EEA and UK Resident’s Rights

1. GDPR privacy statement

The protection of your personal data is of great importance to MEDIROM MOTHER Labs Inc. (“Company,” “We,” “us,” “our”). We process the personal data of customers, including candidates, the visitors to our website and the contact persons of our client companies in the UK or the European Economic Area (“EEA”), to whom those regulations apply (referred to as “you” throughout this privacy policy) in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and the GDPR incorporated into UK law by the European Union (Withdrawal) Act 2018 (the “UK GDPR”; the GDPR and UK GDPR are collectively the “GDPR”).

This Privacy policy will be read and construed in conjunction with the other provisions of our privacy policy. For purposes of this subsection, the terms used herein which are defined under the GDPR will have the same meaning ascribed to them under the GDPR.

2. Controller

The Company is the controller of the processing of your personal data. Its contact details are as follows.

MEDIROM MOTHER Labs Inc.

16F Tradepia Odaiba, 2-3-1 Daiba, Minato-ku, Tokyo 135-0091

E-mail: privacy.mml@medirom.co.jp

3. Purposes and legal basis of processing

We process your personal data for the purposes and on the legal bases described below.

Legitimate interests:

We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms (“legitimate interests”).

  • To make a positive contribution to people’s health.
  • To enhance and improve diet and/or exercise habits.
  • To help people have a comfortable sleeping lifestyle.
  • To provide, update, maintain and protect our products, services, websites and business.
  • To develop and provide search, learning and productivity tools and additional features.
  • To investigate and help prevent security issues and abuse.
  • To aggregate or de-identify information.
  • To share information with others including law enforcement and to respond to legal requests.
Compliance with legal obligations:

We obtain and process your personal data when we comply with a legal obligation, including to access, preserve or disclose certain information if there is a valid legal request from a regulator, law enforcement, or others. For example:

  • To prevent fraud
  • To ensure public safety
  • To enforce our rights and those of others

Necessary for the performance of a contract:

We obtain and process your personal data for the following purposes because it is necessary to do so in order to perform our contractual obligations to provide services to you.

  • To establish your online account
  • To validate your access to our website, services or products
  • To process your online purchase orders
  • To provide customer services
  • To send you administrative or transactional communications

Consent:

We obtain and process your personal data for the following purposes if we have obtained your express consent in advance.

  • To place cookies or similar technologies on your device.

You have the right to withdraw your consent at any time in the manner communicated to you by us when seeking your consent. Your withdrawal of consent will not affect the legality of processing conducted based on your consent before its withdrawal.

4. Personal data to be collected

We may collect and process the following types of personal data about you for the purposes described in “Purposes and legal basis of processing.”

(1) Name

(2) Username and password

(3) Telephone number

(4) Email address

(5) IP address, browser and OS information, cookie information, website access history

(6) Gender, height, weight

(7) Heart rate

(8) Sleep (score, length, depth/shallowness, efficiency, regularity)

(9) Number of steps taken

(10) Activity (time, frequency, calories burned)

(11) Body surface temperature

(12) Contents of inquiries made on our websites

5. Disclosure to third parties

We may disclose your personal data to the following recipients or categories of recipients, for them to use the data on their own behalf and under their own control, to the extent necessary for the purpose of processing:

  • Our parent company, MEDIROM Healthcare Technologies Inc. (“MEDIROM Group”)
  • Our affiliates within MEDIROM Group
  • Other related healthcare companies
  • Accountants, lawyers and other professional advisers
  • Providers of services related to our service, including Internet providers, data storage, maintenance and payment services

6. Transfer to third countries outside the EEA and UK

Your personal data may be transferred to third countries outside the European Economic Area and the UK, with or without an adequacy decision by the European Commission. In the case of any transfer of personal data to a country that does not have an adequate level of data protection in light of the standards under the GDPR, we will ensure that such transfer is made under the Standard Contractual Clauses adopted in accordance with the GDPR.

7. Retention period of personal data

We will retain your personal data for as long as necessary to fulfill the purposes for which we obtain and process it. Specific retention periods are decided based on the following considerations: the purpose for obtaining and processing the personal data; the nature of the personal data; and the necessity of retaining the personal data for legal or business reasons.

8. Your rights

You have the following rights regarding personal data obtained and processed by us.

  • Information regarding your data processing: You have the right to obtain from us all the requisite information regarding our data processing activities that concern you.
  • Access to personal data: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and certain related information.
  • Rectification or erasure of personal data: You have the right to obtain from us the rectification of inaccurate personal data concerning you without undue delay, and to have incomplete personal data completed. You also have the right to obtain from us the erasure of personal data concerning you without undue delay, when certain legal conditions apply.
  • Restriction on processing of personal data: You have the right to obtain from us the restriction of processing of your personal data, when certain legal conditions apply.
  • Objection to processing of personal data: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, when certain legal conditions apply.
  • Data portability of personal data: You have the right to receive your personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from us, when certain conditions apply.
  • Not to be subject to automated decision-making: You have the right not to be subject to automated decision-making (including profiling) based on the processing of your personal data, insofar as this produces legal or similarly significant effects on you, when certain conditions apply.

9. Biometric data and health-related data

The GDPR defines certain personal data as “special categories of personal data,” such as biometric data processed for the purpose of uniquely identifying a person, or data concerning your health (“health-related data”).

“Biometric data” includes a retina or iris scan, fingerprint, voiceprint, scan of hand or face geometry, or other physiological traits. “Health-related data” means personal data related to the physical or mental health of a natural person.

We will not collect your biometric data or health-related data without asking for your express consent in advance. If you decide to share your biometric data or health-related data, we will process it solely to perform the specific services you have requested and to improve the performance and/or accuracy of those services.

10. Lodging a complaint with a supervisory authority

You have the right to lodge a complaint about the processing of your personal data with the data protection authority having jurisdiction over your place of residence.

(1) EEA residents: Please contact your national supervisory authority, details of which can be found on the European Data Protection Board’s website (https://edpb.europa.eu/about-edpb/board/members_en).

(2) UK residents: Please contact the Information Commissioner’s Office (https://ico.org.uk/). However, we would appreciate your notifying us before contacting your supervisory authority, so that we may have the opportunity to respond to your complaint.

11. No obligation to provide your personal data

You have no obligation to provide your personal data to us, either under applicable law or under a contract. Once you place an order for our services or goods, we may require your personal data based on the contract with you, in which case your failure to provide the personal data we require may prevent us from providing you with the services or goods you purchase.

12. Sources of personal data

We obtain your personal data directly from you (with respect to both online and offline interactions you may have with us or our service providers, including from the devices you use to access our websites, mobile applications and online services) or indirectly through third parties such as those stated below.

  • Third parties, including third parties to which you have previously provided your information, such as Internet browsers and social media (e.g., Facebook, Instagram, or X (previously “Twitter”))

13. Automated decision-making and profiling

We do not process your personal data by means of automated decision-making or profiling.