Shotoka Shotoka

Privacy Policy

Effective Date: February 6, 2026
Last Updated: February 6, 2026

1. Introduction

At Shotoka K.K. (Kabushiki Kaisha, 株式会社), a Japanese corporation ("Shotoka," "we," "our," or "us"), we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, process, share, and store your information when you use the Shotoka platform, including our web application, mobile applications (when available), APIs, and all related services (collectively, the "Service").

This Privacy Policy is incorporated into and forms part of our Terms and Conditions. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Data Controller and Contact Information

Shotoka K.K. is the data controller responsible for your personal data under this Privacy Policy.

Contact Information:

  • Company: Shotoka K.K. (Shotoka Kabushiki Kaisha / ショトカ株式会社)
  • Location: Fukuoka, Japan
  • Privacy Inquiries:
  • General Support:

3. Scope and Applicability

3.1 Consumer Users vs. Business Users

This Privacy Policy applies to all users of the Service. However, data handling practices may differ between:

  • Consumer Users: Individuals using the Service for personal, non-commercial purposes
  • Business Users: Organizations or individuals using the Service for commercial or business purposes, including API users

Where practices differ, we will clearly indicate which applies to you.

3.2 Third-Party Services

The Service integrates with third-party AI models (OpenAI, Anthropic, Google, etc.). When you use these models through our Service, their respective privacy policies also apply. We encourage you to review the privacy policies of third-party AI model providers.

4. Information We Collect

4.1 Information You Provide to Us

We collect information that you voluntarily provide:

  • Account Information: Email address, name, password, and profile information when you create an account
  • Payment Information: Billing details and payment method information (processed securely through third-party payment processors like Stripe)
  • User Input: Prompts, instructions, documents, files, and other content you provide to create workflows and use AI models
  • Workflow Data: Workflows, configurations, and automation sequences you create
  • Communications: Messages you send to us, feedback, survey responses, and support requests
  • Preferences: Settings, language preferences, and customization choices

4.2 Information We Automatically Collect

When you use the Service, we automatically collect certain information:

  • Device Information: Device type, operating system, browser type and version, device identifiers, IP address
  • Usage Information: Pages visited, features used, actions taken, time spent, workflow executions, AI model usage
  • Log Data: Server logs, error reports, diagnostic data, performance metrics
  • Location Information: General geographic location based on IP address (not precise location)
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar tracking technologies (see Section 12)

4.3 Information from Third Parties

We may receive information from:

  • Authentication Providers: If you sign in using a third-party service (Google, etc.), we receive basic profile information
  • Payment Processors: Transaction confirmation and payment status from Stripe or other payment providers
  • Analytics Providers: Aggregated usage statistics and performance data

5. How We Use Your Information

We use the information we collect for the following purposes:

5.1 To Provide and Maintain the Service

  • Process and execute your workflows and AI model requests
  • Provide access to third-party AI models
  • Store and manage your workflows, data, and configurations
  • Process payments and manage your credits
  • Provide customer support and respond to your inquiries
  • Send service-related communications (confirmations, technical notices, updates)

5.2 To Improve and Develop the Service

  • For Consumer Users: We may use your usage data and, with your consent, your Input and Output to improve the Service and develop new features. You can opt out in your Privacy Settings.
  • For Business Users: We do not use your Input or Output to train AI models or improve the Service. We may use aggregated, anonymized usage statistics.
  • Conduct research and analytics to understand usage patterns
  • Test new features and functionality
  • Monitor and analyze trends, usage, and activities

5.3 For Safety and Security

  • Detect, prevent, and address fraud, abuse, and security issues
  • Enforce our Terms and Conditions and Acceptable Use Policy
  • Investigate and prevent violations of our policies
  • Protect the rights, property, and safety of Shotoka, our users, and the public

5.4 For Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Respond to lawful requests from authorities
  • Establish, exercise, or defend legal claims

5.5 With Your Consent

We may use your information for other purposes with your explicit consent, which you can withdraw at any time.

6. Model Training and Service Improvement

6.1 Business Users

We do not use Business User Input or Output to train AI models or improve the Service. This applies to all commercial use, including API access and business accounts.

6.2 Consumer Users

For Consumer Users, we may use your Input, Output, and usage data to improve the Service and strengthen safeguards against harmful usage only if you choose to allow it.

  • Opt-In/Opt-Out: You can choose your preference during account creation and change it anytime in your Privacy Settings
  • Data Retention: If you allow data use for improvement, we retain data for up to 5 years. If you opt out, we retain data for 30 days for safety monitoring only
  • What We Don't Do: We do not use your data to train third-party AI models or share it with third parties for their model training

6.3 Third-Party AI Models

When you use third-party AI models (OpenAI, Anthropic, Google, etc.) through our Service, your Input is sent to those providers. Their model training policies apply to that data. We recommend reviewing their privacy policies and opting out of training where available.

7. How We Share Your Information

We do not sell your personal data. We share your information only in the following circumstances:

7.1 Third-Party AI Model Providers

When you use third-party AI models, we transmit your Input to those providers (OpenAI, Anthropic, Google, etc.) to generate Output. This is necessary to provide the Service. Each provider has its own privacy policy governing how they handle your data.

7.2 Service Providers and Subprocessors

We share data with trusted third-party service providers who assist us in operating the Service:

  • Cloud hosting providers (for infrastructure and data storage)
  • Payment processors (Stripe) for payment processing
  • Analytics providers for aggregated usage analytics
  • Email service providers for transactional emails
  • Customer support tools for managing support requests

These providers are bound by confidentiality obligations and may only use your data to provide services to us.

