GDPR Privacy Policy

Introduction

Zenken Corporation (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy (“Policy”) explains the personal data we collect, how we use it, who we share it with, and the rights you have under the European Union General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR).

This Policy applies to individuals in the European Economic Area (EEA) and the UK who interact with us. This includes people who visit our websites, use or enquire about our services (whether online or offline), engage in business with us, or whose personal data we process in connection with our websites, services, or business operations (“Services”).

As we are established outside the EEA and the UK, the EU GDPR and the UK GDPR may apply to our processing activities when we offer Services to individuals in those regions or monitor their behaviour.

This Policy applies only to our Services that are directed at, or made available to, individuals in the EEA or the UK. Our other business activities are subject to separate privacy policies.

Who Controls Your Personal Data

Zenken Corporation is the data controller responsible for your personal data.

Our Personal Information Complaints and Inquiries Desk serves as our privacy contact point and handles all matters relating to data protection.

If you have any questions about this Policy or wish to exercise your data protection rights, please contact us using the details below.

EU and UK Representatives

If you are located in the EEA or the UK, you can contact our designated representatives with any questions or requests about how we handle your personal data, either instead of or in addition to contacting us directly.

• EU Representative (Article 27 of the GDPR)

  Enobyte GmbH
  Address:Augustenstr. 49, 80333 Munich, Germany
  Email:eurep-zenken@enobyte.com

• UK Representative (Article 27 of the UK GDPR)

  Enobyte GmbH
  Address:c/o Regus HQ Bloomsbury 4/4a Bloomsbury Square, London, WC1A 2RP, United Kingdom
  Email:ukrep-zenken@enobyte.com

What Data We Collect

We collect the following categories of personal data when you use our Services. For detailed information on each data item, please refer to our Detailed Data Inventory.

1. Contact and Identity Information

   This includes basic personal details such as your name, preferred title, telephone number, postal or residential address, email address, date of birth, nationality, country of residence, and profile photograph.

2. Account and Login Information

   Information used to create or access your account, including account identifiers, and hashed passwords.

3. Service-Specific Information

   Depending on the Services you use, we collect different types of personal data, such as:

   • Japanese Language Education Services
     Educational background, Family, relative, or cohabiting-person information, course registration and enrolment information, Japanese language proficiency, learning progress and coursework. This includes information collected after your arrival in Japan in connection with your studies.
   • Talent-Matching Platform Services
     CV and résumé details, employment history, language proficiency, job preferences, professional certifications, and candidates’ application records, and recruitment outcomes.

4. Immigration and Residency Application Information

   For immigration or residency applications, we may process passport and visa details, residence card information, immigration history, and other documents required for these procedures.

5. Payment Information

   Tokenised credit card details, billing information, payment status, transaction history, and other payment-related data.

6. Website Usage, Analytics, and Marketing Data

   We automatically collect certain technical and usage information when you access our websites or online platforms, such as IP addresses, device and browser information, pages viewed, and access times.

   We also collect information about how you interact with our email communications (e.g. opens and clicks), as well as analytics data derived from our websites or online content, where permitted by law or where you have provided consent.

   Where applicable and subject to your consent, this may include data collected through online advertising technologies, such as Google Ads conversion tracking and remarketing, which allow us to measure advertising effectiveness and show relevant advertisements to users who have previously visited our websites.

   For further details, please see our Detailed Data Inventory and Cookie Policy.

7. Communication and Support Information

   Information you provide when communicating with us, including messages, enquiries, and consultation notes.

8. Social Media Interaction Data

   Information relating to your interactions with our official social media pages, such as usernames, comments, and engagement information.

9. Legal and Compliance Data

   Information required for identity verification, contractual documents, consent records, and records relating to disputes, investigations or regulatory matters.

10. Voluntary Provided Information

    Any additional information you choose to provide to us that is not covered by the categories above.

Special Category Data

We do not intentionally collect special category personal data as defined under Article 9 of the GDPR, such as data relating to race, health, religious or philosophical beliefs, sexual orientation, or biometric data used for identification purposes.

