AIOHub Privacy Policy

Enacted: February 19, 2026
Last Updated: February 25, 2026
Operator: LuxuCare Inc.

1. Introduction

LuxuCare Inc. (hereinafter "the Company") recognizes the protection of personal information of Users as an important responsibility in providing the AI business information platform "AIOHub" (hereinafter "the Service"), and complies with the Act on the Protection of Personal Information (APPI) and other applicable laws and regulations.

2. Information We Collect

2-1. Information Provided by Users

• Account Information: Email address, password (stored in hashed form) (at account registration)
• Organization Information: Company/organization name, industry, operating region, website URL (during onboarding)
• Company Profile Information: Business description, service descriptions, FAQs, etc. (during Entry creation and AI Interviews)
• Website Information: Publicly available information retrieved from URLs specified by Users (during AI Interview Stage 1)
• KYB Verification Documents: Identity verification documents (at KYB verification application)
• Inquiry Content: Name, email address, message body (when submitting inquiries)
• Payment Information: Credit card information is managed by Stripe, Inc. and is not retained by the Company (when subscribing to paid plans)

2-2. Automatically Collected Information

• Access Logs: IP address, browser type, access date and time (for service operation and security purposes)
• Usage Data: Page view history, AI Credit consumption history, login history (for service improvement and analysis purposes)
• Cookie Information: Session management cookies (for authentication and session maintenance purposes)

3. Purpose of Information Use

The Company uses collected information for the following purposes:

1. Provision, operation, and maintenance of the Service
2. User authentication and account management
3. Provision of AI features (AI Interviews, Block generation, etc.)
4. Accessing website URLs specified by Users and retrieving/structuring publicly available information
5. Publication of Company Pages and provision of information to AI search engines
6. Billing and payment processing
7. Conducting KYB Verification
8. Service improvement and new feature development
9. Usage analysis (including statistical processing)
10. Sending notifications and announcements to Users
11. Detection and prevention of fraudulent use
12. Compliance with applicable laws

4. Disclosure of Information to Third Parties

4-1. Publication Based on User Consent

When a User sets their Company Page to "Published," the information posted on that page becomes accessible to third parties through the following means:

• Viewing via web browsers
• Retrieval by AI search engine crawlers (ChatGPT, Gemini, Perplexity, etc.)
• Display on AIOHub Explore (search and category pages)
• Distribution as structured data through JSON-LD, sitemap.xml, and llms.txt

Important: Information posted on Public Pages should consist solely of business information that the User intends to make public. Please do not post information that constitutes "personal data" under the APPI on Public Pages.

4-2. Provision to Service Processors (External Data Transmission List)

The Company transmits data to the following external services for the purpose of providing the Service (disclosed pursuant to Article 27-12 of the Telecommunications Business Act).

4-3. Disclosure Required by Law

The Company may provide information to the extent necessary when disclosure is required by applicable law.

5. Handling of Information in AI Features

The Service transmits business information entered by Users to an AI (Anthropic's Claude API) for the generation and optimization of structured data.

For details, please refer to the Anthropic Privacy Policy.

1. Responses entered by Users during AI Interviews are transmitted to Anthropic, PBC's API for AI-powered Block generation.
2. The transmitted data is not used for training Anthropic's models (pursuant to Anthropic's API Terms of Use).
3. AI-generated content is stored in the Company's database and can be edited or deleted by Users.

5-2. Website URL Reading Feature (AIOHubBot)

• Only targets URLs entered by Users themselves
• Respects robots.txt directives
• Retrieved HTML data is discarded after AI processing and is not stored long-term
• Retrieved data is not used for model training

6. Use of Cookies

The Service uses cookies for the following purposes:

• Session Cookies: Maintaining login status (essential)
• Authentication Cookies: Storing session tokens (essential)

The Service does not use advertising cookies or third-party tracking cookies.

7. Information Storage and Security

1. User information is transmitted and received through encrypted communications (TLS).
2. Passwords are stored in hashed form and are never retained in plain text.
3. Row Level Security (RLS) is applied to the database to ensure Users can only access their own organization's data.
4. KYB verification documents are securely stored after verification is complete.

8. Data Retention Periods

9. User Rights

Users may exercise the following rights under the Act on the Protection of Personal Information (APPI):

1. Right to Disclosure — You may request disclosure of personal information held by the Company
2. Right to Correction, Addition, or Deletion — You may request correction if your personal information is inaccurate
3. Right to Suspension or Erasure — You may request suspension of use when grounds exist under applicable law
4. Right to Stop Third-Party Provision — You may request cessation of third-party provision when grounds exist under applicable law

To exercise your rights, please contact us at the address provided in Section 12. We will respond within the period prescribed by law after verifying your identity.

10. Cross-Border Transfer

Some of the Service's infrastructure is operated on servers located outside Japan (Vercel Inc.: United States, Supabase, Inc.: United States, Anthropic, PBC: United States). User information may be transferred to these countries to the extent necessary for providing the Service, with appropriate security measures in place.

11. Changes to This Policy

If the Company changes this policy, the amended policy will be posted on the Service, and Users will be notified at least 30 days before the effective date of the changes.

12. Contact Information

For inquiries regarding the handling of personal information, please contact us at:

Operator: LuxuCare Inc.
Data Protection Manager: Genki Kono
Email: support@luxucare.co.jp

13. Privacy Policies of Related Services

The privacy policies of external services used by the Service are as follows:

14. Additional Information for Users in the European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the following additional provisions apply to the processing of your personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR").

14-1. Data Controller

LuxuCare Inc.
4-19-24 Ichinomiya-Nishimachi, Kochi-shi, Kochi 781-8136, Japan
Email: support@luxucare.co.jp

14-2. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including account creation, service provision, and payment processing.
• Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, where these interests are not overridden by your rights and freedoms.

14-3. Your Rights Under GDPR

In addition to the rights described in Section 9, if you are located in the EEA, you have the following rights:

• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access such data.
• Right to Rectification (Art. 16 GDPR): You have the right to obtain rectification of inaccurate personal data concerning you.
• Right to Erasure (Art. 17 GDPR): You have the right to obtain erasure of your personal data under certain conditions ("right to be forgotten").
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to obtain restriction of processing under certain conditions.
• Right to Object (Art. 21 GDPR): You have the right to object to processing of your personal data based on legitimate interests at any time.

To exercise any of these rights, please contact us at support@luxucare.co.jp. We will respond to your request within one month.

14-4. International Data Transfers

Your personal data is transferred to and processed in the following countries outside the EEA:

• Supabase, Inc. — United States (database and authentication)
• Vercel Inc. — United States (web hosting)
• Anthropic, PBC — United States (AI feature provision)

These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

14-5. Data Retention

• Active accounts: Data is retained while your account is active and the Service is being used.
• Deleted accounts: A 30-day recovery period applies after account deletion, after which data is permanently deleted except as required by law.
• Audit logs: Anonymized after the applicable retention period to ensure they no longer contain personal data.

14-6. Data Protection Officer

As the Company has fewer than 250 employees, a Data Protection Officer (DPO) is not required under Art. 37 GDPR. For all data protection inquiries, please contact support@luxucare.co.jp.

14-7. Supervisory Authority

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

Revision History

Enacted: February 19, 2026