Privacy Policy
1. General
We at Espacio Enterprise Co. Ltd. (hereinafter referred to as “we”, “us”, “our” or “Espacio”) value your privacy and are committed to take care of your data, and we take this responsibility very serious. Please take the time to carefully read our Privacy Policy, which explains why we collect your Personal Data and how we process it when you:
- visit our website www. espacioenterprise.com, www.nagoyakankohotel.co.jp, www.houoh.jp (coming soon)(see, in particular, Section 3.1)
- use our products and/or services such as making a booking with us (see, in particular, Section 3.2)
- are a potential customer (see, in particular, Section 3.3)
- are our supplier or business partner (see, in particular, Section 3.4)
Controller | Espacio Enterprise Inc:
23-18, Nishiki 3-chome, Naka-ku, Nagoya-shi, Aichi Nagoya, Aichi 460-0003 |
2. Definitions
Unless otherwise indicated, capitalized terms used in this Privacy Policy are defined in Annex 1. Most of the definitions are derived from the California Consumer Privacy Act of 2018 (CCPA) which you can access from here and the California Privacy Rights Act of 2020 (CPRA) , and the General Data Protection Regulation (GDPR) which you can access from here.
3. How do we process your Personal Data?
We process your data in different ways depending on whether you visit our website, make a reservation with us, are our supplier, business partner or job applicant.
We do not sell your Personal Data within the meaning of Section 1798.140 (ad) of the CPRA. The term Selling has a broad meaning and includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration, according to Section 1798.140. (ad) (1-2) of the CPRA.
3.1 Processing of Personal Data relating to visitors of your website
Like many other websites, we use so-called “cookies”. Cookies are small text files that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. If you have given your consent to our use of cookies, we do so to improve the use of our website. You can revoke your consent any time.
3.2 Processing of Personal Data relating to use of our products and services
Purpose and legal basis
When you use our products and services such as making a reservation with us, we process your Personal Data. For all Personal Data we collect from other sources please have a look at Section 4: Collection of Personal Data from sources other than the directly from the Data Subject (Art 14 GDPR). The primary purpose for processing data when you use our products and services such as making a reservation with us is to fulfil the contractual relationship between you and Espacio, ensuring that we can provide you the products and services you have requested. We further might process Personal Data to comply with legal obligations, such as for tax reporting purposes.
We may process Personal Data concerning health or allergies voluntarily provided by you or obtained through direct communication with our staff for the purpose of ensuring your safety and satisfaction during your stay. Where we process any such allergen information, we will obtain your explicit consent to the processing at the point at which such information is collected.
Besides that, we use your contact information to send you information on our products and services as a form of Direct Marketing. Your email address might be added to a contact list of those who may receive email messages containing information of commercial or promotional nature as a result of signing up to our website or after making a reservation.
The processing activity related to Direct Marketing is based on Legitimate Interest. You have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without being required to state your reasons, and can do so by sending us a letter or emailing us at [[email protected]]. The Processing of your Personal Data for the purpose of Direct Marketing is not required in order to conduct our contractual relationship.
Personal Data processed
We mainly process the Personal Data you provide us with. For all Personal Data we collect from other sources please have a look at Section 4: Collection of Personal Data from sources other than the directly from the Data Subject (Art 14 GDPR).
We collect:
Identifiers (CPRA Category A)
- Name
- E-mail address
- Billing address
- Social security number
- Passport or ID
Personal information (CPRA Category B)
- Telephone number
- Payment data
- Credit/Debit card number,
- Reservation number
- Memberships
Protected classification characteristics under California or federal law (CPRA Category C)
- Date of Birth
Sensitive information (CPRA Category L)
- Information on allergies and other health information
Recipients
To achieve the objectives described above, it may be necessary to disclose your Personal Data to the following Recipients in certain cases. This includes the transmission of Personal Data to the e-commerce platforms engaged by us when we are sending our newsletter. Personal Data may be disclosed by being transferred, disseminated, or provided by other means to:
Recipient | Data Location | Basis for transfer to third party country | |
1 | Satori | Japan | Adequacy Decision |
2 | Futureshop | Japan | Adequacy Decision |
3 | Tax and Legal consultants | Japan | Adequacy Decision |
4 | Vendors | Japan | Adequacy Decision |
5 | Government and Law Enforcement agencies | Japan | Adequacy Decision |
Retention period
Personal Data necessary for tax purposes, especially contracts, invoices and other bookkeeping documents as well as relevant correspondence in relation to our contractual relationship we store to comply with legal obligations or upon order of an authority.
