CROM Privacy Policy

We value your privacy and are committed to protecting your Personal Information. This Privacy Policy explains how we handle Personal Information in connection with the CROM service (hereinafter referred to as "the Service").

1. Basic Policy

1.1. We comply with the Act on the Protection of Personal Information and other applicable laws and related guidelines, and handle your Personal Information appropriately.

1.2. We will not disclose or provide your Personal Information to third parties without your consent, except as required by law.

1.3. We implement appropriate technical and organizational measures to ensure the security of your Personal Information.

2. Definition of Personal Information

"Personal Information" as used in this Privacy Policy refers to personal information as defined by the Act on the Protection of Personal Information, meaning information relating to a living individual that can identify a specific individual by name, date of birth, email address, or other descriptions contained in such information (including information that can be easily cross-referenced with other information and thereby used to identify a specific individual).

3. Types of Information Collected

3.1. Account Information

• Email address
• Username / Nickname
• Password (encrypted)

3.2. Service Usage Information

• Viewing and reading history of works
• Account details (user ID, nickname, icon, bio, etc.)
• Posted content
• Favorites
• CROM points and coin usage history
• In-service activity history

3.3. Payment Information

• Type of payment method
• Payment date, time, and amount
• Payment status
* Credit card numbers and other payment details are managed by our payment processing partners and are not stored by us

3.4. Device and Technical Information

• IP address
• Device identifiers (advertising ID, etc.)
• OS and browser type and version
• Screen resolution and language settings
• Access date, time, and URL
• Referrer information

3.5. Inquiry Information

• Content of inquiries
• Support history
• Contact information

4. Methods of Information Collection

4.1. Direct Provision by Users: Information that you directly enter or provide during account registration, posting, submitting inquiries, and similar activities

4.2. Automatic Collection: Information that is automatically collected through technical means when you use the Service (log data, etc.)

4.3. Acquisition from Third Parties: Information lawfully obtained from payment processing partners, social media integrations, external authentication services, and similar sources

4.4. Public Information: Posted content and other information that you have set to be publicly available

5. Purposes of Use

5.1. Service Provision and Operation

• Account management and authentication

• Content delivery and display

• Payment processing and billing management

• Customer support and inquiry handling

5.2. Service Improvement and Development

• Analysis and statistical processing of usage patterns

• Development of new features and improvement of existing features

• Enhancement of user experience and personalization

5.3. Safety and Security

• Detection and prevention of unauthorized use and fraud

• Monitoring and enforcement of Terms of Service violations

• Maintenance and improvement of system security

• Appropriate delivery of content

5.4. Marketing and Advertising

• Notifications about services and campaigns

• Delivery of personalized advertisements

• Conducting surveys and research

• Display of recommended content

5.5. Legal Compliance

• Compliance with laws and regulations

• Handling of legal matters such as rights infringement

• Responding to requests from courts, government agencies, and similar authorities

6. Disclosure to Third Parties

6.1. Prohibited in Principle: We will not provide Personal Information to third parties without your consent.

6.2. Exceptions: We may provide Personal Information to third parties only in the following cases:

• When we have obtained your consent

• When required by law

• When necessary to protect the life, body, or property of an individual

• When especially necessary for improving public health or promoting the sound development of children

• When requested by a government authority pursuant to applicable law

6.3. Outsourcing: We may provide Personal Information to the following types of service providers:

• Payment processing partners
• Cloud service providers
• Data analytics providers
• Customer support providers
• Content delivery and CDN providers
* We exercise appropriate oversight over our service providers and enter into confidentiality agreements with them

6.4. Statistical Information: We may provide statistical information that has been processed so that no individual can be identified to third parties.

7. International Data Transfers

7.1. Through the use of cloud services and similar technologies, the Service may process your Personal Information on servers located outside of Japan.

7.2. When transferring data internationally, we will verify the personal information protection framework of the destination country and implement appropriate safeguards.

8. Use of Cookies and Similar Technologies

8.1. Use of Cookies: The Service uses cookies to improve our services.

8.2. Types of Cookies

• Essential Cookies: Cookies that are strictly necessary for the provision of the Service

• Functional Cookies: Cookies that store user preferences and settings

• Analytics Cookies: Cookies that analyze usage patterns

• Advertising Cookies: Cookies that deliver personalized advertisements

8.3. Cookie Settings: You can disable cookies through your browser settings; however, some features of the Service may become unavailable.

8.4. Third-Party Cookies: Third-party services such as Google Firebase and advertising delivery services may set their own cookies.

