Privacy Policy
Disclaimer: This English translation is provided for convenience only. The original Japanese version of this Privacy Policy is the legally binding document.
Last Updated: May 5, 2026
Preamble
New Summer Inc. (hereinafter "the Company") establishes the following privacy policy (hereinafter "this Policy") regarding the handling of all personal information processed through the AI conversation application "KidTalk" (hereinafter "the Service") provided by the Company, for its users (primarily parents or legal guardians of children, hereinafter "Guardians").
Although the Service is designed for children (individuals under 18 years of age, hereinafter the same) as the primary users, the contractual relationship is established with the Guardian, and the Service becomes available upon the Guardian's agreement to this Policy.
The Company complies with applicable laws, including Japan's Act on the Protection of Personal Information (hereinafter "APPI"), the EU General Data Protection Regulation (hereinafter "GDPR"), the U.S. Children's Online Privacy Protection Act (hereinafter "COPPA"), and the California Consumer Privacy Act (hereinafter "CCPA"), to manage personal information appropriately and securely.
Article 1 (Business Operator Information and Data Protection Officer)
The Company's name and contact information are as follows:
- Corporate Name: New Summer Inc.
- Data Protection Officer: info@kidtalkapp.com
For inquiries regarding the handling of personal information and requests to exercise various rights, please contact the Data Protection Officer (DPO) above. The Company will respond within a reasonable period (in principle, within 30 days) after receiving the request.
Article 2 (Scope of Application)
This Policy applies to all personal information and quasi-personal information acquired and processed by the Company in connection with the use of the Service. Although the Service is designed for children, the contractual party with the Company is the Guardian, and children shall use the Service under the Guardian's consent and supervision.
This Policy does not apply to websites, applications, or services operated by third parties (including those linked from the Service).
Article 3 (Applicable Laws)
The Company complies with the following laws according to the user's location and applicable governing law.
| Region | Primary Applicable Law | Abbreviation |
|---|---|---|
| Japan | Act on the Protection of Personal Information (Amended in 2020) | APPI |
| EU / EEA | General Data Protection Regulation (EU) 2016/679 | GDPR |
| USA (Federal) | Children's Online Privacy Protection Act | COPPA |
| USA (California) | California Consumer Privacy Act / CPRA | CCPA / CPRA |
Article 4 (Types of Personal Information Collected)
The Company collects the following information only to the extent necessary for providing the Service.
- Account Information
  - Email address (of the Guardian)
  - User ID (system-generated)
  - Profile information voluntarily registered by the Guardian
- Voice Data
  - Voice input data from the child
  - Text data from voice-to-text conversion (text after Speech-to-Text processing)
  - Text data used for generating AI responses
- Usage Information
  - Service usage frequency and history
  - IP address
  - Device information (OS, model, version, etc.)
  - Application crash logs and diagnostic information
- Payment Information
  Payment processing is handled by the third-party payment processor Stripe, Inc. (USA). The Company does not directly collect or store sensitive payment information such as credit card numbers. The Company only acquires tokens issued by Stripe and information related to subscription status.
Article 5 (Purpose of Use)
The Company uses the collected personal information only for the following purposes. If the information is to be used beyond the scope of these purposes, the Guardian's prior consent will be obtained.
- Providing and operating the Service (including AI response generation, Speech-to-Text, and Text-to-Speech processing)
- User authentication and account management
- Maintaining and improving service quality (based on statistical, anonymized analysis)
- Preventing fraudulent use and ensuring security
- Responding to user inquiries and providing customer support
- Fulfilling legal obligations and exercising rights
- Billing and payment management
Article 6 (Legal Basis for Processing: GDPR Art. 6 & 9)
The processing of personal data for EU/EEA residents is based on the following legal grounds:
| Purpose of Processing | Legal Basis (GDPR Article) | Basis Details |
|---|---|---|
| Service Provision & Operation | Art. 6(1)(b) | Performance of a contract |
| Child's Voice Data Processing | Art. 6(1)(a) & Art. 8 | Consent from Guardian |
| Fraud Prevention & Security | Art. 6(1)(f) | Legitimate interests |
| Legal Compliance | Art. 6(1)(c) | Compliance with a legal obligation |
| Quality Improvement (anonymized) | Art. 6(1)(f) | Legitimate interests |
Article 7 (Special Handling of Voice Data)
Voice data, being particularly sensitive information within the Service, is handled strictly as follows:
- Real-time Processing: Voice input is sent for real-time Speech-to-Text processing (e.g., Google Cloud Speech-to-Text).