Where information that could be considered special category personal data is incidentally included in documents provided by applicants (for example, as part of official application materials), we process such data only to the extent necessary for the relevant application, in accordance with applicable law and appropriate safeguards.

How We Collect Personal Data

We collect personal data in different ways depending on how you use our Services. The main methods are described below. For details of the specific types of data we collect, please refer to our Detailed Data Inventory.

1. Information You Provide to Us Directly

   We collect the personal data that you choose to provide when you interact with us. This includes information submitted when you:

   • Complete enquiry or contact forms on our websites
   • Request information about our Japanese language education, talent-matching platform, or overseas marketing support services
   • Create an account or log in to our platforms
   • Submit admission applications for our Japanese language school
   • Submit documents for visa or immigration procedures
   • Submit attendance records, assignments, or coursework
   • Register for classes or consultation sessions
   • Register for our talent-matching platform
   • Respond to surveys, questionnaires, or feedback forms
   • Communicate with us by email, telephone, or online meetings

   Certain personal data is required for us to provide our Services. Where this is the case, the relevant forms will indicate which information is mandatory. If you choose not to provide such data, we may be unable to deliver the Services you have requested.

2. Information Collected Automatically

   When you visit our websites or use our Services, we automatically collect certain technical and usage information. This is carried out through tools such as cookies, server logs, and similar technologies used either by us or by trusted third-party providers who help us operate and improve our Services.

   These technologies involve storing or accessing information on your device. We use them only with your consent, unless they are strictly necessary to provide the Service you have requested.
   The types of information we collect include:

   • Details about your device and browser
   • Your IP address
   • Pages you view and actions you take on our websites
   • Dates, times, and duration of your visits
   • Referrer URLs (the website you visited before ours)

   For more details on the purposes of processing, our lawful bases, retention periods, and how to manage your preferences, please see our Detailed Data Inventory and Cookie Policy.

3. Information We Receive from Third Parties

   We may receive personal data about you from trusted third parties who support the provision, operation, or promotion of our Services.

   In particular, in connection with our Japanese language education services, we may receive personal data from advertising and recruitment agencies that assist with promotion and learner recruitment.

   For our other Services, we generally collect personal data directly from you.

   We may also receive personal data from the following third parties across our Services, where applicable:

   • Service providers that support our websites, IT systems, analytics tools, customer management platforms, or payment processing
   • Publicly available sources, registers, or databases, where permitted by law

   Where we receive your personal data from third-party sources, we process only the categories of personal data necessary for the purposes described in this Policy. These may include identification details, contact information, education or employment information, application documents, billing information, or other information relevant to the Services you use.

   These third parties share personal data with us only where permitted by applicable law. Where required, they will obtain your consent or other appropriate authorisation before sharing such data with us.

Lawful Basis We Rely On

Under the EU and UK GDPR, we must have a valid legal reason (“lawful basis”) before we process your personal data.

We rely on different lawful bases depending on how and why we process your information. For detailed information on the lawful basis applicable to each category of data, please refer to our Detailed Data Inventory.

1. Consent

   We rely on your consent when processing is not strictly necessary for the provision of our Services - for the use of optional analytics or other non-essential technologies. You may withdraw your consent at any time.

   This includes the use of advertising and marketing cookies, such as Google Ads conversion tracking and remarketing technologies, which are used only where you have provided your explicit consent.

2. Performance of a Contract

   We use this lawful basis where processing your personal data is necessary to provide the Services you have requested. This includes creating your account, delivering classes, arranging consultations, processing applications, or issuing invoices.

3. Legal Obligations

   In some circumstances, we must process your personal data to comply with legal requirements. Examples include immigration procedures, financial record-keeping obligations, and responding to lawful requests from authorities.

4. Legitimate Interests

   We process certain personal data because doing so helps us operate, protect, and improve our Services - for example, monitoring service performance, maintaining security, preventing misuse, or improving communication.

   Where we rely on this lawful basis, we always assess and balance our interests against your rights and freedoms.

5. Vital Interests

   In very rare situations, we may process personal data where it is necessary to protect someone’s life or physical safety.