9. Storage and Management of Personal Information

9.1. Retention Period: Personal Information is retained only for the period necessary to fulfill the purposes of use and is deleted without delay when no longer needed.

9.2. Specific Retention Periods

• Account information: 30 days from account deletion

• Usage history: 3 years from last use

• Inquiry records: 2 years from resolution

• Log information: 1 year from collection

9.3. Security Measures

• Data encryption (at rest and in transit)

• Access control and authentication systems

• Employee education and training

10. Your Rights

10.1. Right to Request Disclosure: You may request disclosure of the Personal Information we hold about you.

10.2. Right to Request Correction, Addition, or Deletion: If the content of your Personal Information is inaccurate, you may request correction, addition, or deletion.

10.3. Right to Request Suspension of Use or Erasure: You may request the suspension of use or erasure of your Personal Information.

10.4. Right to Request Cessation of Third-Party Disclosure: You may request that we cease providing your Personal Information to third parties.

10.5. Opt-Out of Marketing Communications: You may request the cessation of marketing communications, including emails.

How to Exercise Your Rights: To exercise the above rights, please submit a request through our inquiry form after identity verification. Please note that we may be unable to fulfill certain requests in accordance with applicable law.

11. Personal Information of Minors

11.1. We do not intentionally collect Personal Information from users under the age of 13.

11.2. Users aged 13 or older but under 18 must obtain consent from a parent or legal guardian before using the Service.

11.3. We handle the Personal Information of minors with particular care and implement appropriate protective measures.

11.4. If we discover that we have collected Personal Information from a user under the age of 13, we will promptly delete such information.

12. Integration with External Services

12.1. Social Media Integration: When linking with social media accounts such as X, the privacy policies of the respective social media services apply.

12.2. Payment Services: When using payment services provided by Apple, Google, or similar companies, the privacy policies of the respective services apply.

12.3. Advertising Services: We use third-party advertising delivery services, which may set their own cookies independently.

12.4. Analytics Services: We use analytics services such as Google Firebase.

13. Response to Data Breaches

13.1. In the event of a security incident involving a breach of Personal Information, we will promptly investigate the facts and take appropriate countermeasures.

13.2. As necessary, we will report the incident to the relevant authorities and notify affected users.

13.3. To prevent recurrence, we will review and strengthen our security framework.

14. Changes to This Privacy Policy

14.1. We may amend this Privacy Policy due to changes in applicable laws, modifications to our business operations, or other reasons.

14.2. In the case of material changes, we will notify you in advance through in-Service notifications, email, or other means.

14.3. The revised Privacy Policy will be published within the app and on our website, and will take effect upon publication.

14.4. If you do not agree to the changes, you may discontinue your use of the Service.

15. Contact Us / Complaints

15.1. General Inquiries: Please contact us through the inquiry form within the app.

15.2. Complaints and Consultations: If you have any complaints or concerns regarding the handling of Personal Information, please contact us. We will respond appropriately.

15.3. External Organizations: If the matter cannot be resolved by us, you may consult external organizations such as the Personal Information Protection Commission.

Contact Information:
Email: crom@crom.info
Business Hours: Weekdays 10:00-18:00 (excluding weekends, public holidays, and the year-end/New Year period)
* Please note that it may take some time for us to respond to your inquiry

16. Governing Law and Jurisdiction

This Privacy Policy shall be governed by the laws of Japan. Any disputes arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance, except where mandatory local consumer protection laws provide otherwise for users residing in the EU, UK, or United States.

17. Additional Rights for EU / UK / EEA / Swiss Residents (GDPR)

This section applies in addition to the clauses above if you reside in the European Economic Area (EEA), the United Kingdom, or Switzerland. For these users, we act as the controller of your Personal Data within the meaning of the EU General Data Protection Regulation 2016/679 ("GDPR") or the UK GDPR.

17.1. Controller: The data controller is the entity operating the crom Service (contact: crom@crom.info). If you are in the EU, you may contact us using the email above for all GDPR-related requests.

17.2. Legal bases for processing (Art. 6 GDPR): We process Personal Data only when we have a lawful basis, which includes: (a) your consent; (b) performance of a contract to which you are a party (e.g., providing the Service); (c) compliance with a legal obligation; (d) our legitimate interests (e.g., fraud prevention, network security, service improvement), balanced against your rights and freedoms.

17.3. Special category data: We do not intentionally process special categories of Personal Data (Art. 9 GDPR). If you voluntarily disclose such data through content you post, we rely on your explicit consent (Art. 9(2)(a)).

