Privacy Policy
This document is made in Japanese and translated into English for reference purposes only. In the event of any discrepancy between the Japanese and English versions, the Japanese version shall prevail.
Woodstock K.K. (hereinafter referred to as "the Company") recognizes the importance of protecting Personal Information and Individual Numbers (hereinafter collectively referred to as "Personal Information, etc.") and, in accordance with the following privacy policy (hereinafter referred to as "this Privacy Policy"), strives to ensure their appropriate handling and protection.
1. Compliance with Applicable Laws and Regulations
The Company complies with the Act on the Protection of Personal Information (hereinafter referred to as the "APPI"), the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (hereinafter referred to as the "Number Act"), relevant laws and regulations, and guidelines of supervising authorities (hereinafter collectively referred to as "Applicable Laws and Regulations").
2. Purposes of Use of Personal Information, etc.
The Company uses Personal Information, etc. for the following purposes:
(1) For the provision of services related to stock investment, etc. under the name "Woodstock" operated by the Company (including services whose name or content has been changed for any reason) and other services of the Company (hereinafter referred to as "the Company's Services")
(2) For registration as a customer of the Company's Services
(3) For responding to inquiries, requests for information, etc. regarding the Company's Services
(4) For providing information on the Company's products, services, etc.
(5) For ensuring that advertisements of the Company placed by third parties are appropriately delivered or displayed
(6) For addressing violations of the Company's terms of use, policies, etc. (hereinafter referred to as "Terms, etc.") regarding the Company's Services
(7) For notifying changes to the Terms, etc. regarding the Company's Services
(8) For analyzing information regarding the Customer's usage status of the Company's Services and using it to improve the Company's services, develop new services, etc.
(9) For creating statistical data processed into a form that cannot identify individuals in connection with the Company's Services
(10) For procedures related to application and notification for opening a financial instruments transaction account (hereinafter referred to as "Securities Account") with the affiliated Financial Instruments Business Operator (hereinafter referred to as "Affiliated FIBO") and for preparing and submitting statutory documents related to financial instruments transactions
(11) Other purposes incidental to the above purposes of use
Notwithstanding the provisions of the preceding items, Individual Numbers shall be used only for the purpose set forth in item (10).
3. Methods of Collecting Personal Information, etc.
In providing the Company's Services (as defined in Section 2), the Company collects the following information from customers of the Company's Services through the following methods:
(1) Information Collected
Name, date of birth, age, gender, occupation, address, telephone number, email address, Individual Number, date and time of use of the Company's Services, number of uses, details of use of the Company's Services, usage history, usage status, location information, information necessary for identity verification of the Customer, facial images taken by the Customer and facial feature data extracted or generated from such images (hereinafter referred to as "Face Authentication Data"), information regarding securities held by the Customer and assets, information regarding the Customer's transactions, other information, usage environment, and Cookies, etc.
(2) Collection Methods
① Method by which the Customer inputs information on the Company's Services
② Method of collecting information when the Customer uses the Company's Services
③ Method of receiving information from the Company's business partners (including contractors, information providers, advertisers, advertising delivery partners, etc.)
(3) Retention of Collected Information
The Company retains collected information as necessary while the Customer uses the Company's Services. The Company may, at its discretion, delete information it has collected when the Customer ceases using the Company's Services or when the Company determines that the Customer has ceased using the Company's Services.
4. Changes to Purposes of Use
The Company may change the purposes of use of Personal Information, etc. within a scope reasonably recognized as related to the original purposes, and in the event of such changes, the Company will notify or publicly announce them to the individual who is the subject of the Personal Information, etc. (hereinafter referred to as "the Individual").
