AIOHub Privacy Policy

Enacted: February 19, 2026
Last Updated: April 7, 2026
Operator: LuxuCare Inc.

1. Introduction

LuxuCare Inc. (hereinafter "the Company") recognizes the protection of personal information of Users as an important responsibility in providing the AI business information platform "AIOHub" (hereinafter "the Service"), and complies with the Act on the Protection of Personal Information (APPI) and other applicable laws and regulations.

2. Information We Collect

2-1. Information Provided by Users

• Account Information: Email address, password (stored in hashed form) (at account registration)
• Organization Information: Company/organization name, industry, operating region, website URL (during onboarding)
• Company Profile Information: Business description, service descriptions, FAQs, etc. (during Entry creation and AI Interviews)
• Website Information: Publicly available information retrieved from URLs specified by Users (during AI Interview Stage 1)
• KYB Verification Documents: Identity verification documents (at KYB verification application)
• Inquiry Content: Name, email address, message body (when submitting inquiries)
• Payment Information: Credit card information is managed by Stripe, Inc. and is not retained by the Company (when subscribing to paid plans)

2-2. Automatically Collected Information

• Access Logs: IP address, browser type, access date and time (for service operation and security purposes)
• Usage Data: Page view history, AI Credit consumption history, login history (for service improvement and analysis purposes)
• Cookie Information: Session management cookies (for authentication and session maintenance purposes)

Voice Data: AIOHub does not store any voice data. When using the voice input feature, your browser (such as Chrome) converts speech to text, and AIOHub receives only the resulting text. Voice data is processed by your browser's speech recognition service (such as Google) and is not transmitted to AIOHub's servers.

2-3. Information Provided by Consumer Users (Comment Feature Users)

The Company obtains the following information through Google's OAuth authentication for the use of the comment feature:

• Email address (provided by Google)
• Display name (provided by Google; modifiable by the user)
• Profile image URL (provided by Google)

The Company does not retain any passwords for Consumer Users. Authentication is delegated to Google's OAuth service.

2-4. Information Automatically Recorded When Posting Comments

• IP address and timestamp

The above information is stored for the purpose of responding to disclosure requests for sender identification information under the Act on Limitation of Liability of Specified Telecommunications Service Providers and Right of Demand for Disclosure of Identification Information of Senders (Provider Liability Limitation Act).

Retention period: 1 year from the date of posting. The information is automatically deleted after the retention period expires. It is not used for marketing, behavioral analysis, or profiling purposes.

3. Purpose of Information Use

The Company uses collected information for the following purposes:

1. Provision, operation, and maintenance of the Service
2. User authentication and account management
3. Provision of AI features (AI Interviews, Block generation, etc.)
4. Accessing website URLs specified by Users and retrieving/structuring publicly available information
5. Publication of Company Pages and provision of information to AI search engines
6. Billing and payment processing
7. Conducting KYB Verification
8. Service improvement and new feature development
9. Usage analysis (including statistical processing)
10. Sending notifications and announcements to Users
11. Detection and prevention of fraudulent use
12. Compliance with applicable laws

4. Disclosure of Information to Third Parties

4-1. Publication Based on User Consent

When a User sets their Company Page to "Published," the information posted on that page becomes accessible to third parties through the following means:

• Viewing via web browsers
• Retrieval by AI search engine crawlers (ChatGPT, Gemini, Perplexity, etc.)
• Display on AIOHub Explore (search and category pages)
• Distribution as structured data through JSON-LD, sitemap.xml, and llms.txt

Important: Information posted on Public Pages should consist solely of business information that the User intends to make public. Please do not post information that constitutes "personal data" under the APPI on Public Pages.

4-1a. Scope of Published Information Use

Information on Company Pages that Users have set to "Published" may be used by third parties in the following ways:

• AI services such as ChatGPT, Gemini, and Perplexity may cite or reference your company's information in their responses.
• Search engines such as Google may display it in search results.
• Other users may view it through AIOHub's search feature.
• In the future, external applications may access it through our API.

AIOHub does not guarantee that such citation or reference will occur.

IMPORTANT: Do not publish trade secrets, non-public financial information, personal information, or other confidential information on your public pages.

4-2. Provision to Service Processors (External Data Transmission List)

The Company transmits data to the following external services for the purpose of providing the Service (disclosed pursuant to Article 27-12 of the Telecommunications Business Act).

4-3. Disclosure Required by Law

The Company may provide information to the extent necessary when disclosure is required by applicable law.

5. Handling of Information in AI Features

The Service transmits business information entered by Users to an AI (Anthropic's Claude API) for the generation and optimization of structured data.

For details, please refer to Anthropic's Privacy Policy.

1. Responses entered by Users during AI Interviews are transmitted to Anthropic, PBC's API for AI-powered Block generation.
2. Data sent is not used for model training by Anthropic (per their Acceptable Use Policy).
3. AI-generated content is stored in the Company's database and can be edited or deleted by Users.

