Article 1 (Scope of Application and Order of Precedence)
- This Policy applies to the handling of personal data and other information that we acquire, use, store, provide, or otherwise process in connection with the provision of this Site and this Service.
- If we establish separate provisions or notices regarding privacy or information management in relation to this Service (including Terms of Use, notices on individual screens, guides, etc.), such provisions or notices shall supplement this Policy, and in the event of any conflict between them, such provisions or notices shall take precedence.
- If we enter into a non-disclosure agreement (NDA) or other individual agreement (hereinafter “Individual Agreement”) with you regarding integration services, implementation support, custom development, consulting, or other individual projects in connection with this Service, and such Individual Agreement contains provisions concerning the handling of personal data or confidential information, such provisions shall take precedence over this Policy.
- Notwithstanding the preceding paragraph, such Individual Agreement shall not exempt or limit our obligations under applicable laws and regulations (including GDPR) or the rights of Data Subjects to the extent not permitted by applicable laws and regulations.
Article 2 (Definitions)
The principal terms used in this Policy are as follows:
- “Personal Information”: means personal information as defined in the Act on the Protection of Personal Information and other laws and regulations.
- “Personal Data”: means personal data as defined in GDPR, or personal information constituting a personal information database, etc.
- “Processing”: means any and all handling including acquisition, recording, editing, storage, use, provision, deletion, and other operations.
- “Data Subject”: means an individual identified by personal data.
- “Controller” and “Processor”: mean the controller and processor as defined in GDPR.
- “Cookies, etc.”: means information obtained using cookies, advertising identifiers, device identifiers, and other similar technologies.
- “Usage Logs”: means records automatically generated and accumulated in connection with the use of this Service, etc., including access logs, IP addresses, browser information, operation history, authentication/security logs, and other such data.
Article 3 (Our Role: Controller/Processor)
- We, in principle, handle personal data and other information related to our customer management, billing, support, marketing, operation of this Site, etc. as a **Controller**.
- On the other hand, when we handle data stored or processed by you on cloud/VPS, etc. (which may include personal data that you have obtained from end users, etc.; hereinafter “Customer Content”) for purposes such as maintenance, operations support, or other purposes, we may handle such data as a **Processor** depending on the contractual arrangement. In such cases, we will handle such data in accordance with the Individual Agreement (including DPA, etc.) and your reasonable instructions.
Article 4 (Personal Data, etc. We Collect)
In providing this Service, we may collect the following personal data, etc.:
- Account and Contract Information: name (including contact person name), company name, department name, address, telephone number, email address, login ID, authentication information, contract details, etc.
- Billing and Payment Information: billing information, transaction ID, payment status, invoice/receipt information, etc.
  - When using payment processing services, we may not retain credit card numbers, etc.
- Support-Related Information: inquiry details, ticket details, response history, communication content, configuration information and logs necessary for troubleshooting, etc.
- Technical Information/Usage Logs: IP address, access date/time, device/browser information, OS information, pages viewed, referrer, authentication/security logs, operation history, cookies, etc.
- Domain/SSL Related Information (if provided): registrant information, WHOIS-related information, DNS configuration information, certificate application information (domain ownership verification information, organization information, etc.)
- Fraud Prevention Information: information necessary for detecting fraudulent orders, unauthorized access, etc. (transaction-related information, logs, identifiers, etc.)
- Marketing Related Information (if conducted): email distribution consent/opt-out status, survey responses, campaign application information, etc.
- Other: information specified by us in the service application screens, configuration screens, etc.
Article 5 (Purpose of Use)
We use the personal data and other information obtained for the following purposes.
- Provision of the service, account management, contract performance, identity verification (if conducted)
- Billing of usage fees, payment processing, payment confirmation, refund processing, accounting/tax processing
- Service operations (monitoring, incident response, security measures, backup, maintenance, etc.)
- Inquiry response, support provision, notification of important notices (terms of service changes, incident notifications, etc.)
- Domain registration/transfer/renewal, DNS management, SSL certificate application/issuance/renewal procedures
- Prevention of fraudulent use, terms of service violation response, rights protection, dispute resolution
- Service improvement, new feature development, usage analysis, statistical data creation (including in forms where individuals cannot be identified)
- Campaigns, email newsletter notifications, etc.
Article 6 (Legal Basis for Processing under GDPR)
When we process personal data of data subjects in the EEA/UK, etc., we primarily process it based on the following legal bases.
- Contract: service provision, account management, support response, etc.
- Legal Obligation: accounting/tax, responses based on laws and regulations, etc.
- Legitimate Interests: ensuring security, fraud prevention, quality improvement, dispute resolution, etc. (we conduct a balancing of interests as necessary)
- Consent: marketing distribution, cookies requiring consent, etc. (consent may be withdrawn at any time)
- Vital Interests: protection of life/physical safety, etc.
