Privacy Notice regarding Sanrio Digital ID
1. About This Notice
This notice provides information regarding the processing of your personal data.
It explains the legal basis on which we process personal data that you provide to us or that we obtain from other sources.
Please read this notice carefully and ensure that you fully understand its contents.
2. About Us
For the purposes of data protection laws, Sanrio Company, Ltd. (“we,” “us,” or “our”) is the controller of your personal data.
We are committed to respecting your privacy and protecting your personal information.
Our contact details are as follows:
Head Office: 1-11-1 Osaki, Shinagawa-ku, Tokyo 141-8603, Japan
Telephone: +81-3-3779-8163
3. Definitions
For the purposes of this notice:
(a) “Personal Data” means any data or information relating to you that can identify you directly or indirectly, as well as any other data or information defined as “personal data,” “personal information,” or similar terms under applicable data protection laws.
Personal data includes your contact details, other identifying information, and photographs.
(b) “Processing” means any operation or activity performed on your personal data, such as collection, storage, use, transfer, or deletion.
4. How We Collect Personal Data and What We Collect
We may process personal data about you that we collect through forms or other input fields on our websites.
Such personal data generally includes your email address, account details, login information, password, language settings, region, and your access history on services linked with the Sanrio Digital ID.
When you browse our website, we may automatically collect, store, and use technical information about your device and your interaction with our website, including cookies and browsing history.
For more information on our use of cookies and how to disable them, please refer to our Cookie Policy.
5. Purpose and Legal Basis for Processing Personal Data
We use the personal data we hold about you for the following purposes:
To provide the Sanrio Digital ID service.
To improve the quality of our services.
To analyze user interests and access history, and to send direct marketing materials relating to our services based on such analysis.
To manage and integrate information collected from you.
To respond to your inquiries, requests, and other communications.
To manage or transfer assets or liabilities (e.g., in cases of acquisition, disposal, or merger).
To protect our company, our customers, and third parties from fraud or negligence, and to safeguard our business interests.
To submit applications, reports, or notifications to governmental or public authorities and other third parties as required or deemed necessary by applicable laws.
The legal bases for processing your personal data are as follows:
When we have obtained your consent, pursuant to Article 6(1)(a) of the GDPR.
When the processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into such a contract, pursuant to Article 6(1)(b) of the GDPR.
When the processing is necessary for compliance with a legal obligation, pursuant to Article 6(1)(c) of the GDPR.
When the processing is necessary for the purposes of legitimate interests pursued by us or a third party, pursuant to Article 6(1)(f) of the GDPR.
We do not process “sensitive data” (such as data revealing racial or ethnic origin, religion, physical or mental health, political opinions, sexual life, actual or alleged criminal offenses, or genetic or biometric data).
6. Disclosure of Personal Data to Recipients
We may share your personal data in the following circumstances:
(a) Internal use: With employees of our company who have the authority and a legitimate need to access the data.
(b) Service providers: With third-party service providers that perform certain services for us, such as IT services.
(c) Legal procedures and security: We may disclose personal data to legal or governmental authorities as required by law.
We may also disclose your data to third parties when necessary to protect the health and safety of you or others, to enforce our legal rights, or to comply with applicable laws in connection with claims, disputes, or legal proceedings.
(d) Business transfers: Your personal data may be disclosed or transferred as part of business transactions such as mergers, acquisitions, corporate reorganizations, divestitures, joint ventures, financing, or the sale of company assets.
Personal data may also be disclosed in cases of insolvency, bankruptcy, or receivership.
We may jointly use your personal data within the Sanrio Group, in accordance with the Act on the Protection of Personal Information of Japan (Act No. 57 of 2003), as follows:
Shared entities:
Sanrio Company, Ltd. / Sanrio Entertainment Co., Ltd. / Sanrio Enterprise Co., Ltd. / Kokoro Co., Ltd. / Sanrio Music Publishing Co., Ltd.-
Purpose of joint use:
To provide the Sanrio Digital ID service.
To send direct marketing materials.
To respond to customer inquiries and requests.
To manage or transfer assets or liabilities (e.g., in the event of acquisition, disposal, or merger).
To protect our company, customers, and third parties from fraud and negligence and safeguard our business interests.
To comply with legal obligations and submit required filings or reports.
Personal data subject to joint use:
Region, email address, account information, login details, password, language settings, and access history within services linked to the Sanrio Digital ID.Entity responsible for data management:
Please refer to our corporate website for our address and representative details.
We may also provide your personal data to the following types of third parties:
Affiliated companies: Other entities within the Sanrio Group.
Employees: Those who are authorized and require access to fulfill their duties.
Service providers: Including IT service providers (such as data servers, cloud, AI, and digital wallet providers), data analytics services, and advertising or email distribution providers.
Linked services: Operators of services connected to the Sanrio Digital ID.
7. Transfer of Personal Data Outside the EEA and the UK
Personal data of data subjects residing within the EEA and/or the UK may be transferred to and stored by third parties located outside these regions.