6. Public Interest / Official Authority

   This lawful basis applies only where processing is carried out under a legal mandate or in the performance of a public task. We do not typically rely on this basis for our Services.

   Please see our Detailed Data Inventory for more information on our lawful basis.

International Data Transfers

In order to provide our Services, we transfer personal data to Japan and the United States.

1. Transfers to Japan

   Japan is recognised by the European Commission and the UK Secretary of State as providing an adequate level of protection for personal data within the meaning of Article 45 of the EU and UK GDPR. Accordingly, transfers of personal data from the EEA or the UK to Japan do not require additional safeguards.

2. Transfers to the United States

   Where we transfer personal data to service providers in the United States, we rely on one of the following safeguards:

   • EU–US Data Privacy Framework (DPF)
     We transfer personal data to U.S. service providers that participate in the DPF, which has been recognised by the European Commission as providing an adequate level of protection for participating organisations within the meaning of Article 45 of the EU GDPR.
   • Standard Contractual Clauses (SCCs)
     For U.S. service providers that do not participate in the DPF, we use the European Commission’s SCCs, supplemented by the UK International Data Transfer Addendum where the UK GDPR applies (Article 46(2)(c) of the GDPR).

   You may request a copy of the relevant safeguards, or obtain more information, by contacting us at: privacy@zenken.co.jp

   The European Commission’s SCCs are available at:
   https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

How Long We Keep Your Personal Data

We keep your personal data only for as long as necessary for the purposes described in this Policy. We apply retention rules to ensure that personal data is not kept in an identifiable form for longer than required.

Retention Periods by Purpose

1. Providing Our Services and Fulfilling Contracts

   Personal data relating to our talent-matching platform services is generally retained for up to seven (7) years after the completion of the relevant recruitment process, in order to comply with legal obligations and to protect our legal rights.

   Personal data relating to our Japanese language education services is generally retained for up to two (2) years after the completion of the relevant course or programme, unless a longer retention period is required by law or is otherwise justified.

   In other cases, personal data is retained until the relevant service or business relationship has ended, or until the data is no longer necessary for the purpose for which it was collected. Where appropriate, we may retain certain data for a limited period thereafter to comply with legal obligations or to protect our legal rights.

   Further details on retention periods applicable to specific categories of personal data are set out in our Detailed Data Inventory.

2. Meeting Our Legal Obligations

   Where personal data must be retained to comply with applicable laws (such as tax, accounting, or regulatory requirements), we retain such data for the full period required by law.

3. Website Usage, Analytics, and Other Consent-Based Processing

   Where we process personal data based on your consent (for example, analytics or marketing cookies), we retain such data until you withdraw your consent or until the relevant processing purpose has been fulfilled, whichever occurs first.

   Retention periods for specific web technologies and consent records vary depending on the tool or service used and are described in more detail in our Cookie Policy and Detailed Data Inventory.

Your Rights

If you are located in the EEA or the UK, you have several rights regarding your personal data under the EU and UK GDPR. For more detailed information, please see Your Rights under the EU and UK GDPR.

1. Right of Access

   You can ask us whether we process your personal data and request a copy of the data we hold about you.

2. Right to Rectification

   If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or update it.

3. Right to Erasure (“Right to be Forgotten”)

   You can ask us to delete your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected.

4. Right to Restrict Processing

   You can ask us to limit how we use your personal data in specific situations - for example, while we are reviewing an objection or accuracy challenge.

5. Right to Data Portability

   You can request the personal data you have provided to us in a structured, commonly used, and machine-readable format. You can also ask us to transfer this data directly to another organisation where technically feasible.

6. Right to Object

   You can object at any time to processing based on our legitimate interests. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your rights and freedoms.

7. Right to Object to Direct Marketing

   You can object at any time to the use of your personal data for direct marketing. If you do so, we will immediately stop sending you marketing communications.

8. Right to Withdraw Consent

   Where we rely on your consent to process your personal data, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.

   In particular, where we rely on your consent for the use of cookies or similar technologies (including advertising and marketing cookies such as Google Ads technologies), you can withdraw or change your consent at any time through the “Cookie settings”, which can be accessed via the icon displayed in the corner of our website.