5-2. Data Separation Principle

AIOHub does not use drafts, unpublished content, or AI Interview responses entered by a User for the analysis or recommendations of other Users. Cross-industry analysis uses only information from public pages and anonymized statistical data.

5-3. Website URL Reading Feature (AIOHubBot)

• Only targets URLs entered by Users themselves
• Respects robots.txt directives
• Retrieved HTML data is discarded after AI processing and is not stored long-term
• Retrieved data is not used for model training

5-4. Use of Anonymized Statistical Data

AIOHub uses the following anonymized statistical data to improve AI Interview question accuracy by industry:

Data we use:

• Statistical information on which types of questions were effective, aggregated by industry

Data we do not use:

• Company names, original response text, or any information that could identify individuals

This statistical data is generated only when a sufficient number of data points have been collected, and individual companies or responses cannot be identified from it.

5-5. Data Integration via API

Users on Pro and Business plans may issue API keys to integrate with external systems. Data registered or retrieved via the API is subject to the same access controls as data registered through the dashboard (users can only access their own organization's data).

6. Use of Cookies

The Service uses cookies for the following purposes:

• Session Cookies: Maintaining login status (essential)
• Authentication Cookies: Storing session tokens (essential)

The Service does not use advertising cookies or third-party tracking cookies.

The following external services may use cookies or similar technologies within the Service (disclosed pursuant to Article 27-12 of the Telecommunications Business Act):

• Cloudflare Turnstile: Bot detection (functional cookie)
• Vercel Analytics: Access analytics (analytics cookie)

No advertising cookies or third-party tracking cookies are used.

7. Information Storage and Security

1. User information is transmitted and received through encrypted communications (TLS).
2. Passwords are stored in hashed form and are never retained in plain text.
3. Row Level Security (RLS) is applied to the database to ensure Users can only access their own organization's data.
4. KYB verification documents are securely stored after verification is complete.

8. Data Retention Periods

9. User Rights

Users may exercise the following rights under the Act on the Protection of Personal Information (APPI):

1. Right to Disclosure — You may request disclosure of personal information held by the Company
2. Right to Correction, Addition, or Deletion — You may request correction if your personal information is inaccurate
3. Right to Suspension or Erasure — You may request suspension of use when grounds exist under applicable law
4. Right to Stop Third-Party Provision — You may request cessation of third-party provision when grounds exist under applicable law

To exercise your rights, please contact us at the address provided in Section 12. We will respond within the period prescribed by law after verifying your identity.

10. Cross-Border Transfer

Some of the Service's infrastructure is operated on servers located outside Japan (Vercel Inc.: United States, Supabase, Inc.: United States, Anthropic, PBC: United States). User information may be transferred to these countries to the extent necessary for providing the Service, with appropriate security measures in place.

11. Changes to This Policy

If the Company changes this policy, the amended policy will be posted on the Service, and Users will be notified at least 30 days before the effective date of the changes.

12. Contact Information

For inquiries regarding the handling of personal information, please contact us at:

Operator: LuxuCare Inc.
Data Protection Manager: Genki Kono
Email: info@aiohub.jp

13. Privacy Policies of Related Services

The privacy policies of external services used by the Service are as follows:

14. Additional Information for Users in the European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the following additional provisions apply to the processing of your personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR").

14-1. Data Controller

LuxuCare Inc.
4-19-24 Ichinomiya-Nishimachi, Kochi-shi, Kochi 781-8136, Japan
Email: info@aiohub.jp

14-2. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including account creation, service provision, and payment processing.
• Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, where these interests are not overridden by your rights and freedoms.

14-3. Your Rights Under GDPR

In addition to the rights described in Section 9, if you are located in the EEA, you have the following rights:

• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access such data.
• Right to Rectification (Art. 16 GDPR): You have the right to obtain rectification of inaccurate personal data concerning you.
• Right to Erasure (Art. 17 GDPR): You have the right to obtain erasure of your personal data under certain conditions ("right to be forgotten").
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to obtain restriction of processing under certain conditions.
• Right to Object (Art. 21 GDPR): You have the right to object to processing of your personal data based on legitimate interests at any time.

To exercise any of these rights, please contact us at info@aiohub.jp. We will respond to your request within one month.

14-4. International Data Transfers

Your personal data is transferred to and processed in the following countries outside the EEA:

• Supabase, Inc. — United States (database and authentication)
• Vercel Inc. — United States (web hosting)
• Anthropic, PBC — United States (AI feature provision)

These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

14-5. Data Retention

• Active accounts: Data is retained while your account is active and the Service is being used.
• Deleted accounts: A 30-day recovery period applies after account deletion, after which data is permanently deleted except as required by law.
• Audit logs: Anonymized after the applicable retention period to ensure they no longer contain personal data.

14-6. Data Protection Officer

As the Company has fewer than 250 employees, a Data Protection Officer (DPO) is not required under Art. 37 GDPR. For all data protection inquiries, please contact info@aiohub.jp.

14-7. Supervisory Authority

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

Revision History

Enacted: February 19, 2026