Furthermore, we may be allowed to retain Personal Data whenever you have given consent to such processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn.
Summary
Purpose | Legal Basis | Recipients |
Reservation and Service | Contract Performance | 1-5 |
Communication | Contract Performance | – |
Invoicing | Contract Performance | 3-5 |
Allergen and Health Information | Explicit Consent | 4 |
Tax obligation | Legal Obligation | 3 |
Direct Marketing | Legitimate Interest | 1-2 |
Newsletter subscription | Consent | 1-2 |
3.3 Processing of Personal Data relating to potential customers
Purpose and legal basis
When you contact us to inquire about our products and/or services, we process the Personal Data you include in such a message, including the contact form on our website, in emails or collected during phone calls to answer and process such inquiry prior to a booking being made. Such processing is necessary in order to take steps at your request prior to entering into a contract with you and our legal basis for processing such data is Contract Performance. Contract Performance is also the purpose of any processing of your personal data when you decide to make a reservation with us or book a service.
Furthermore, we may process the data you provide as part of your inquiry for Direct Marketing purposes as we have a Legitimate Interest to provide you with information about our services including those that are the same or similar to the ones you have inquired about. You have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without being required to state your reasons, and can do so by sending us a letter or emailing us at [email protected]. The Processing of your Personal Data for the purpose of Direct Marketing is not required in order to conduct our contractual relationship.
Personal Data processed
We mainly process the Personal Data you provide to us during as part of your inquiry and any pre-contractual discussions we have with you prior to you making a booking. For all Personal Data we collect from other sources please have a look at Collection of Personal Data from sources other than the directly from the Data Subject (Art 14 GDPR).
We collect:
Identifiers (CPRA Category A)
- Name
- E-mail address and other contact details
Personal information (CPRA Category B)
- Telephone number
Protected classification characteristics under California or federal law (CPRA Category C)
- Date of Birth
- Gender
Internet information (CPRA Category F)
- IP Address and IP location
- Number, duration and time of visits (your interaction with our website)
- Device information
Recipients
To achieve the objectives described above, it may be necessary to disclose your Personal Data to the following Recipients in certain cases. Personal Data may be disclosed by being transferred, disseminated, or provided by other means to:
Recipient | Data Location | Basis for transfer to third party country | |
1 | Satori | Japan | Adequacy Decision |
2 | Futureshop | Japan | Adequacy Decision |
Retention period
Personal Data collected for purposes related to Contract Performance shall be retained until such contract has been fully performed.
We may be allowed to retain Personal Data whenever you have given consent to such processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn.
Summary
Purpose | Legal Basis | Recipients |
Communication with you | Contract Performance | – |
Direct Marketing | Legitimate Interest | 1-2 |
Newsletter subscription | Consent | 1-2 |
3.4 Processing of Personal Data relating to suppliers and business partners
Purpose and legal basis
Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding Espacio’s services. This includes our distribution partners who sell or market our services and products. The purpose of processing your Personal Data is the performance of our legal relationship.
Processed Personal Data
We mainly process the Personal Data you provide us with.
We collect:
Identifiers (CPRA Category A)
- Name
- E-mail address
Personal information (CPRA Category B)
- Telephone number
- Payment data
- Billing address
Professional or employment-related information (CPRA Category I)
- Company name
- Company address
- Company phone number
If your company details include a name of an individual, we may be required that you provide us with your Personal Data to enable us to enter into a business relationship with you.
Recipients
To achieve these desired objectives, it may be necessary to disclose your Personal Data to the following Recipients in certain cases. This includes platforms regarding the support of our dealer network to collect dealer contact info and user data for purposes of servicing the account. Personal Data may be disclosed by being transferred, disseminated, or provided by other means to:
Recipient | Registered Office (Country) | Basis for transfer to third party country | |
1 | Tax and legal consultants | Japan | Adequacy decision |
2 | Accountants | Japan | Adequacy decision |
3 | Law enforcement and Government agencies | Japan | Adequacy decision |
Retention period
All Personal Data necessary for tax purposes, especially contracts, invoices and other bookkeeping documents as well as relevant correspondence in relation to our contractual relationship we store to comply with legal obligations or upon order of an authority.
