NOREN · Legal
Privacy Policy
Last revised: 2026-05-16
Miki Matsushima (the "Operator") sets out this Privacy Policy (the "Policy") regarding the handling of personal information of users of the inbound experience-booking platform "NOREN" (URL: noren-trip.com, the "Service") operated by the Operator.
Because the Service primarily targets inbound international travelers to Japan, this Policy is grounded in Japan's Act on the Protection of Personal Information (APPI) while also respecting the principles of the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.
1. Definition of Personal Information
In this Policy, "personal information" means information about a living individual that can identify a specific individual through the name, date of birth, or other descriptions contained in the information, or that contains a personal identification code.
2. Information Collected
The Operator may collect the following information in providing the Service.
2-1. Information Collected Directly from Users
- Full name
- Email address
- Phone number
- Nationality / country of residence
- Language preference
- Number and attributes of participants (adults / children, etc.)
- Dietary restrictions, allergies, and other information necessary to deliver the Experience
- Emergency contact (only where required by the Experience)
- Hotel or other accommodation (for Experiences involving pickup)
- Inquiry content
- Reviews, comments, and other submissions
2-2. Information Collected Automatically
- IP address
- Browser type and version
- OS information
- Access timestamps
- Pages viewed and duration of stay
- Information collected via cookies and similar technologies
2-3. Payment Information
Credit card and other payment information is collected directly by the Operator's payment service provider (Square). The Operator does not retain sensitive payment data such as card numbers.
3. Purposes of Use
The Operator uses collected personal information for the following purposes.
- Provision and operation of the Service
- Booking intake, confirmation, modification, and cancellation handling
- Coordination and communication between Users and Organizers / Hosts
- Payment processing and revenue management
- Responses to inquiries and complaints
- Service improvement, new-feature development, and usage analysis
- User identity verification and fraud prevention
- Marketing communications (only where the User has consented)
- Compliance with laws and responses to legitimate requests from public authorities
4. Disclosure to Third Parties
The Operator does not disclose personal information to third parties except in the following cases.
4-1. With Consent
Where the User has given prior consent.
4-2. Disclosure to Organizers and Hosts
After a Booking is confirmed, the Operator provides Organizers and Hosts with personal information to the extent necessary for delivering the Experience (name, number of participants, emergency contact, special notes, etc.).
4-3. Disclosure to Subcontractors
To the extent necessary to operate the Service, the Operator may disclose personal information to the following subcontractors. Each subcontractor is contractually obligated to maintain safeguards equivalent to the Operator's own.
| Subcontractor | Information Provided | Purpose |
|---|---|---|
| Square, Inc. (US) | Payment information | Credit card payment processing |
| Vercel Inc. (US) | Access information | Website hosting |
| Supabase (US) | Registration and booking data | Database services |
| Resend, Inc. (US) | Email addresses and message content | Delivery of notification emails |
| Google LLC (US) | Access information | Site analytics (Google Analytics) |
Some of these subcontractors are located in the United States, which means personal information is transferred outside Japan (see "5. International Transfers" below).
4-4. Required by Law
Where disclosure is required by law or where a legitimate request is received from a court, administrative agency, or similar authority.
4-5. Protection of Life or Property
Where disclosure is necessary to protect a person's life, body, or property and obtaining the User's consent is difficult.
5. International Transfers
Some of the Operator's subcontractors are located in the United States, and User personal information may therefore be transferred outside Japan. The Operator implements appropriate measures through service agreements to ensure that an equivalent level of protection to Japan's Act on the Protection of Personal Information is maintained at the destination.
For Users residing in the EU or the UK, transfers are conducted in compliance with GDPR transfer requirements, relying on appropriate safeguards (contractual clauses, etc.).
6. Retention Period
The Operator retains personal information only for the period necessary to fulfill the purposes of use. Specific retention periods are as follows.
| Type of Information | Retention Period |
|---|---|
| Booking and transaction records | 7 years after transaction completion (per tax and commercial law requirements) |
| Account information | 30 days after account closure, then promptly deleted |
| Inquiry records | 2 years after the inquiry is resolved |
| Marketing-delivery history | Until the User opts out |
7. Security Measures
The Operator implements the following measures to prevent leakage, loss, or damage of personal information.
- SSL / TLS encryption of communications
- Encrypted storage of sensitive information in databases
- Access controls (only the minimum necessary personnel may access)
- Subcontractor selection criteria and contractual safety obligations
- Management of devices and media that handle personal information
- Compliance with applicable laws and guidelines
8. User Rights
Users have the following rights regarding their personal information.
- Right of disclosure — to request disclosure of personal information held by the Operator
- Right of correction, addition, or deletion — to request correction, addition, or deletion of personal information
- Right to suspend use or erase — to request the suspension of use or erasure of personal information
- Right to suspend third-party disclosure — to request that disclosure to third parties be suspended
- Right to data portability (for GDPR-eligible Users) — to receive personal information in a structured format and transfer it to another service
To exercise any of these rights, please contact us through "13. Contact" below. After identity verification, we will respond within a reasonable period.
9. Cookies and Similar Technologies
The Service uses cookies and similar technologies to improve user experience, analyze usage, and measure marketing effectiveness.
- Essential cookies — required for basic Service functions such as maintaining login state, language preference, and security
- Analytics cookies — for site analytics via Google Analytics and similar tools (anonymized aggregated data only)
- Marketing cookies — for measuring marketing effectiveness (only where the User has consented)
Users can refuse cookies through browser settings. However, disabling cookies may prevent certain Service functions from working correctly.
10. Children's Personal Information
The Service is generally intended for users aged 18 and over. If a person under 18 uses the Service, it should be done with the consent of a guardian. If the Operator unintentionally collects personal information from a User under 18, it will be promptly deleted.
11. Changes to this Privacy Policy
The Operator may update this Policy in response to changes in law, the Service, or other circumstances. Any updated version takes effect from the moment it is posted on the Service. Material changes will be communicated on the Service or by email.
12. Governing Law
This Policy is governed by the laws of Japan.
13. Contact
For inquiries about the handling of personal information, please contact:
- Person responsible for personal information: Miki Matsushima
- Email: customer-support@noren-trip.com
- Address: 501 Burg Hakata Ekimae, 3-18-8 Hakataekimae, Hakata-ku, Fukuoka 812-0011, Japan
- Phone: +81-50-1793-3827 (Mon–Fri, 10:00–18:00 JST)