Privacy Policy

Effective: June 2, 2026

This Privacy Policy describes how STANDOUT Inc. ("Provider", "we", "us") collects, uses, and protects information in connection with the VATES service ("Service"). This Policy applies to customers ("Customer", "you") who use the Service and to end-users who interact with VATES widgets embedded in customer sites.

1. Information We Collect

1.1 Customer Account Information

When the Customer creates an account, we collect:

• Business name, contact name, and email address.
• Billing information (handled through our payment processor; we do not store full payment card numbers).
• Account configuration (instance settings, branding preferences, embedded site domains).

1.2 Conversation Data

When end-users interact with VATES, we process:

• User input (text, images, audio, file uploads as applicable).
• System-generated context (ES-IFM knowledge entries auto-injected for the request).
• Generated responses from upstream AI providers.
• Token usage statistics for billing purposes.

1.3 Operational Data

For service operation and security, we automatically collect:

• IP addresses, user agent strings, and timestamps of access.
• Audit logs of administrative actions.
• Performance and error logs.

2. How We Use Information

We use the collected information to:

• Provide, maintain, and improve the Service.
• Process billing and manage account balances.
• Detect, prevent, and respond to fraud, abuse, or security threats.
• Communicate with the Customer regarding service updates, billing, and support.
• Comply with legal obligations.

We do not use Customer Content or end-user conversations to train AI models.

3. Sharing with Upstream Providers

VATES is built on upstream AI providers (Anthropic, OpenAI, and others as configured). To deliver the Service, user input and ES-IFM context are transmitted to these providers under their respective commercial terms. Each upstream provider has its own data handling policy:

• Anthropic: Anthropic Privacy Policy
• OpenAI: OpenAI Privacy Policy

These providers, under their commercial API terms, do not use API inputs to train their models.

4. Data Storage and Security

Customer data is stored on cloud infrastructure (Amazon Web Services, located in the Asia Pacific (Tokyo) region). We implement the following security measures:

• Passkey (WebAuthn/FIDO2) and two-factor authentication (2FA) for administrative access.
• IP-based access restrictions for sensitive operations.
• Per-tenant rate limiting and abuse protection.
• Encryption of data in transit (TLS) and at rest.
• Web Application Firewall (WAF) protection.
• Regular automated backups.
• Audit logs of all administrative actions.
• Per-customer instance isolation, so that each tenant's data is managed independently.
• Continuous monitoring through error tracking, uptime monitoring, and dependency vulnerability scanning.
• Origin Pull Authentication that blocks direct access to the origin server.

While we maintain industry-standard security practices, no system can be guaranteed against all threats. The Customer is responsible for maintaining the confidentiality of its own credentials.

5. Data Lifecycle and Deletion

Data in this service is processed according to retention periods determined for each data type, applying the strictest standards from applicable jurisdictions. The complete specification for each data type (physical location, retention period, deletion function, legal basis) is available at any time through the "Data Lifecycle" setting screen in the service, or in the public Data Catalog specification.

Upon account termination or written deletion request, data progresses through the following lifecycle:

• Active: Normal operation.
• Suspended: Service paused, data retained.
• Logical deletion: Data marked as deleted, hidden from interfaces. Retention: 30 days (withdrawal grace period). During this period, restoration is possible upon written request.
• Pseudonymization: Personal identifiers are replaced with irreversible hash values (SHA-256+salt). Retention varies by data type: PII as short as 1 month, audit logs 2 years.
• Physical deletion: Data permanently removed from disk.

Legally retained data:

• Customer balance, balance history, usage aggregates: 10 years (Japanese Companies Act Article 432)
• Instance audit logs, global audit log: 2 years (SOC2 CC7.2)

Audit Log Tamper-Evidence: Audit logs are protected by a SHA-256 hash chain that cryptographically links each event to the one before it, together with a per-tenant sequence number. Any alteration or deletion of a recorded entry is therefore detectable upon verification. Exported audit logs include the hash and sequence columns, so Customers can independently verify the integrity of their own audit trail without relying on our systems — a mathematical guarantee that we have not altered the audit record after the fact.

Note on backups: This service maintains encrypted automatic backups for 30 days. Deletion requests are not immediately reflected in backup data; however, when data is restored from backup, deletion processing is immediately re-executed after restoration.

Deletion processing in this service is automatically executed by a systemd timer weekly batch, applied to all data types registered in the canonical data catalog (common/data_catalog.py). Adding new data types only requires registration in the catalog; automatic deletion processing is included by design.

Customers may request account deletion through the "Data Lifecycle" setting screen. However, information subject to legal retention obligations (e.g., tax records) takes precedence.

6. Customer and End-User Rights

Subject to applicable law, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your information (subject to legal retention requirements).
• Object to or restrict certain processing activities.
• Receive a copy of your data in a portable format.

To exercise these rights, contact us at the address below. We will respond within 30 days of receipt.

7. Cookies and Tracking

The Service uses only cookies and local storage strictly necessary for the operation of the Service.

• Session cookies for authentication and instance state.
• Functional cookies for UI preferences (color theme, language).

The Service does not use third-party advertising cookies, cross-site tracking, or analytics/behavioral tracking cookies (e.g., Google Analytics).

All cookies used by the Service fall outside the scope of consent requirements under applicable laws, and accordingly we do not display a cookie consent banner (EU/EEA: strictly necessary exception under the ePrivacy Directive; Japan: outside the scope of the external transmission rule of the amended Telecommunications Business Act; United States: no sale or sharing under CCPA/CPRA; United Kingdom: strictly necessary exception under UK PECR).

8. International Data Transfers

Data may be transferred to and processed in countries other than the Customer's country of residence, including the United States (where upstream AI providers operate). All transfers are conducted under appropriate safeguards, including the standard contractual clauses required by applicable data protection laws.

9. Children's Privacy

The Service is intended for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Customers at least 30 days before the effective date. The "Effective" date at the top of this Policy indicates the latest revision.

11. Contact

For privacy-related inquiries:
STANDOUT Inc.
Email: [email protected]

Last updated: June 2, 2026