5. Use of Personal Information, etc.
5.1 Except as permitted by Applicable Laws and Regulations, the Company shall not handle Personal Information, etc. beyond the scope necessary to achieve the purposes of use without obtaining the consent of the Individual. In addition, Individual Numbers shall be handled only within the scope prescribed by the Number Act and other Applicable Laws and Regulations. However, this does not apply in the following cases:
(1) When based on laws and regulations
(2) When necessary for the protection of a person's life, body, or property, and it is difficult to obtain the consent of the Individual
(3) When particularly necessary for improving public health or promoting the healthy development of children, and it is difficult to obtain the consent of the Individual
(4) When necessary to cooperate with a national government agency, local government, or a person entrusted thereby in executing affairs prescribed by laws and regulations, and there is a risk that obtaining the consent of the Individual may impede the execution of such affairs
(5) When providing personal data to an academic research institution, etc., and such academic research institution, etc. needs to handle the personal data for academic research purposes (including cases where part of the purpose of handling the personal data is for academic research purposes, excluding cases where there is a risk of unlawfully infringing on the rights and interests of the Individual).
5.2 The Company shall not use Personal Information, etc. in a manner that may encourage or induce illegal or wrongful acts.
6. Proper Acquisition of Personal Information, etc.
6.1 The Company shall acquire Personal Information, etc. by appropriate means and shall not acquire them by fraudulent or other wrongful means.
6.2 With respect to sensitive information (*) as defined in the Guidelines for Personal Information Protection in the Financial Sector, etc., the Company shall not acquire, use, or provide such information to third parties except in the following cases:
(1) When based on laws and regulations
(2) When necessary for the protection of a person's life, body, or property
(3) When particularly necessary for improving public health or promoting the healthy development of children
(4) When necessary to cooperate with a national government agency, local government, or a person entrusted thereby in executing affairs prescribed by laws and regulations
(5) When, based on the consent of the Individual and to the extent necessary for business operations, the Company acquires, uses, or provides sensitive information to third parties due to the necessity of ensuring proper business management of the Company
(6) When using biometric information that falls under sensitive information for identity verification based on the consent of the Individual
* Sensitive information refers to the following information:
- Special Care-Required Personal Information (meaning personal information containing specific descriptions, etc. that require particular care to avoid unjust discrimination, prejudice, or other disadvantages)
- Information regarding labor union membership, family origin, domicile of origin, healthcare, and sexual life (excluding those that fall under Special Care-Required Personal Information) (excluding information that has been made public by the Individual, national government agencies, local governments, academic research institutions, etc., persons listed in each item of Article 57, Paragraph 1 of the APPI or each item of Article 6 of the Enforcement Regulations, or information that is obtained by visual observation or photography of the Individual and is obvious from its external appearance).
- Other personal information that requires particular care in handling to avoid unjust discrimination, prejudice, or other disadvantages to the Individual
6.3 When receiving the provision of Personal Information, etc. from a third party, the Company shall, as prescribed by the Rules of the Personal Information Protection Commission, confirm the following matters; provided, however, that this does not apply if the provision of such Personal Information, etc. by such third party falls under any of the items of Section 5.1 or any of the items of Section 9.1:
(1) The name or trade name and address of such third party, and, in the case of a corporation, the name of its representative (or, in the case of an unincorporated organization with a designated representative or administrator, the name of such representative or administrator)
(2) The circumstances of such third party's acquisition of the Personal Information, etc.
7. Security Control Measures for Personal Information, etc.
The Company exercises necessary and appropriate supervision over its officers and employees to ensure the secure management of Personal Information, etc. against risks such as loss, destruction, falsification, and leakage of Personal Information, etc. In addition, when entrusting all or part of the handling of Personal Information, etc., the Company exercises necessary and appropriate supervision over the entrustee to ensure the secure management of Personal Information, etc.
8. Reporting in Case of Leakage, etc.
In the event of a leakage, loss, damage, or other incident involving Personal Information, etc. handled by the Company, the Company shall report to the Personal Information Protection Commission and notify the Individual as required under Applicable Laws and Regulations when such reporting and notification are required.
9. Provision to Third Parties
9.1 Except in cases falling under any of the items of Section 5.1, the Company shall not provide Personal Information, etc. to third parties without obtaining the prior consent of the Individual. However, the following cases do not constitute provision to third parties as set forth above:
(1) When Personal Information, etc. is provided in connection with entrusting all or part of the handling of Personal Information, etc. within the scope necessary to achieve the purposes of use
(2) When Personal Information, etc. is provided as a result of business succession due to merger or other reasons
(3) When jointly used based on Applicable Laws and Regulations
9.2 Notwithstanding the provisions of Section 9.1, except in cases falling under any of the items of Section 5.1, when providing Personal Information, etc. to a third party located in a foreign country (excluding countries specified by the Rules of the Personal Information Protection Commission under the APPI), excluding persons who have established a system complying with the standards specified by the Rules of the Personal Information Protection Commission under the APPI), the Company shall obtain the prior consent of the Individual to the provision to a third party located in a foreign country.