- Principle of Minimum Storage: Original voice data is generally not stored. If temporarily stored, it is deleted promptly after processing (usually within seconds to minutes).
- Explicit Third-Party Transmission: Voice data may be sent to external cloud services like Google Cloud for AI processing. Appropriate Data Processing Addendums (DPAs) are in place with such third parties.
- Prohibition of Use for Other Purposes: Voice data is not used for purposes other than AI response generation (e.g., selling to third parties, ad targeting).
Article 8 (Handling of Children's Personal Information: COPPA Compliance)
As the Service is primarily targeted at children under 13, it complies with the requirements of the U.S. Children's Online Privacy Protection Act (COPPA).
- Verifiable Parental Consent
  The Company obtains verifiable parental consent from the Guardian before collecting or processing personal information from a child under 13. The method of obtaining consent, withdrawal procedures, and the effects of withdrawal are detailed in our separate consent management procedure.
- Guardian's Rights
  Guardians can exercise the following rights regarding their child's personal information:
  - Request access to the child's collected personal information.
  - Request correction or completion of the child's personal information.
  - Request deletion of the child's personal information.
  - Request to stop further collection or use of the information.

  To exercise these rights, please send a written request (including electronic methods) to the DPO at info@kidtalkapp.com. The Company will respond within a reasonable period after verifying your identity.
- Minimum Necessary Collection
  The Company collects only the personal information necessary to provide the Service (principle of data minimization). Information about the child does not include directly identifying information such as the user's full name or photos.
Article 9 (Provision to Third Parties)
The Company does not provide personal information to third parties, except in the following cases:
- To Service Providers: When outsourcing necessary operations for the Service (e.g., cloud computing, payment processing), information is provided to the minimum extent necessary. Contracts concerning the protection of personal information are concluded with these providers.
- Based on Legal Requirements: When requested by courts, investigative bodies, or other public institutions based on laws and regulations.
- With Guardian's Consent: When explicit prior consent is obtained from the Guardian.
- Business Succession: In the event of a business transfer through merger, company split, or other reasons (limited to cases where protection equivalent to this Policy is ensured by the successor).
Key data processors include:
- Google LLC (Google Cloud): Voice processing (STT/TTS), cloud infrastructure
- Stripe, Inc.: Payment processing
Article 10 (International Data Transfer)
The processing of personal data in the Service may be carried out on servers and by processors located outside of Japan (mainly in the United States). The Company takes the following protective measures for such international data transfers:
- For EU/EEA Residents: Conclusion of Standard Contractual Clauses (SCCs) as defined by the European Commission.
- For UK Residents: Conclusion of the International Data Transfer Agreement (IDTA) approved by the UK ICO.
- For Other Regions: Fulfilling procedures for providing data to third parties in foreign countries based on the APPI.
Google Cloud and Stripe, which we use, have obtained security certifications (e.g., ISO 27001) applicable to such international transfers, ensuring an adequate level of protection.