Article 7 (Voluntary Nature of Provision/Impact of Not Providing)
- Provision of personal data and other information is in principle voluntary, but if you do not provide information necessary for service provision, you may not be able to use all or part of the service.
- Marketing distribution and optional surveys, etc. are operated in a manner that does not cause disadvantages from non-provision (except where benefits are provided, etc.).
Article 8 (Provision to Third Parties)
- We will not provide personal data to third parties without the consent of the individual, except where permitted by applicable laws and regulations.
- However, we may provide data to the following categories of third parties to the extent necessary for providing the Service (including domestic and foreign providers).
  - Payment service providers and financial institutions (credit card payments, PayPal, etc.)
  - Domain registration-related entities (registrars, registries, etc.)
  - SSL certificate-related entities (certificate authorities, verification agencies, etc.)
  - Fraud detection and security-related service providers
  - Providers of delivery, notification, support tools, etc.
- In connection with domain registration, etc., part of the registration information may be published or disclosed to third parties according to registry rules (this varies depending on the TLD and registration type).
- We may provide personal data, etc., to the extent necessary in response to disclosure requests based on laws and regulations (courts, administrative agencies, etc.).
Article 9 (Outsourcing/Sub-processors)
- We may outsource all or part of the processing of personal data, etc., to third parties to the extent necessary to achieve the purposes of use.
- We conduct screening based on appropriate criteria when selecting outsourcing parties, require security management measures and confidentiality obligations through outsourcing agreements, etc., and provide necessary and appropriate supervision.
- When we handle Customer Content as a processor, we may use sub-processors in accordance with the agreement.
Article 10 (International Transfers)
- We may handle personal data, etc., outside the EEA/UK (including Japan) in order to provide the Service.
- We will implement appropriate safeguards based on applicable laws and regulations, such as adequacy decisions, standard contractual clauses (SCCs), or other measures, for transfers to which GDPR applies.
- If you wish to receive additional information regarding international transfers, please contact us at the point of contact set forth in Article 21.
Article 11 (Retention Period/Deletion)
- We retain personal data, etc., only for the period necessary to achieve the purposes of use, and appropriately delete or anonymize it when it becomes unnecessary.
- We retain and delete data generally in accordance with **Appendix 1 (Retention Period/Deletion Criteria)**, based on the settings in the client portal.
- However, we may retain data to the minimum extent necessary when there are legitimate reasons, such as legal compliance (accounting, tax, etc.), protection of rights (dispute resolution, etc.), security assurance, or other valid grounds.
- If a different retention period or deletion condition is agreed upon with the customer through an individual agreement (DPA/NDA, etc.), such agreement will take precedence (limited to the extent not inconsistent with applicable laws and regulations).
Article 12 (Data Subject Rights)
When GDPR, etc., applies, data subjects have the following rights within the scope of applicable laws and regulations.
- Right of access (confirmation of retained personal data)
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object (to processing based on legitimate interests, etc.)
- Right to withdraw consent (for processing based on consent)
- Right to lodge a complaint with a supervisory authority
Article 13 (Procedures for Exercising Rights and Response Deadlines)
- Requests under the preceding Article (hereinafter referred to as “rights exercise requests”) shall be accepted at the contact point specified in Article 21.
- We may request additional information for identity verification (or verification of authority to act as a representative) when processing rights exercise requests.
- In accordance with applicable laws and regulations, we will respond in principle within one month from receipt of the request. However, if the request is complex or numerous, the response deadline may be extended to the extent permitted by applicable laws and regulations.
- We may decline to respond to a rights exercise request if we are unable to comply based on applicable laws and regulations, or if the request exceeds a reasonable scope. In such cases, we will explain the reasons to the extent possible.
Article 14 (Export and Deletion in Client Portal)
- We provide a mechanism in the client portal that allows customers to export their own information. The scope of exportable information may change depending on our provision status, but includes, for example:
  - Contacts
  - Accounts/Services
  - Domains
  - Change logs
  - Transactions (payments/transactions)
  - Invoices
  - Tickets
- We provide a mechanism in the client portal that allows customers to request deletion of their own account.
- When an account deletion request is made, we will delete or anonymize personal data, etc. that we hold after a certain grace period has elapsed.
- Notwithstanding the preceding paragraph, we may retain some information to the extent necessary for legal compliance (accounting, taxation, etc.) or protection of rights (dispute resolution, etc.) (e.g., paid invoices, etc.).
Article 15 (Use of Cookies, etc.)
- We may use cookies, etc. to improve the convenience of this site, ensure security, and perform access analysis, etc.
- For cookies, etc. that require consent, we provide a consent acquisition mechanism in accordance with applicable laws and regulations.
- Customers can refuse cookies through browser settings, but in such cases, some functions of this site or this service may not be available.