   Further information about the cookies we use, their purposes, and applicable retention periods is available in our Cookie Policy, which is accessible at any time via the footer of our website.

9. How to Exercise Your Rights

   You can exercise any of these rights by contacting us at: privacy@zenken.co.jp
   We may need to verify your identity before responding. We normally respond within one month, in accordance with the EU and UK GDPR.

10. Right to Lodge a Complaint

    If you have concerns about how we handle your personal data, you can raise a complaint with your local Data Protection Authority.

    A list of EU supervisory authorities is available at:
    https://edpb.europa.eu/about-edpb/board/members_en

    UK residents may contact the Information Commissioner’s Office (ICO): https://ico.org.uk

Who We May Share Your Personal Data With

We do not sell or rent your personal data to any third parties. However, in the course of providing our Services, we may share your personal data with trusted recipients under strict confidentiality and data protection safeguards.

We share personal data only where it is lawful to do so and where it is necessary for the purposes described in this Policy.

1. Service Providers and Processors

   We may share your personal data with carefully selected third-party service providers who support our operations. These may include:

   • IT, website hosting, CRM systems, and cloud infrastructure providers (e.g., WordPress.com (U.S.), Cookiebot (Denmark), Amazon Web Services (U.S.))
   • Analytics and advertising partners who help us understand service usage and the effectiveness of our marketing, including tools for website analytics, conversion tracking, and remarketing (e.g., Google Analytics (U.S.), Microsoft Clarity (U.S.), and Google Ads (U.S.)). Advertising and marketing technologies are used only where you have provided consent.
   • Payment processors and accounting firms involved in invoicing and compliance (e.g., Flywire (U.S.))
   • Translation, educational, legal, and recruitment support providers who assist in service delivery
   • Customer support, email delivery, and communication tool providers

   These service providers process personal data only on our instructions and are bound by contractual obligations that meet the requirements of Article 28 of the GDPR.

2. Business Partners and Clients (Talent-matching Platform Services)

   For our talent-matching platform services, we may share limited candidate information (such as CV details, qualifications, and employment history) with client companies in technology-related fields for the purpose of introducing potential candidates.

   Our role is limited to providing an introduction. We do not act as an employment agency or recruitment intermediary and do not participate in or influence any recruitment, selection, or employment decisions.

   Once candidate information is shared, the relevant client company or partner organisation acts as an independent data controller and determines the purposes and means of processing for its own recruitment or employment-related activities.

   This processing is based on our legitimate interests (Article 6(1)(f) of the GDPR) and is limited to what is strictly necessary. You have the right to object to this processing at any time. Please see the “Your Rights” section of this Policy for further details.

3. Legal and Regulatory Requirements

   We may disclose personal data where necessary to comply with laws, regulations, court orders, or other legal processes. This also includes responding to lawful requests from public authorities, law-enforcement bodies, or regulatory agencies.

   When authorities request data for a specific investigation, they are generally not regarded as “recipients” under the EU and UK GDPR.

4. Establishing, Exercising, or Defending Legal Claims

   We may share personal data where required to establish, exercise, or defend legal claims on behalf of ourselves or a third party.

5. Protecting Rights and Interests

   We may disclose personal data where necessary to protect our rights, privacy, safety, or property, or those of our users, customers, or partners. This may include preventing fraud or reporting suspected criminal activity or threats to public safety to the relevant authorities.

   The processing activities described in “Establishing, Exercising, or Defending Legal Claims” and “Protecting Rights and Interests” are carried out on the basis of our legitimate interests.

   You have the right to object to these processing activities at any time where your objection is based on reasons relating to your particular circumstances. For more information, please see the “Your Rights” section of this Policy.

6. Business Transfers

   We may disclose or transfer your personal data as part of a business transaction, such as a merger, acquisition, reorganisation, or sale of assets. We rely on our legitimate interests (Article 6(1)(f) of the GDPR) to ensure the continuity and strategic management of our business. This type of processing is something you can reasonably expect based on your relationship with us.