9.3 When obtaining the consent of the Individual for provision to a third party located in a foreign country pursuant to Section 9.2, the Company shall provide the Individual with information on the following matters; provided, however, that if the matter in item (1) cannot be identified, the Company shall instead provide the fact that item (1) cannot be identified and the reason therefor, as well as any information that may be useful as a reference for the Individual in place of such matter:
(1) The name of the foreign country
(2) Information on the system regarding the protection of personal information in the foreign country
(3) Information on the measures taken by the third party for the protection of personal information (if such information cannot be provided, the fact and the reason therefor)
9.4 When the Company has provided personal information to a third party, the Company shall create and retain records in accordance with the APPI.
9.5 When receiving the provision of personal information from a third party, the Company shall make necessary confirmations in accordance with the APPI, and shall create and retain records of such confirmations.
9.6 For the purpose of ensuring that appropriate advertisements are delivered or displayed, the Company may provide part of the personal information it holds (such as email addresses) to third-party advertising delivery operators (hereinafter referred to as "Advertising Delivery Operators"). In such cases, the Advertising Delivery Operators will perform irreversible conversion of the data into a form in which the Individual cannot be identified (hereinafter, the converted data is referred to as "Irreversibly Converted Data").
Advertising Delivery Operators will match such Irreversibly Converted Data with information they hold, and deliver or display the Company's advertisements based on the results. The Advertising Delivery Operators shall not use the data provided by the Company or such Irreversibly Converted Data for any purpose other than delivering or displaying the Company's advertisements. In addition, regarding advertisements from these Advertising Delivery Operators, the Customer can choose to enable or disable "behavioral targeting advertising" on the websites of the Advertising Delivery Operators.
9.7 Regarding the provision of Irreversibly Converted Data to the Advertising Delivery Operators set forth in Section 9.6, the location of such Advertising Delivery Operators may be in a foreign country. Therefore, in obtaining the Customer's consent as set forth in Section 9.2, the Company provides the following information pursuant to Section 9.3:
(1) Name of the foreign country to which the data is provided
- United States of America
(2) Information on the system regarding the protection of personal information in the United States of America
- Please check the website of the Personal Information Protection Commission. https://www.ppc.go.jp/files/pdf/USA_report.pdf
(3) Information on the measures taken by the Advertising Delivery Operators for the protection of personal information
10. Disclosure of Personal Information, etc.
10.1 When the Company is requested by the Individual to disclose Personal Information, etc. pursuant to the APPI, the Company shall, after confirming that the request is made by the Individual themselves, disclose such information to the Individual without delay (if the relevant Personal Information, etc. does not exist, the Company will notify the Individual to that effect). However, this does not apply if the Company is not obligated to disclose under Applicable Laws and Regulations. Please be advised that a fee may be charged for the disclosure of Personal Information, etc.
10.2 The provisions of the preceding paragraph shall apply mutatis mutandis to records of provision to third parties created pursuant to Section 9.4 and records of provision from third parties created pursuant to Section 9.5 that pertain to Personal Information, etc. by which the Individual is identified; provided, however, that the provisions regarding fees shall be excluded.
11. Correction, etc. of Personal Information, etc.
When the Company is requested by the Individual to correct, add, or delete (hereinafter referred to as "Correction, etc.") the content of Personal Information, etc. pursuant to the APPI on the grounds that it is not true, the Company shall, after confirming that the request is made by the Individual themselves, conduct the necessary investigation without delay within the scope necessary to achieve the purposes of use, and based on the results, make Correction, etc. of the content of the Personal Information, etc. and notify the Individual to that effect (or, if a decision is made not to make Correction, etc., notify the Individual to that effect). However, this does not apply if the Company is not obligated to make Correction, etc. under Applicable Laws and Regulations.