7.3 Business Transfers

If Shotoka is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

7.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Requests from law enforcement or government authorities
  • Protection of our rights, property, or safety, or that of our users or the public
  • Investigation of fraud, security issues, or violations of our policies

7.5 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

8. Data Retention

8.1 Account and Workflow Data

We retain your account information, workflows, and configurations indefinitely while your account is active. You can delete your account at any time, which will trigger deletion of your data according to our retention schedule.

8.2 Input and Output Data

  • Consumer Users (opt-in to improvement): Up to 5 years for service improvement purposes
  • Consumer Users (opt-out): 30 days for safety monitoring, then deleted
  • Business Users: 30 days for safety monitoring, then deleted (unless you configure longer retention in your account settings)

8.3 Log Data

We retain server logs and diagnostic data for up to 90 days. Some logs may be retained longer for security investigations or legal compliance.

8.4 After Account Deletion

When you delete your account, we provide a 30-day grace period during which you can retrieve your data. After this period, we permanently delete your data, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance).

9. International Data Transfers

Shotoka K.K. is based in Fukuoka, Japan. Your information may be transferred to, stored, and processed in Japan and other countries where Shotoka or our service providers operate.

9.1 Legal Basis for Transfers

When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Your explicit consent to the transfer
  • Other legally recognized transfer mechanisms

9.2 Data Protection Standards

We ensure that transferred data receives adequate protection by requiring our service providers to implement appropriate safeguards consistent with applicable data protection laws, including the EU GDPR and Japan's Act on the Protection of Personal Information (APPI).

10. Your Rights and Choices

You have certain rights regarding your personal data, which vary depending on your location:

10.1 Rights for All Users

  • Access: Request access to your personal data
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Data Portability: Request a copy of your data in a structured, machine-readable format
  • Opt-Out of Marketing: Unsubscribe from marketing communications (service-related emails cannot be opted out of while using the Service)

10.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)

  • Object to Processing: Object to processing based on legitimate interests
  • Restrict Processing: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
  • Lodge a Complaint: Lodge a complaint with your local supervisory authority

10.3 Additional Rights for California Users (CCPA/CPRA)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale or sharing of personal information (we do not sell)
  • Right to non-discrimination for exercising privacy rights

10.4 Additional Rights for Japanese Users (APPI)

  • Right to disclosure of personal information
  • Right to request correction, addition, or deletion
  • Right to request suspension of use or erasure
  • Right to request suspension of provision to third parties

10.5 How to Exercise Your Rights

To exercise your rights, you can:

  • Access your Privacy Settings in your account
  • Contact us at
  • Submit a request through our support system

We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR requests, 45 days for CCPA requests).

11. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Security Measures

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee training on data protection and security
  • Incident response and breach notification procedures
  • Secure development practices and code reviews

11.2 Your Responsibility

You are responsible for maintaining the confidentiality of your account credentials. We recommend using a strong, unique password and enabling two-factor authentication if available. Please notify us immediately if you suspect unauthorized access to your account.

11.3 No Absolute Security

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You should maintain backups of important data.

12. Cookies and Tracking Technologies

12.1 What We Use

We use cookies, web beacons, and similar tracking technologies to collect information about your use of the Service.

12.2 Types of Cookies

  • Essential Cookies: Necessary for the Service to function (authentication, security, preferences)
  • Analytics Cookies: Help us understand how users interact with the Service
  • Functional Cookies: Remember your preferences and settings

12.3 Your Cookie Choices

You can control cookies through your browser settings. Note that disabling cookies may affect the functionality of the Service. Essential cookies cannot be disabled while using the Service.

12.4 Do Not Track

Some browsers have a "Do Not Track" feature. We do not currently respond to Do Not Track signals, but we do not track your browsing activity across third-party websites.

13. Children's Privacy

The Service is not intended for children under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at . We will delete such information promptly.

14. Legal Basis for Processing (GDPR)

For users in the EEA, UK, and Switzerland, we process your personal data based on the following legal grounds:

  • Contract: Processing is necessary to perform our contract with you (providing the Service)
  • Consent: You have given clear consent for specific processing purposes (e.g., marketing, service improvement)
  • Legitimate Interests: Processing is necessary for our legitimate interests (improving the Service, fraud prevention, security) where not overridden by your rights
  • Legal Obligation: Processing is necessary to comply with legal obligations

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will notify you by:

  • Updating the "Last Updated" date at the top of this Privacy Policy
  • Sending an email notification to your registered email address
  • Displaying a prominent notice in the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

16. Additional Information for Specific Jurisdictions

16.1 European Union, UK, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

16.2 California

California residents can request information about personal information we have disclosed to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

California "Shine the Light" Law: You can request information about third-party disclosures by contacting privacy@shotoka.ai.

16.3 Japan

We comply with Japan's Act on the Protection of Personal Information (APPI). If you are in Japan, you have rights to disclosure, correction, suspension of use, and erasure of personal information under the APPI.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

  • Email:
  • General Support:
  • Company: Shotoka K.K. (ショトカ株式会社)
  • Location: Fukuoka, Japan

For data protection inquiries from the EEA, UK, or Switzerland, you may also contact your local supervisory authority.

18. Data Processing Addendum for Business Users

Business Users who process personal data through the Service may require a Data Processing Addendum (DPA) to comply with data protection laws. A DPA is available upon request.

To request a DPA, please contact us at .