＜Business operator＞

TERRADA ART ASSIST Co., Ltd.

＜Name of business operator representative＞

Daisuke Tanaka

＜Business operator address＞

2-6-10 Higashi-Shinagawa, Shinagawa-ku, Tokyo 140-0002

＜Name or title, department, and contact of personal information manager＞

Chief Privacy Officer: Yoshiaki Kimura
Address: 2-6-10 Higashi-Shinagawa, Shinagawa-ku, Tokyo 140-0002
Tel: +81(0)3-6433-3120
E-mail：privacy_policy@terrada-art-assist.co.jp

1. Personal Information Acquisition and Use

We acquire and use personal information within the scope necessary for business purposes and by legitimate, fair means.(Excluding individual numbers and specific personal information in section 7 below.)

2. Use Purposes of Personal Information

We use the personal information acquired from insurance companies in the course of insurance solicitation business entrusted to us by the insurance companies within the scope necessary to perform the relevant services (see section 7 below for individual numbers and specific personal information).
We conduct business with several insurance companies, and may use the acquired personal information to propose products and services of insurance companies with which we do business.
The specific purposes of our use of personal information are listed below; we do not use personal information for any other purposes.
If personal information required to achieve these use purposes is not provided, it may not be possible to properly provide the relevant services, and the use purposes may not be achieved.

Provision of non-life insurance, life insurance, and incidental and related services that we handle

Changes made to the use purposes listed above will be made within a scope that is reasonably deemed appropriately relevant to the above. If changes are made, we will announce the content of said changes to the individuals concerned, generally by written notice (including electronic or magnetic records; the same applies hereinafter) or by posting the information on our company website (https://www.terrada- art-assist.co.jp/), etc.
The use purposes of insurance companies to which we outsource insurance services are listed on the respective insurance companies’ websites (see below).

＜Non-life insurance companies＞

Mitsui Sumitomo Insurance Co., Ltd. (https://www.ms-ins.com)

Tokio Marine & Nichido Fire Insurance Co., Ltd. (https://www.tokiomarine-nichido.co.jp)

AIG General Insurance Company, Ltd. (https://www.aig.co.jp/sonpo)

＜Life insurance companies＞

Mitsui Sumitomo Aioi Life Insurance Co., Ltd. (https://www.msa-life.co.jp)

3. Security Control Measures for Personal Data

We take adequate security control measures to prevent leakage, loss or damage to the personal information we handle (including personal information and specific personal information in section 7 below) as well as preparing and implementing rules for secure management of personal data. In addition, we take appropriate measures to ensure such rules are kept accurate and up to date as required in order to achieve the use purposes of personal data, and promptly take appropriate corrective measures in the unlikely event of a problem.
We have separately established internal rules regarding security control measures for personal data, the specific details of which are primarily as follows. For inquiries regarding security control measures, please contact the complaints and consultation counter listed in section 11 below.

1. Establishment of basic policies
   In order to ensure appropriate handling of personal data, we have formulated basic policies for “Compliance with Relevant Laws, Regulations, Guidelines, Etc.,” “Matters Related to Security Control Measures,” and “Points of Contact for Inquiry and Complaint Processing,” which we will review as necessary.
2. Establishment of rules for secure management of personal data
   We have established rules for handling methods, responsible personnel, personnel in charge and relevant duties, etc., related to each stage of handling personal data, including acquisition, use, storage, provision, deletion and disposal, which we will review as necessary.
3. Organizational security control measures
   
   • Establish personnel responsible for personal data management
   • Establish security control measures in rules of employment, etc.
   • Operate in accordance with the rules for secure management of personal data
   • Establish steps for confirming the handling status of personal data
   • Establish and implement systems for inspecting and auditing the handling status of personal data
   • Establish systems for responding to incidents such as leakage
4. Personal security control measures
   
   • Conclude personal data nondisclosure agreements with employees
   • Clarify the roles and responsibilities of employees
   • Thorough dissemination, education and training on security control measures for employees
   • Check employee compliance with management procedures for personal data
5. Physical security control measures
   