Summary
Purpose | Legal Basis | Recipients |
Cooperation | Contract Performance | |
Debt Collection | Contract Performance | 1-3 |
Invoicing | Contract Performance | 1-2 |
Audit | Legal Obligation | 1-2 |
Accounting | Legal Obligation | 2 |
4. Collection of Personal Data from sources other than directly from the Data Subject (Art 14 GDPR)
Purpose and legal basis
If we process your Personal Data we usually collect Personal Data directly from you when you provide such information to us. Nevertheless, in individual cases, we may also obtain Personal Data from other sources.
Processed Personal Data
The Personal Data we obtain from third sources about you which is stored in our systems is limited to:
Identifiers (CPRA Category A)
- Name
- E-mail address
- Billing address
- Social security number
Personal information (CPRA Category B)
- Telephone number
- Payment data
- Credit/Debit card number,
- Reservation number
Protected classification characteristics under California or federal law (CPRA Category C)
- Date of Birth
Sources
- Agoda
- Ateam Brides (Hanayume Desk)
- ANA
- ANA Travelers
- com
- D-EDGE
- Gurunavi
- Hotelbeds
- IBJ (Omiai)
- Ikyu
- i-honex
- JALPAK
- Liberty Tours
- Recruit (Zexy Navi)
- SATORI
- Starz Publishing (Ozmall) Starts Publishing Coorporation
- Table check
- Tripla Inc.
- com Group
- The Leading Hotels of the World
- Yahoo!
This processing is based on our Legitimate Interest in a complete set of Personal Data required for professional communication, contract performance and our business relationships.
5. Data security
We handle Personal Data only as permitted by data protection regulations. We use a variety of technical and organizational measures to help protect your Personal Data from unauthorized access, disclosure, modification, loss or destruction in accordance with applicable data protection laws.
When handling Personal Data, our employees are obliged to comply with the regulations of the GDPR.
6. What are your rights with respect to Processing of Personal Data?
6.1. Rights under the GDPR
CPRA, GDPR and other applicable data protection laws protect certain rights for Data Subjects. In particular:
Right of Access – right to obtain confirmation of which of your Personal Data is processed and information about it, for instance, which are the purposes of the Processing, what are the conservation periods, among others.
Right to Erasure or “right to be forgotten” – right to erase your Personal Data, provided that there are no valid grounds for its retention, for example in cases where we have to keep the Personal Data to comply with legal obligation or because a court case is in progress.
Right to Data Portability – right to receive the Personal Data you have provided us in a digital format of current use and automatic reading or to request the direct transmission of your Personal Data to another entity that becomes the new responsible for your Personal Data, however only if technically possible.
Right of Rectification – right to request modification of your Personal Data that is inaccurate or request incomplete Personal Data, such as the address, VAT, email, telephone contacts, or others.
Right to object and ADM –Espacio may use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR.
When the Processing of Personal Data, including the Processing for the definition of profiles, is exclusively automatic (without human intervention) and may have effects in your legal sphere or significantly affect it, you shall have the right not to remain subject to any decision based on such automatic Processing, except as otherwise provided by law and shall have the right that we take appropriate measures to safeguard its rights and freedoms and legitimate interests, including the right to have human intervention in decision making by us, the right to express its point of view or contest the decision taken on the basis of automated individual information Processing.
6.2 Rights exclusively under the GDPR
Right to Withdraw Consent or Right of Opposition – right to object or withdraw consent at any time to Processing, for example in the case of Processing for marketing purposes, provided that no Legitimate Interests exist prevailing over your interests, rights and freedoms, such as defending a right in a judicial process.
Right of Limitation – right to request the limitation of the Processing of your Personal Data, in the form of: (i) suspension of Processing or (ii) limitation of the scope of Processing to certain categories of Personal Data or purposes of Processing.
Right to complain – right to complain to the supervisory authority, in addition to us.