12. Suspension of Use, etc. of Personal Information, etc.
When the Company is requested by the Individual, pursuant to the APPI, (1) to suspend use of or erase (hereinafter referred to as "Suspension of Use, etc.") Personal Information, etc., (2) to suspend provision (hereinafter referred to as "Suspension of Provision") thereof, or (3) to suspend use of or erase or suspend provision thereof, and it is found that there is reason for such request, the Company shall, after confirming that the request is made by the Individual themselves, suspend use of or erase (hereinafter referred to as "Suspension of Use, etc.") or suspend provision (hereinafter referred to as "Suspension of Provision") of the Personal Information, etc. without delay, and notify the Individual to that effect. However, this does not apply if the Company is not obligated to suspend use of or erase or suspend provision under the APPI or other laws and regulations.
(1) Requests for Suspension of Use, etc.
① When the Personal Information, etc. of the Individual is handled beyond the scope of the purposes of use publicly announced in advance
② When it is used in a manner that may encourage or induce illegal or wrongful acts
③ When the Personal Information, etc. of the Individual was acquired by fraudulent or other wrongful means
(2) Requests for Suspension of Provision
When Personal Information, etc. is provided to a third party without the consent of the Individual
(3) Requests for Suspension of Use or Suspension of Provision
① When the Company no longer needs to use the Personal Information, etc. of the Individual
② When a situation prescribed under the APPI regarding the Personal Information, etc. of the Individual has occurred
③ When there is a risk that the rights or legitimate interests of the Individual may be harmed by the handling of the Personal Information, etc. of the Individual
13. Provision of Personally Referenced Information to Third Parties
13.1 When it is anticipated that a third party will acquire Personally Referenced Information (as defined in the APPI, limited to information constituting a Personally Referenced Information Database, etc. as defined in Article 16, Paragraph 7 of the APPI; the same applies hereinafter) as personal data, the Company shall not provide such Personally Referenced Information to such third party without confirming the following matters in advance as prescribed by the Rules of the Personal Information Protection Commission, except in cases listed in the items of Section 5.1:
(1) That the consent of the Individual has been obtained to the effect that the third party is permitted to receive the Personally Referenced Information from the Company and acquire it as personal data by which the Individual is identified.
(2) In the case of provision to a third party located in a foreign country, when seeking to obtain the consent of the Individual set forth in the preceding item, the information regarding the system for protecting personal information in such foreign country, measures taken by the third party for protecting personal information, and other information that may serve as a reference for the Individual has been provided to the Individual in advance, as prescribed by the Rules of the Personal Information Protection Commission.
13.2 When the Company has provided Personally Referenced Information to a third party, the Company shall create and retain records in accordance with the APPI.
13.3 When receiving the provision of Personally Referenced Information from a third party, the Company shall make necessary confirmations in accordance with the APPI, and shall create and retain records of such confirmations.
14. Handling of Anonymously Processed Information
14.1 When the Company creates Anonymously Processed Information (as defined in the APPI, limited to information constituting an Anonymously Processed Information Database, etc. as defined in the APPI; the same applies hereinafter), the Company shall process Personal Information, etc. in accordance with the standards prescribed by the Rules of the Personal Information Protection Commission.
14.2 When the Company has created Anonymously Processed Information, the Company shall implement measures for security control in accordance with the standards prescribed by the Rules of the Personal Information Protection Commission.
14.3 When the Company has created Anonymously Processed Information, the Company shall publicly announce the categories of information relating to individuals contained in such Anonymously Processed Information, as prescribed by the Rules of the Personal Information Protection Commission.
14.4 When the Company provides Anonymously Processed Information (including that created by the Company and that provided by a third party; the same applies hereinafter unless otherwise specified) to a third party, the Company shall, as prescribed by the Rules of the Personal Information Protection Commission, publicly announce in advance the categories of information relating to individuals contained in the Anonymously Processed Information to be provided to the third party and the method of provision, and also indicate to such third party that the information to be provided is Anonymously Processed Information.