   • Manage areas in which personal data is handled
   • Prevent theft of devices and electronic media, etc.
   • Prevent leakage when carrying electronic media, etc.
   • Delete personal data and dispose of devices, electronic media, etc.
6. Technical security control measures
   
   • Identify and certify users of personal data
   • Establish management categories for personal data and control access thereto
   • Manage access rights to personal data
   • Take measures to prevent leakage and damage to personal data
   • Record and analyze access to personal data
   • Record and analyze operational status of information systems that handle personal data
   • Monitor and audit information systems that handle personal data
7. Supervision of entrusted parties
   When entrusting the handling of personal data, we select persons who properly handle personal data, and to ensure that security control measures are implemented by the entrusted parties, we have established and regularly review rules for handling outsourcing of personal data.
8. Understanding external environments
   We have implemented security control measures based on good understanding of the systems related to protection of personal information in countries that handle personal data.

4. Provision of Personal Data to Third Parties and Receipt from Third Parties

1. We do not provide personal data to third parties without the principal’s prior consent except in the following cases (see section 7 below for individual numbers and specific personal information).
   1. When provided under applicable laws and ordinances;
   2. When required for the protection of human life, body or property, and it is difficult to obtain a principal’s consent;
   3. When particularly required for the improvement of public health or the promotion of the sound development of children, and it is difficult to obtain a principal’s consent;
   4. When required to furnish cooperation for the performance of duties, as set forth in applicable laws and ordinances, by central government institutions, local governments, or parties commissioned by them, and there is a possibility that obtaining a principal’s consent would interfere with the performance of the said duties;
   5. When a third party is an academic research institution, etc., and it is necessary for the third party to handle personal data for academic research purposes (including cases where part of the purpose of handling said personal information is for academic research purposes, but excluding cases where there is a risk of unreasonable infringement on the rights and interests of the data subjects).
2. When we provide personal data to a third party or acquire personal data from a third party (including when personally referable information is acquired as personal data), we record and store the names of the recipients and providers, and other matters prescribed by law, in addition to confirming the provision and acquisition background, etc.

5. Providing Personally Referable Information to Third Parties

1. When it is anticipated that a third party will acquire personally referable information as personal data, we shall not provide said information without first confirming that the third party concerned has acquired the consent of the principals concerned to acquire said information, except in cases stipulated by law.
2. When we provide personally referable information to a third party based on the confirmation of the preceding paragraph, we confirm and record matters concerning such provision (when, to whom and what kind of personally referable information was provided, how did the third party obtain the consent of the principals, etc.), except in cases stipulated by law.

6. Handling of Sensitive Information

In principle, we do not acquire, use or provide special care-required personal information (concerning race, creed, social status, medical history, previous conviction/disposition, criminal victimization, etc.) or sensitive information (personal information concerning the membership of labor unions, family origin, registered domicile, medical or health care records, or sexual activities) to third parties, except in the following cases.

1. When required under applicable laws and ordinances, etc.;
2. When required for the protection of human life, body or property;
3. When particularly required for the improvement of public health or the promotion of the sound development of children;
4. When required to furnish cooperation for the performance of duties, as set forth in applicable laws and ordinances, by central government institutions, local governments, or parties commissioned by them;
5. When acquisition, use and provision to third parties of sensitive information on employee affiliation with or membership in political and religious groups or labor unions within the scope required for receipts of insurance premium affairs, etc.;
6. When acquiring, using and providing sensitive information to third parties only as necessary for the administration of insurance money payments in conjunction with inheritance procedures, etc.;
7. When acquisition, use and provision to third parties of sensitive information is necessary for the appropriate operations of insurance services within the scope required for said operations and with the consent of the principal.

7. Handling of Individual Numbers and Specific Personal Information

We do not acquire or use individual numbers and specific personal information for any purpose other than those explicitly and restrictively enumerated by law. We do not provide individual numbers or specific personal information to third parties except in circumstances explicitly and restrictively enumerated in the My Number Act.