Article 11 (Data Retention Period)
The Company retains personal information only for the period necessary to achieve the purpose of use. The main data retention periods are as follows:
| Data Type | Retention Period | Notes |
|---|---|---|
| Original Voice Data | Deleted after processing, immediately or within a few minutes | Generally not stored |
| STT Converted Text Data | During the service usage period | For AI response generation & quality control |
| Account Information | During the service usage period | Deleted within 30-90 days after account deletion |
| Usage Logs & Diagnostics | Up to 90 days | For security and quality purposes |
| Payment Records | Period required by law (generally 7 years) | For tax and accounting laws |
Article 12 (Security Management Measures)
The Company takes the following measures to prevent leakage, loss, or damage of personal information and to otherwise manage its security:
- Technical Security Measures
  - Encryption of communications (TLS 1.2 or higher)
  - Encryption of stored data (AES-256 equivalent)
  - Recording and monitoring of access logs
  - Regular vulnerability scans and penetration testing
- Organizational Security Measures
  - Access control based on the principle of least privilege
  - Regular education and training for personnel handling personal information
  - Establishment and operation of personal information handling regulations
  - Maintenance of an Incident Response Plan
- Physical Security Measures
  - Access control for data centers
  - Proper disposal of equipment and recording media

In the event of a security incident, the Company will notify the supervisory authorities and affected data subjects within the period prescribed by applicable law.
Article 13 (User Rights)
Guardians (and data subjects of children they represent if residing in the EU/EEA) have the following rights:
| Right | Description | Legal Basis |
|---|---|---|
| Right of Access | Request access to your personal data. | GDPR Art. 15 / APPI / CCPA |
| Right to Rectification | Request correction of inaccurate data. | GDPR Art. 16 / APPI |
| Right to Erasure ('Right to be Forgotten') | Request deletion of your personal data. | GDPR Art. 17 / APPI / COPPA |
| Right to Restrict Processing | Request the restriction of certain processing. | GDPR Art. 18 |
| Right to Data Portability | Request data in a structured, commonly used format. | GDPR Art. 20 / CCPA |
| Right to Object | Object to processing based on legitimate interests. | GDPR Art. 21 |
| Right to Withdraw Consent | Withdraw consent at any time for processing based on consent. | GDPR Art. 7(3) / APPI |
To exercise these rights, please contact the DPO at info@kidtalkapp.com. We will respond within 30 days (extendable to 60 days for valid reasons). EU/EEA residents also have the right to lodge a complaint with a supervisory authority.
Article 14 (Management of Guardian Consent)
To start using the Service, Guardians must provide explicit consent for the following:
- The collection of the child's voice data and its use for AI processing.
- Transmission to cloud services (like Google Cloud) necessary for providing the Service.
- The use of AI technologies (such as large language models) employed by the Service.
- The entire content of this Policy.
Consent can be withdrawn by the Guardian at any time. Withdrawal of consent may affect the future use of the Service. To withdraw consent, please contact the DPO at info@kidtalkapp.com.
Article 15 (Cookies and Other Tracking Technologies)
The Service may use cookies and other tracking technologies ("Cookies") for the following purposes:
- Session management and maintaining login status (Essential Cookies).
- Analyzing service usage (Analytics Cookies, subject to Guardian's consent).
- Detecting and preventing unauthorized access (Security Cookies).
We do not use cookies for advertising purposes or third-party behavioral tracking. You can change your cookie settings from your device's browser settings. However, disabling essential cookies may prevent some features of the Service from functioning.
Article 16 (Policy Revision)
The Company may revise this Policy due to changes in laws, services, or other reasons. For significant changes, we will notify you of the changes and their effective date in advance through a notice within the Service or by email (generally 30 days prior to the effective date).
Your continued use of the Service after the effective date of the revised Policy will constitute your agreement to the revised Policy. For significant changes, we may ask for the Guardian's re-consent.
Article 17 (Governing Law and Jurisdiction)
The interpretation and application of this Policy shall be governed by the laws of Japan. Disputes concerning this Policy shall be subject to the jurisdiction of the courts of Japan. However, if GDPR or other mandatory laws apply, they shall be followed.
Article 18 (Contact Information)
For questions about this Policy, consultations about the handling of personal information, or to exercise your rights, please contact the following:
- Data Protection Officer (DPO): info@kidtalkapp.com
- Supported Languages: Japanese, English
- Business Hours: Weekdays 9:00 AM - 6:00 PM JST
- Response Target: In principle, within 30 days
End
New Summer Inc.
Date of Enactment: May 5, 2026
Date of Last Revision: May 5, 2026