Privacy Policy

1. Service Operator

The personal information handler for the service is EXCEEDSYSTEM.

• Address: Shibuya Dogenzaka Tokyu Building 2F-C, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
• Representative: Yoshiaki Sakamoto
• Contact: contact@exceedsystem.com

We do not currently appoint an EU/EEA/UK representative or a Data Protection Officer. This Policy does not represent that the service is fully compliant with the GDPR or UK GDPR. If those laws apply, we will take necessary steps within a reasonable scope in accordance with applicable law.

2. Information We Collect

We collect or store the following information as needed to provide the service.

• Account information: user ID, email address, display name, profile image, and authentication or session information.
• Service usage information: encrypted bookmark data, creation and update timestamps, encrypted thumbnails, backups, restore data, and information needed to use features such as secret-key changes.
• Encryption-related information: salts needed for encryption, encrypted data used to verify the secret key, and encrypted thumbnails or backup data. The secret key itself is not sent to or stored on our servers.
• Subscription and billing information: plan, subscription status, billing service identifiers, billing period, cancellation status, and similar information. We do not store full payment method details such as card numbers.
• Browser storage information: language preference, display settings, lock-state synchronization, and similar information needed to provide the service.
• Technical information: IP address, user agent, access timestamps, request-related information, and logs.

3. Purposes

We use the information we collect for the following purposes.

• To provide the service, authenticate users, manage accounts, and manage sessions.
• To provide bookmarks, encrypted thumbnails, backup, restore, and secret-key-change features.
• To enforce plan limits, synchronize subscription status, provide billing-related features, and clean up data after downgrades.
• To process account deletion, data deletion, inquiries, and important service notices.
• To detect, prevent, and investigate misuse, unauthorized access, incidents, and security issues.
• To maintain and improve the service, comply with law, and exercise or defend legal rights.

4. Legal Bases

Where the GDPR applies, we primarily rely on the following legal bases.

• Performance of a contract: to create accounts, authenticate users, manage bookmarks, provide backup/restore, and manage subscriptions.
• Legitimate interests: to secure the service, prevent misuse, respond to incidents, improve the service, and protect rights.
• Legal obligations: to keep records required by tax, accounting, or other applicable laws and to respond to lawful requests.
• Consent: where consent is required by law. We do not currently use advertising or analytics cookies.

5. Service Providers

We may use the following third-party service providers to process personal information.

• Clerk: authentication, user management, reauthentication, and subscription or billing-related processing.
• Cloudflare: cloud hosting, data storage, static asset delivery, logs, and security features.
• Other providers as necessary for inquiries, payment-related operations, maintenance, and legal compliance.

We do not sell or share personal information as those terms are used under the CCPA/CPRA. We do not use personal information for cross-context behavioral advertising, advertising cookies, or retargeting advertising.

6. International Transfers

We use services provided by companies such as Clerk and Cloudflare, and information may be processed or stored outside Japan, including in the United States, the EU/EEA, and other countries or regions. We seek to protect personal information through provider contracts and other appropriate safeguards where required by applicable law.

7. Retention and Deletion

We retain personal information only for as long as necessary for the purposes described in this Policy or as required by law.

• Account information, encrypted bookmark data, and subscription or billing information are retained while the user maintains an account.
• After account deletion, user data managed by EXCEEDSYSTEM is deleted or invalidated within a reasonable period.
• Temporary data used for backup, restore, secret-key changes, and similar features is retained only for as long as necessary for processing and is deleted or invalidated after processing is complete or after a limited period.
• Bookmarks that exceed a downgraded plan limit may be deleted after the applicable grace period described in the service.
• Logs and similar records retained by service providers follow each provider's retention policies and settings.
• We may retain information as needed for legal compliance, disputes, misuse investigations, accounting, and tax purposes.

8. Cookies and Browser Storage

The service uses cookies and similar technologies required for Clerk authentication. We also use localStorage or sessionStorage for non-sensitive information needed to provide the service, such as language preference, display settings, and lock-state synchronization. We do not use advertising or analytics cookies.

9. Security

Bookmark content, URLs, notes, thumbnails, backups, and secret-key validation information are encrypted on the client side, and our servers store ciphertext and the metadata needed to provide the service. Secret keys and backup passwords are not sent to or stored on our servers. For encrypted content, the service uses a zero-knowledge design: the service operator cannot decrypt it. Encrypted information may still be personal information or personal data under applicable law when it is linked to an account ID or related metadata.

10. Your Rights

Subject to applicable law, you may request access, correction, deletion, restriction of processing, objection, data portability, or withdrawal of consent regarding your personal information. We will respond within a reasonable scope to requests based on applicable law.

We currently believe that we are not a business subject to the CCPA/CPRA. This Policy does not represent that the service is fully compliant with the CCPA/CPRA. If the CCPA/CPRA applies, we will take necessary steps within a reasonable scope in accordance with applicable law. Because we do not sell or share personal information, we do not provide a "Do Not Sell or Share My Personal Information" link.

To exercise your rights, contact us at the address below. We may request information needed to verify your identity.

11. Children

The service is not directed to children under 13. If we learn that we have collected personal information from a child under 13, we will take reasonable steps to delete it.

12. Changes

We may update this Policy when laws, service features, or operations change. If we make material changes, we will notify users by posting a notice in the service or by another reasonable method.

13. Contact

For questions about this Policy, our handling of personal information, or privacy rights requests, contact us at contact@exceedsystem.com.