8. Handling of Pseudonymously Processed Information

1. Creation of pseudonymously processed information
   When creating pseudonymously processed information (information relating to an individual that can be obtained from processing personal information, by taking measures stipulated in laws and regulations so as to make it impossible to identify a specific individual), we observe the following requirements:
   • Information shall be processed appropriately in accordance with standards stipulated in laws and regulations.
   • Security control measures shall be taken in accordance with standards stipulated in laws and regulations so as to prevent leakage of deleted information and information relating to processing methods.
2. Purpose of use of pseudonymously processed information
   If we have made a change to the purpose of use of pseudonymously processed information, we will define, to the extent possible, the purpose of use after such change and publish the same while specifying that it relates to the pseudonymously processed information concerned.

9. Acquisition, Use and Provision of Information Linked to Identifiers Such as Cookies

A cookie is information in text format that is sent from a website and stored in the web browser when the website is viewed. A web beacon is a mechanism that transmits information when a customer, etc. views a page or email by embedding a small image in a web page or email. This website uses cookies, web beacons, or similar technologies (hereinafter referred to as “Cookies, etc.”) to store and use customer information.
We use Google Analytics, provided by Google Inc., as a service for statistically collecting and analyzing identifiers stored in Cookies, etc. See the website below for more information about collection and handling of data with Google Analytics cookies and the privacy policies of the Google services.
You can also opt out of Google Analytics cookies by installing the Google Analytics Opt-out Browser Add-on.

10. Disclosure, Correction and Suspension of Use, etc. of Retained Personal Data under the Personal Information Protection Act

Requests under the Personal Information Protection Act for the disclosure (including disclosure of confirmation and records), correction, or suspension of the use, etc. (notice or disclosure of use purposes, revisions, additions and deletions of content, suspension of use, erasure, or suspension of provision to third parties) of retained personal data (including personal information and specific personal information in section 7 above) will be directed to the insurance company that owns the data. Personal information obtained for this purpose shall be handled only within the scope necessary for complying with requests for disclosure, etc. (notice or disclosure of use purposes, revisions, additions and deletions of content, suspension of use, erasure, or suspension of provision to third parties).

11. Inquiries

Inquiries can be directed to the complaints and consultation counter listed below. Inquiries regarding insurance accidents can also be directed to the accident consultation service counter of the insurance company specified in your insurance policy, in addition to the complaints and consultation counter listed below. We will respond to your inquiries after confirming that the inquirer is the insured or policyholder of the inquired policy.

＜Agency name＞

TERRADA ART ASSIST Co., Ltd.

＜Agency address＞

A-1-2F Tokyodanchisoko Heiwajimasoko, 3-6-1 Heiwajima, Ota-ku, Tokyo 143-0006

＜Business operator＞

TERRADA ART ASSIST Co., Ltd.

＜Name of business operator representative＞

Daisuke Tanaka

＜Business operator address＞

2-6-10 Higashi-Shinagawa, Shinagawa-ku, Tokyo 140-0002

＜Name or title, department, and contact of personal information manager＞

Chief Privacy Officer: Yoshiaki Kimura
Address: 2-6-10 Higashi-Shinagawa, Shinagawa-ku, Tokyo 140-0002
Tel: +81(0)3-6450-0917
Hours: 10:00 AM – 5:30 PM, excluding weekends, public holidays and the New Year period
E-mail：privacy_policy@terrada-art-assist.co.jp

＜Counter for complaints and consultations (inquiries) related to the handling of retained personal data (questions regarding security control measures and complaint processing)＞

TERRADA ART ASSIST Co., Ltd. Personal Information Complaints and Consultation Counter
E-mail：privacy_policy@terrada-art-assist.co.jp
Hours: 11:00 AM – 3:00 PM, excluding weekends, public holidays and the New Year period
※ If you do not wish to receive information about new products or services from us via email or direct mail, please contact us at the above.