DRAFT — not legal advice; counsel review required.
cloud-itonami — Privacy Policy
Governing law: Japan
Last updated: 2026-07-02 (DRAFT)
This Privacy Policy explains how the cloud-itonami service ("the Service") handles personal data. cloud-itonami is a B2B business operating system. In most cases the Service processes personal data contained in a Customer's business records as a processor on the Customer's behalf; the Customer is the controller for that data. The operator acts as controller only for limited account and operational data.
1. Data We Collect
- Customer Data (processed on behalf of the Customer). Business facts that the Customer ingests or generates in its tenant graph (
{org}/{repo}), including mail, calendar, documents, Teams/chat, CRM, contracts, invoices and billing, financial/accounting records, HR/people records, and PLM/ERP/MES records, together with derived activities, decisions, proposed and executed effects, artifacts and append-only audit events. This may contain personal data about the Customer's own staff, customers and counterparties. - Account and tenant data. Organizations (
itonami.org), repositories (itonami.repo), members (itonami.member) and permissions (itonami.permission). - Authentication data. Operator tokens and CACAO/
did:keyactor credentials. - Operational/technical data. Logs and metadata generated by hosting the Service (e.g. request metadata on Cloudflare).
[CONFIRM: exact operational logging scope and analytics, if any]
2. Purposes of Processing
- To provide, operate and secure the Service.
- To run the
activity → decision → effect → auditflow and agent proposals for the Customer. - To maintain the audit ledger for accountability and traceability.
- To manage accounts, tenants, seats and permissions.
- To comply with legal obligations.
3. Legal Bases (GDPR, where applicable)
- For Customer Data processed as a processor: the Customer's legal basis as controller; the operator processes per the Customer's instructions and the DPA.
- For account/operational data as controller: performance of a contract (Art. 6(1)(b)) and legitimate interests in operating and securing the Service (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)).
4. Sharing and Disclosure
We do not sell personal data. We share personal data only with subprocessors (Section 5), within the Customer's own organization per its permission model, and where required by law or to protect rights and safety.
5. Subprocessors
[CONFIRM: Cloudflare (Pages/Workers/KV hosting) / net-kotobase (kotobase.net PDS, business-state persistence) / Stripe (billing, if used) — confirm the complete subprocessor list, roles and locations]
6. International Transfers
Customer Data may be stored and processed on infrastructure located outside the Customer's country (e.g. Cloudflare's global edge and the kotobase PDS). Where GDPR/UK GDPR applies, transfers rely on appropriate safeguards such as Standard Contractual Clauses. [CONFIRM: transfer mechanism and hosting regions]
7. Retention
Customer Data is retained for the term of the Customer's use and for a limited period thereafter to permit export, and then deleted or returned. Audit-ledger records may be retained longer for legal, accounting and dispute purposes. [CONFIRM: specific retention periods per data category and audit ledger]
8. Security
The Service uses tenant isolation (per-{org}/{repo} graph separation), capability-based permissions, and authenticated writes (operator token and/or CACAO/did:key). [CONFIRM: encryption at rest/in transit, access controls and incident-response commitments]
9. Your Rights
- APPI (Japan): rights to disclosure, correction, addition or deletion, cessation of use, and cessation of third-party provision of retained personal data. Where the operator acts as a processor, requests from data subjects are generally directed to the Customer as the handling business.
- GDPR/UK GDPR: access, rectification, erasure, restriction, portability, objection, and rights regarding automated decision-making. Note that AI output is proposal-only and executed effects require human approval (see Terms Section 4).
- CCPA/CPRA (California): right to know, delete, correct, and opt out of sale/sharing; we do not sell personal data.
To exercise rights, contact us (Section 11); if the operator is a processor, we will refer or assist the Customer as controller.
10. Children
The Service is a B2B product and is not directed to children.
11. Contact
Controller / operator: Gftd Japan 株式会社 (Gftd Japan K.K.). Email: hello@gftd.co.jp. Registered address: GranTokyo South Tower 11F, 1-9-2 Marunouchi, Chiyoda-ku, Tokyo 100-6611, Japan (Corporate Number 1011101086505). No DPO or EU-UK GDPR Art. 27 representative is designated at this time.
12. Changes
We may update this Policy and will provide notice of material changes.