Team
Email: privacy@phennec.ai
Mailing Address: 3F NMF Aoyama Ichome Building, 1-22 Akasaka 8-chome, Minato-ku, Tokyo 107-0052, Japan
Website: https://phennec.ai

Last Updated: February 2026
Effective Date: February 2026