14.5 In handling Anonymously Processed Information, the Company shall not engage in any of the following acts for the purpose of identifying the Individual pertaining to the Personal Information, etc. used to create the Anonymously Processed Information:
(1) Comparing Anonymously Processed Information with other information
(2) Acquiring, with respect to Anonymously Processed Information provided by a third party, descriptions, etc. or personal identification codes deleted from the relevant Personal Information, etc., or information regarding the methods of processing carried out pursuant to the provisions of the APPI
14.6 The Company shall endeavor to implement necessary and appropriate measures for the security control of Anonymously Processed Information, handle complaints regarding the creation and other handling of Anonymously Processed Information, and take other measures necessary to ensure the proper handling of Anonymously Processed Information, and shall endeavor to publicly announce the content of such measures.
15. Use of Cookies and Other Technologies
The Company's Services may use Cookies and similar technologies. These technologies assist the Company in understanding the usage status of the Company's Services and contribute to improving services. Customers who wish to disable Cookies may do so by changing their web browser settings. However, disabling Cookies may result in the inability to use some functions of the Company's Services.
16. Continuous Improvement
The Company will review this privacy policy as appropriate in light of laws, social conditions, advances in information technology, and other factors, and will strive for continuous improvement to ensure the appropriate handling of retained Personal Information, etc. relating to customers.
17. Handling of Face Authentication Data
In connection with procedures for opening a Securities Account with the Affiliated FIBO, when the Company acquires Face Authentication Data for the purpose of identity verification and prevention of unauthorized use, the Company shall handle such data in accordance with the following provisions in addition to the provisions set forth in the preceding sections:
17.1 Content of Information Collected
The Company strictly manages the Customer's Face Authentication Data as information falling under "Personal Identification Codes" under the APPI.
17.2 Purposes of Use
The Company acquires the Customer's Face Authentication Data for use for the following purposes in addition to the purposes of use of Personal Information, etc. set forth in Section 2:
(1) Identity verification and confirmation of identity of the Customer when opening a Securities Account with the Affiliated FIBO
(2) Prevention of unauthorized access to and impersonation-based use of the Securities Account with the Affiliated FIBO
(3) Confirmation of the Customer's compliance status with laws and regulations after opening a Securities Account with the Affiliated FIBO
17.3 Provision to Third Parties
To facilitate the smooth execution of Securities Account opening procedures, achieve the purposes of use set forth in the preceding paragraph, and fulfill the obligation of identity verification under laws and regulations, the Company provides the collected Face Authentication Data to the Affiliated FIBO or external contractors responsible for identity verification procedures:
(1) Recipients: AlpacaJapan Co., Ltd. (Affiliated FIBO)
: Liquid Co., Ltd. (External Contractor)
(2) Purpose of Provision: Execution of Securities Account opening and identity verification procedures
(3) Information Provided: Face Authentication Data
17.4 Retention and Management
When the Company has provided data to the Affiliated FIBO and external contractors, retention shall be carried out in accordance with the privacy policies and security control measures under the APPI as separately prescribed by the Affiliated FIBO and the external contractors.
In addition, the external contractor Liquid Co., Ltd. retains such information on Amazon Web Services Japan GK and Google Cloud Platform (as quoted from its "Privacy Policy").
Furthermore, when the Company directly retains Face Authentication Data, it does so in accordance with Sections 3(3) and 7. Specifically, after the Securities Account opening procedures are completed, the data is retained on Amazon Web Services Japan GK for the period prescribed by laws and regulations, and records are created and retained in accordance with Section 9.4.
17.5 Disclosure
When the Company is requested by the Individual to disclose Face Authentication Data, the Company shall do so in accordance with Section 10 of this Policy.
18. Inquiries
Requests for disclosure, etc., opinions, questions, complaints, and other inquiries regarding the handling of Personal Information, etc. should be directed to the following contact:
Woodstock K.K.
E-mail: support@woodstock.co
[Established: March 29, 2022]
[Revised: October 6, 2022]
[Revised: August 1, 2024]
[Revised: November 20, 2024]
[Revised: February 4, 2026]
[Revised: February 21, 2026]