For rights asserted by Data Subjects from the EU under the GDPR the period for handling a request is 30 days unless it is a particularly complex request.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
6.3 Rights exclusively under the CPRA
Right to opt-out of third-party sales and sharing – right to opt-out of third-party sharing of your Personal Data for cross-context behavioural advertising purposes and selling this data. This means that whenever you request us to stop selling or/ and sharing your data, we will abide by your request.
Right to Limit Use and Disclosure of Sensitive Personal Information (SPI) – right to limit the use and disclosure of their SPI to that which is necessary to perform the services or provide the goods.
Right to Opt-Out of ADM technology – right to opt-out of being subject to automated decision-making processes, including profiling.
The exercise of rights is free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged regarding its costs.
The information must be provided in writing but may be given orally if requested. In this case, we should verify your identity by means other than oral.
The response to requests based on the provisions of the CPRA should be provided within a maximum of 45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
For rights asserted by Data Subjects from the EU under the GDPR the period for handling a request is 30 days unless it is a particularly complex request.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
7. Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
8. Processing data related to children
Our services are not intended for and may not permissibly be used by individuals under the age of 13. Espacio does not knowingly collect personal data from persons under 13 or allow them to register. If it comes to our attention that we have collected or processed personal data from such a person, we may delete this information without notice.
9. Changes to our data protection provisions
We reserve the right to modify this Privacy Policy, so it is always in compliance with the current legal requirements or to implement changes to services in the Privacy Policy, e.g., when introducing new services. In this case, your future visits to our website will be subject to the updated Privacy Policy.
If you have additional questions regarding the processing of your Personal Data, please feel free to contact us directly, either by email at [[email protected]] .
10. Contact information
10.1. General
If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, your choices and rights regarding such use please do not hesitate to contact us:
Phone: [052-211-9017]
Website: [https://www.espacioenterprise.com/privacy/]
Email: [[email protected]]
Postal Address: 23-18, Nishiki 3-chome,
Naka-ku, Nagoya-shi, Aichi
Nagoya, Aichi 460-0003
Attn: Personal Information Administration Office
10.2. Data Subject Requests from EU and UK Data Subjects according to the GDPR
We value your Data Subject Rights under GDPR and therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
European Union (EU)
United Kingdom (UK)
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/19363884230
10.3. Requests from California residents according to the CPRA
To exercise the data subject rights described above in 6.1. and 6.3., California residents may submit a verifiable consumer request to us by either:
Email us at [[email protected]
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or for disclosure what personal information is sold or shared and to whom, twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Annex 1
ADM | means Automated decision-making; |
CCPA | means the California Consumer Privacy Act (CCPA) signed into law on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375 |
CPRA | means the California Privacy Right Act of 2020, |
Consent of the Data Subject | means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her; |
Contract Performance | means concluding, maintaining, and completing of a contract concluded between the Controller and a Data Subject, including Processing activities which take place at the request of the Data Subject before entering into a contractual relation; |
Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law; |
Data Subject | is any natural person whose Personal Data is being collected, held or processed. Examples of a Data Subject can be an individual, a customer, a prospect, an employee, a contact person, etc; |
Direct Marketing | means personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations; |
General Data Protection Regulation (GDPR) | is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj ; |
Legitimate Interest | means the Controller’s interest to process Personal Data in order to carry out tasks related to the Controller‘s business activities. The processing of Personal Data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with a Data Subject; |
Personal Data | means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, but is not limited to the term ‘Personal Information’ according to Section 1798.140. (v) (1-3) of the CPRA.; |
Personal Information | means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household, according to Section 1798.140. (v) (1-3) of the CPRA; |
Processing | means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
Processor | means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller; |
Recipient
|
means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those Personal Data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing; |
Selling | means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration, according to Section 1798.140. (ad) (1-2) of the CPRA. |
Sensitive Personal Information | means personal information that reveals: the social security, driver’s license, state identification card, or passport number. An account log-in, financial account, debit card, or credit card number, or credentials allowing access to an account, the precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership, content of a consumer’s mail, email and text messages unless the business is the intended recipient of the communication, and genetic data, according to Section 1798.140. (ae) (1-3) of the CPRA. |