   Where such a transfer occurs, we will ensure that the third-party recipient is contractually required to apply appropriate technical and organisational measures to protect your personal data, in accordance with this Policy and applicable data protection laws.

   Regarding international data transfers, we currently transfer personal data only to Japan and the United States. If we transfer personal data to additional countries in the future, we will ensure that appropriate safeguards are in place before doing so.

   Because this processing is based on legitimate interests, you have the right to object at any time on grounds relating to your particular circumstances. For more information, please refer to the “Your Rights” section of this Policy.

How We Protect Your Personal Data

We implement a range of technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration, or disclosure. These measures include, among others:

• Access controls and authentication
• Encryption of data in transit (e.g., HTTPS, VPN)
• Anti-virus protection and firewalls
• System and access logging
• Regular backups and secure system management
• Restricting access to personal data on a need-to-know basis
• Staff training on data protection and confidentiality

We also require our service providers to maintain appropriate security measures in accordance with Article 32 of the GDPR. While no method of transmission or storage is entirely secure, we continually review and improve our security practices to maintain a high level of protection.

In the event of a personal data breach, we have procedures in place to assess the risk to individuals and to notify the relevant supervisory authorities and affected individuals where required, in accordance with Articles 33 and 34 of the GDPR.

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, we assess whether a Data Protection Impact Assessment (DPIA) is required and carry out such an assessment where applicable, in accordance with Article 35 of the GDPR.

If you have any questions about how we protect your personal data, please contact us at:

Social Media Use and Joint Controllership

We operate official pages on social media platforms such as Facebook, Instagram, X (formerly Twitter), and YouTube for informational and promotional purposes.

When you view or interact with our social media pages (for example, by viewing posts, liking content, or posting comments), personal data such as your username, profile information, and interaction content may be processed.

In relation to the operation of our social media pages, we and the relevant platform providers may act as joint controllers within the meaning of Article 26 of the GDPR, in particular with respect to aggregated usage statistics (such as page or post insights) provided by the platforms.

The relevant platform providers are primarily responsible for processing personal data through their platforms, including the use of cookies and analytics tools, in accordance with their own privacy policies. We are responsible for managing our social media presence and responding to publicly visible comments.

The essential elements of any joint controllership arrangements are made available by the relevant platform providers through their own privacy notices or information pages.

You may exercise your data protection rights by contacting either us or the relevant platform provider. Requests relating to data processed by the platform provider should generally be directed to that provider.

Children’s Data

Our Services are intended for adults and are not aimed at children under the age of 16 in line with the requirements of the EU and UK GDPR.

We do not knowingly collect or process personal data from children under the age of 16, and if we become aware that such data has been collected without appropriate consent, we will delete it promptly.

Links to Other Websites

Our websites may contain links to third-party websites, social media platforms, or external services. Please be aware that we are not responsible for the privacy practices or content of these external websites.

We encourage you to review the privacy notices of any external website you visit before providing your personal data.

Automated Decision-Making and Profiling

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you, as defined under Article 22 of the GDPR.

However, we may engage in limited forms of profiling for advertising and marketing purposes, such as showing advertisements to users who have previously visited our websites through tools like Google Ads remarketing. This profiling may involve, for example, the use of information about pages visited on our websites or cookie identifiers or similar online identifiers. This profiling does not produce legal effects concerning you or similarly significantly affect you.

If we ever introduce automated decision-making that produces legal effects concerning you or similarly significantly affects you, we will inform you in advance and explain:

• The purpose of the processing,
• The underlying logic involved, and
• The potential consequences for you,

as required by the EU and UK GDPR.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business operations, legal requirements, or data protection practices.

When we make substantive or material changes (for example, changes to processing purposes, new categories of recipients, or updates to your data subject rights), we will notify you in advance through a prominent notice such as pop-up notification. The “Last Updated” date at the top of this Policy will always show when the latest changes were made.

If we intend to process your personal data for a purpose other than the one for which it was originally collected, we will provide you with information about that new purpose and any relevant additional information before carrying out that further processing, as required by the EU and UK GDPR.