Privacy Policy
Last Updated: April 1, 2026
Section 1. Basic Policy
JPSM Group ("we," "our," or "us") treats privacy and informational self-determination as core trust requirements for SmoothQ, a nationwide wait-time prediction platform serving facilities with strong public relevance. We handle information in accordance with the Act on the Protection of Personal Information, the Telecommunications Business Act, related regulations, and guidance issued by the Personal Information Protection Commission, and we maintain organizational, human, physical, and technical safeguards on an ongoing basis.
Section 2. Scope of Application
This Policy applies to information we obtain or hold in connection with the SmoothQ website, APIs, inquiries, incident reports, materials requests, accessibility requests, authentication, maintenance operations, and anti-abuse controls. Information independently collected by municipalities, medical institutions, third-party platforms, or linked external websites is governed by those entities' own rules rather than this Policy. This Policy should be read together with our Cookie Policy, Terms of Service, and Security Policy.
Section 3. Categories of Information We May Collect
We may collect information such as name, email address, organization, prefecture, inquiry contents, incident descriptions, login identifiers, authentication history, IP address, timestamps, viewed URLs, referrers, device identifiers, browser type, operating system, screen resolution, cookie identifiers, approximate location data used for map rendering, search conditions, viewed facilities, accessibility preferences, and wait-time refresh history. Even where such information does not directly identify a person on a standalone basis, it may still be managed as personal related information or user-related information under applicable law.
Section 4. Means of Collection
We may receive information directly from users through forms, email, API submissions, identity confirmation materials, and similar channels. We may also automatically obtain technical data generated by browsers or applications, authentication tokens, CSRF protection tokens, access logs, error logs, monitoring signals, and communications required for third-party map tile delivery. When we lawfully receive information from partners or service providers, we confirm the source, collection context, and legal basis before using it for legitimate purposes.
Section 5. Purposes of Use
We use collected information for service provision, authentication, identity verification, operations monitoring, maintenance, improvement of wait-time prediction quality, anti-fraud and anti-abuse controls, inquiry handling, distribution of important notices, legal and contractual compliance, generation of statistical insights, accessibility improvements, quality review, dispute response, and audit trail retention. If we need to use information beyond those purposes, we will specify the additional purpose and take required measures such as notice or consent unless a legal exception applies.
Section 6. Applicable Legal and Regulatory Framework
Our internal rules are built primarily on the Act on the Protection of Personal Information and the related PPC guidelines, while also taking into account the external transmission requirements under the Telecommunications Business Act, the Act on Specified Commercial Transactions, the Consumer Contract Act, the Unauthorized Computer Access Prohibition Act, the Basic Act on Cybersecurity, and other relevant rules. Unless otherwise defined, terms in this Policy should be interpreted consistently with applicable Japanese law and guidance.
Section 7. External Transmission and Browsing Data
SmoothQ uses cookies for authentication and anti-forgery protection, browser storage for user settings, and external map tile delivery for map rendering. In light of the external transmission rules under the Telecommunications Business Act, we disclose in our Cookie Policy or other appropriate notices the categories of information transmitted, the destination, the purpose, and available controls. As of April 1, 2026, our public site does not ordinarily deploy optional advertising or third-party behavioral advertising cookies on a permanent basis. If we introduce optional analytics or advertising technologies in the future, we will provide appropriate notice, controls, and, where required, consent mechanisms.
Section 9. Management of Contractors
We may outsource certain functions such as cloud infrastructure, monitoring, inquiry handling, email delivery, or vulnerability assessment. In those cases, we evaluate the contractor's information governance, subcontracting controls, confidentiality, incident reporting, deletion and return procedures, and possible international data movement before engagement. Contractual safeguards and ongoing oversight are used to ensure that outsourced processing remains appropriate.
Section 10. Transfers to Foreign Third Parties
If we need to entrust or provide personal data to a party located outside Japan, we review the legal framework of the destination country or region, the recipient's safeguards, contractual protections, and any other measures required by law. We assess necessity, available alternatives, data sensitivity, and potential public impact before deciding whether such transfer is appropriate.
Section 11. Security Safeguards
Our safeguards include access control, privilege separation, TLS 1.3-preferred transport protection, avoidance of TLS versions below 1.2 except where unavoidable for compatibility, AES-256-equivalent encryption for data at rest where appropriate, audit log preservation, vulnerability assessments, configuration management, encrypted backups, malware controls, environment-variable-based secret handling, workforce training, and vendor oversight. Additional operational details are implemented under our Security Policy and internal standards.
Section 12. Retention Periods
Retention periods are set based on the purpose of use, legal obligations, audit needs, dispute readiness, and operational necessity. As a general reference point, authentication and access logs are retained for 180 to 365 days, inquiry records for three years after completion, incident records for five years to support corrective action, and encrypted backups for up to 35 days. We may retain data longer where required by law, regulators, audits, or dispute response, but only to the extent reasonably necessary.
Section 13. Requests Regarding Retained Personal Data
Subject to applicable law, data subjects may request notification of purpose of use, disclosure, correction, supplementation, deletion, suspension of use, erasure, or suspension of third-party provision with respect to retained personal data. We will respond within a reasonable period after verifying identity and, where applicable, agency authority. We may be unable to fulfill some or all of a request where legal retention obligations apply, another person's rights would be harmed, or the request is otherwise excluded by law.
Section 14. Children and Minors
SmoothQ is broadly available to the public, but if a minor submits an inquiry, registers an account, or enters personal information, we recommend that such action be taken with the involvement of a parent or other legal representative. We apply heightened caution to information relating to minors and do not use it for unnecessary profiling or advertising-oriented purposes.
Section 15. Response to Leakage or Other Incidents
If we become aware of a leakage, loss, damage, or similar incident involving personal data, or a reasonable possibility thereof, we promptly investigate facts, identify scope, contain impact, preserve evidence, and formulate recurrence-prevention measures. Where reporting or notification is required by law, we will report to the relevant authorities and notify affected data subjects with information regarding the nature of the incident, likely impact, cause, and mitigation steps.
Section 16. Amendments to This Policy
We may revise this Policy in response to legal changes, regulatory guidance, service expansion, technical changes, or revised risk assessments. Material changes will be communicated through service notices, updated effective dates, and, where appropriate, direct notice. Unless otherwise stated, revised terms take effect when posted on the Service.
Section 17. Contact Window
Questions regarding this Policy, the handling of personal information, requests concerning retained personal data, external transmission, security, or accessibility may be submitted to the contact point below. Depending on the nature of the inquiry, we may conduct fact-finding, identity confirmation, and coordination with technical or legal teams. We aim to provide an initial response within ten business days under normal circumstances.
Operator
JPSM Group Supervising Operations Executive: Haruki Ogasawara Locations: Tokyo / Okayama / Ibaraki Contact: contact@smoothq.jp
SmoothQ: https://smoothq.jp/