When transferring such personal data outside the EEA and/or the UK, we ensure that:
(a) The destination country has been recognized by the European Commission or the UK Government as providing an adequate level of data protection; or
(b) The recipient has entered into Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Government with us.
You may contact us (using the contact details provided in Section 2) to obtain further information about the safeguards applied to such transfers, including copies of the SCCs or binding corporate rules, where applicable.
8. Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, except where a longer retention period is required by law.
Cookie retention periods are described in our Cookie Policy.
Specific retention periods for personal data collected for the Charaforio service are as follows (unless extended by legal requirements):
Account registration data (email address, login details, password, region, language settings): up to 2 years after withdrawal from the Sanrio Digital ID service.
Access history in services linked to Sanrio Digital ID: up to 2 years after withdrawal.
Pseudonymized data stored for analytics purposes: up to less than 6 years after withdrawal.
9. Your Rights
You have several legal rights concerning your personal data, which may vary depending on your location and applicable data protection laws. Typically, these include:
The right to obtain information about the processing of your personal data and access to it.
The right to request correction of inaccurate or incomplete data.
The right to request deletion of your data in certain circumstances (e.g., when data is no longer needed, when you withdraw consent, or when processing is unlawful).
The right to request restriction of processing in specific situations (e.g., when accuracy is contested or processing is unlawful).
The right to object to the processing of your personal data.
The right to data portability, where applicable, allowing you to receive your data in a structured, commonly used, and machine-readable format.
The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
You may exercise these rights by contacting us (see Section 2) or our EU/UK representatives below.
If you believe your rights have been violated, you also have the right to lodge a complaint with a supervisory authority.
EU Representative:
Name: DataRep
Email: datarequest@datarep.com
Web form: www.datarep.com/data-request
UK Representative:
Name: DataRep
Email: datarequest@datarep.com
Web form: www.datarep.com/data-request
California Residents (CCPA Supplement)
Last Updated: August 7, 2024
If you are a “consumer” as defined under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, “CCPA”), this supplement applies to you.
1. Collection, Use, and Disclosure of Personal Data
A. Categories, Sources, and Purposes
The types of personal data we have collected during the past 12 months include:
Identifiers: Email address, cookies, etc.
Other information: Language settings, browsing and network activity data.
Location data: Region, etc.
Sensitive personal information: Account credentials, passwords, and login details.
We collect these categories for the business and commercial purposes described in Section 5 of this notice.
Sources include:
Directly from you.
Automatically from your activity on our website and linked Sanrio Digital ID services.
Retention periods are as stated in Section 8 of this notice.
B. Disclosure of Personal Data
(1) Sharing for Cross-Context Behavioral Advertising
We may share personal data with third parties for cross-context behavioral advertising purposes.
The table below outlines the types of data shared and the third parties involved within the past 12 months:
| Type of Personal Data | Third Parties Shared With |
|---|---|
| Identifiers | Advertising networks |
| Internet or network activity | Advertising networks |
(2) Disclosure for Business Purposes
We may disclose personal data for business purposes to the following categories of third parties:
| Type of Personal Data | Third Parties Shared With |
|---|---|
| Identifiers | Service providers (e.g., server or platform management providers) |
| Internet or network activity | Service providers (same as above) |
| Location data | Service providers |
| Sensitive personal information | Service providers |
2. Your Rights and Requests (CCPA)
As a California consumer, you have the following rights regarding your personal data:
Access: Request disclosure of specific information collected, used, or shared in the past 12 months (twice per year).
Deletion: Request that we delete personal data collected from you.
Correction: Request correction of inaccurate personal data.
Opt-Out: Opt out of sharing your personal data for cross-context behavioral advertising.
To submit a request, please contact us via one of the following methods:
Call: +1-(202) 804-2960
Submit a Data Subject Access Request Form (online form)
Mail: 1-11-1 Osaki, Shinagawa-ku, Tokyo 141-8603, Japan
You can also contact us through the same form to stop the sharing of your personal data.
We honor Global Privacy Control (GPC) signals as an opt-out mechanism for cross-context behavioral advertising.
If you use GPC, your browser will be recognized as opted-out when visiting our website.
For more information about setting up GPC, please visit https://globalprivacycontrol.org/.
To protect your privacy and security, we verify your identity before responding to requests.
If you authorize an agent to submit a request on your behalf, we may require proof of authorization.
We will not discriminate against you for exercising your CCPA rights.
We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA.
3. Changes to This Supplement
We may revise this supplement from time to time.
The “Last Updated” date at the top of this page indicates the most recent revision.
Revisions become effective upon posting.
We encourage you to bookmark this page and review it periodically to stay informed.
4. Contact Us
If you have any questions or concerns about this supplement or our privacy practices, please contact us at:
+1-(202) 804-2960 or sanrio-kojinhogo@sanrio.co.jp