Article 16 (Access Analysis, Advertising, etc.)
- We may use access analysis tools, etc. for the purpose of service improvement, etc. Information collected by access analysis tools, etc. is handled in accordance with the provisions of the provider of such tools.
- When we use advertising distribution services, such service providers may use cookies, etc. to obtain browsing information, etc.
- When we use analytics and advertising-related tools, we will provide information on the tool names, opt-out methods, etc. on this site as necessary.
Article 17 (Security Control Measures and Information Security)
- We implement organizational, human, physical, and technical security control measures to prevent leakage, loss, damage, unauthorized access, etc. of personal data.
- We implement reasonable measures including access authority management, enhanced authentication, encryption, log management, vulnerability response, and supervision of contractors.
- When we handle Customer Content as a processor, we will implement appropriate technical and organizational measures in accordance with the contract.
Article 18 (Response to Personal Data Breaches)
In the event of a personal data breach (leakage, loss, damage, unauthorized access, etc.), we will take measures in accordance with applicable laws and regulations, including impact assessment, recurrence prevention, notification to supervisory authorities, and notification to data subjects (if necessary).
Article 19 (Automated Decision-Making and Profiling)
We may automatically analyze usage status, etc. for the purpose of preventing fraudulent use and ensuring security. When we conduct automated decision-making (including profiling) that has a significant impact on data subjects as required by law, we will provide necessary information in accordance with applicable laws and regulations.
Article 20 (Minors)
We do not intentionally collect personal data of minors. When minors use the Service, consent from a parent or guardian may be required in accordance with applicable laws and regulations.
Article 21 (Contact Information)
For inquiries regarding this Policy, handling of personal data, requests for disclosure, complaints and consultations, please contact the following office:
- Business Name: BESTNET LLC
- Office: Personal Data Inquiry Office
- Contact: Inquiry Form URL
- Hours: Weekdays 10:00–17:00 (excluding public holidays and New Year holidays)
Article 22 (Business Information)
- Business Name: BESTNET LLC
- Location: 161-1 Kitanaganehara, Aza-Onuki, Tajiri, Osaki City, Miyagi Prefecture
- Representative: Representative Member, Hideyuki Chinda
Article 23 (Additional Information for EEA/UK Residents)
- When we handle personal data concerning residents of the EU/EEA or the UK due to the extraterritorial application of GDPR, etc., data subjects have the right to lodge a complaint with the supervisory authority having jurisdiction over their place of residence, etc.
- We will appoint an EU/UK representative as necessary and publish their contact information on this site.
Article 24 (Amendments)
- We may amend this Policy in response to legal amendments, service changes, etc.
- The amended Policy will be publicized by posting on this site or by other methods we deem appropriate, and will be effective from the posting date or the date determined by us.
【Enactment Date: April 1, 2020】
【Last Amended: February 19, 2026】
Appendix 1 (Retention Period & Deletion Criteria: Client Portal)
There are exceptions such as not being deleted if they contain active services, paid invoices, approved commissions, etc. Additionally, data may be retained to the minimum extent necessary for legal compliance, dispute resolution, etc.
1. Client (Customer) Profile
- Inactive (from last payment): Automatically archived after 18 months
- Archived: Automatically deleted after **120 months (10 years)** (counted from the date of archiving)
- Registration-only client profile: Automatically deleted after 3 months (counted from registration)
- Automatic deletion of inactive (from last payment): Automatically deleted after **120 months (10 years)**
*When multiple criteria above coexist, the application order and deletion timing of deletion/archiving, etc. may vary depending on system status and conditions.
2. Invoices
- Cancelled invoices: Automatically deleted after **365 days (1 year)** from scheduled date
3. Orders
- Cancelled orders: Automatically deleted after **365 days (1 year)** from creation
- Fraudulent orders: Automatically deleted after **730 days (2 years)** from creation
- Pending orders: Automatically deleted after **180 days (approx. 6 months)** from creation
- Order drafts: Automatically deleted after 30 days from creation
*When an order is deleted, items included in the order may also be deleted.
*Orders containing active services, paid invoices, or approved commissions may not be deleted.
4. Services/Domains
- Cancelled accounts: Automatically deleted after **180 days (approx. 6 months)** from last change
- Terminated accounts: Automatically deleted after **365 days (1 year)** from last change
- Cancelled domains: Automatically deleted after **180 days (approx. 6 months)** from last change
- Expired domains: Automatically deleted after **120 days (approx. 4 months)** from expiration date
*Depending on our cancellation processing settings, cancellation requests may be processed as “Terminate” rather than “Cancel.”
5. Account Deletion Processing (Portal Function)
- Customers can request deletion on the portal
- Deletion is performed 30 days after the last login
- However, data necessary for accounting, tax, dispute resolution, etc. may be retained to the minimum extent necessary