17.4. Your rights: You have the right to (a) access your Personal Data; (b) rectify inaccurate data; (c) request erasure ("right to be forgotten"); (d) restrict processing; (e) data portability in a structured, machine-readable format; (f) object to processing based on legitimate interests or direct marketing; (g) withdraw consent at any time, without affecting the lawfulness of prior processing. To exercise these rights, contact crom@crom.info. We will respond within one month (extendable by two further months for complex requests, per Art. 12(3) GDPR).

17.5. Automated decision-making: We do not engage in automated decision-making that produces legal or similarly significant effects on you (Art. 22 GDPR). Recommendation and ranking algorithms used within the Service do not fall under Art. 22.

17.6. International transfers: Your Personal Data may be transferred to and processed in Japan and other countries outside the EEA/UK where our service providers operate (e.g., the United States). Japan is recognized by the European Commission as providing an adequate level of data protection (adequacy decision of 23 January 2019). For transfers to jurisdictions not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards such as supplementary measures (encryption, pseudonymization).

17.7. Retention: We retain Personal Data only for as long as necessary for the purposes described in Section 5, or as required by law. Account information is retained for the duration of your account plus a reasonable post-termination period for audit and legal-hold purposes (typically up to 5 years).

17.8. Right to lodge a complaint: You may lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu/about-edpb/board/members_en. UK residents can contact the Information Commissioner's Office (ICO) at ico.org.uk.

17.9. EU / UK Representative: Where legally required under Art. 27 GDPR, we will appoint a representative in the EU and UK. The contact details of such representative, if appointed, will be published on this page.

17.10. Cookies and tracking (ePrivacy): We obtain your prior consent before setting non-essential cookies or similar technologies on your device, in accordance with the ePrivacy Directive (2002/58/EC) and national implementing laws (e.g., CNIL guidelines in France, TDDDG in Germany, PECR in the UK). You can withdraw consent at any time via the in-app cookie preferences.

18. Additional Rights for California Residents (CCPA / CPRA)

This section applies in addition to the clauses above if you are a California resident, pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").

18.1. Categories of Personal Information collected (Cal. Civ. Code §1798.140(v)): identifiers (account ID, email, IP address); customer records (name, phone); commercial information (purchase history); internet activity (browsing, interaction with content); geolocation (approximate, from IP); inferences (preferences); audio/visual (profile images, posted media). We do not knowingly collect biometric or precise geolocation data.

18.2. Sources: directly from you (registration, posts, settings), automatically via your device (logs, cookies), and from service providers (payment processors, analytics providers).

18.3. Business and commercial purposes: as described in Section 5 of this Policy, including providing the Service, security, fraud prevention, analytics, and product improvement.

18.4. Sale or sharing of Personal Information: We do not sell your Personal Information for monetary consideration, and we do not share it for cross-context behavioral advertising as defined under the CPRA. We do not knowingly sell or share the Personal Information of consumers under 16 years of age.

18.5. Sensitive Personal Information: We collect limited sensitive Personal Information (such as account login credentials) solely for the purposes permitted under §1798.121(a), namely to provide the Service and prevent fraud, and do not use it to infer characteristics about you.

18.6. Your California privacy rights: (a) Right to Know what Personal Information we collect, use, disclose, and sell/share; (b) Right to Delete your Personal Information, subject to exceptions; (c) Right to Correct inaccurate Personal Information; (d) Right to Opt-Out of the sale/sharing of Personal Information; (e) Right to Limit Use of Sensitive Personal Information; (f) Right to Non-Discrimination for exercising any of these rights.

18.7. How to exercise your rights: Send a verifiable consumer request to crom@crom.info with the subject "CCPA Request". We will verify your identity using information you provide and the data we already hold. We respond within 45 days, extendable once by an additional 45 days.

18.8. Authorized agents: You may designate an authorized agent to submit requests on your behalf, by providing the agent with written permission and verifying your own identity directly with us.

18.9. Shine the Light (Cal. Civ. Code §1798.83): California residents may request a list of third parties to which we disclosed Personal Information for those third parties' direct marketing purposes in the prior calendar year. Since we do not disclose Personal Information for third-party direct marketing, no such list exists.

18.10. "Do Not Sell or Share My Personal Information": Although we do not currently sell or share Personal Information, you may submit an opt-out request at crom@crom.info. We also honor valid Global Privacy Control (GPC) signals sent by your browser as a request to opt out.