Privacy Policy

1 Introduction and Scope

Marsh Harbor Deck Co., Ltd. ("Marsh Harbor Deck," "we," "us," or "our") is a technology company incorporated under the laws of Japan, with its principal place of business at 6-10-11 Jingumae, Shibuya-ku, Tokyo 150-0001, Japan. We operate an AI companionship platform accessible at marshharbordeck.com and through our mobile and desktop applications (collectively, the "Service").

This Privacy Policy applies to all users of the Service, regardless of their country of residence. It governs the collection, use, processing, storage, and transfer of personal information we receive from you when you visit our website, create an account, subscribe to a plan, interact with our AI companions, or communicate with our support team.

By using our Service, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein. If you do not agree with any aspect of this Policy, please discontinue use of the Service and contact us at hello@marshharbordeck.com to request deletion of any data we hold about you.

This Policy should be read in conjunction with our Terms of Service, which govern your use of the Service generally. In the event of any conflict between this Policy and the Terms of Service with respect to data privacy, this Policy shall prevail.

2 Information We Collect

We collect several categories of information in connection with your use of the Service. We collect only the information that is necessary to provide, maintain, improve, and secure the Service.

2.1 Personal Information You Provide

• Account registration data: When you create an account, we collect your name, email address, and a hashed version of your password. We never store passwords in plaintext.
• Payment information: When you subscribe to a paid plan, billing information (credit card number, billing address) is collected and processed by our PCI DSS-compliant payment processor, Stripe Inc. Marsh Harbor Deck does not store your full credit card number on our servers.
• Profile information: Any optional information you choose to provide when setting up your profile, such as a display name, avatar, language preference, or age (used solely for age verification and content appropriateness).
• Communications: Records of your correspondence with our customer support team, including email content, support ticket text, and any attachments you provide.

2.2 Conversation and Interaction Data

• Conversation content: Text messages, voice recordings (where applicable), and any media you share during sessions with AI companions. This data is encrypted end-to-end and stored under your account.
• Memory data: Information extracted by our memory systems from your conversations, including preferences, biographical details you share, recurring topics, and relationship context with specific AI characters. This data is stored separately and is directly viewable and deletable by you at any time.
• Interaction metadata: Timestamps of sessions, duration of conversations, characters interacted with, and in-app actions (feature usage, settings changes).

2.3 Usage and Device Data

• Technical data: IP address (truncated to anonymize the last octet), browser type and version, operating system, device type, screen resolution, and referring URL.
• Usage analytics: Pages visited, features used, session duration, error logs, and performance metrics. This data is aggregated and used to improve the Service.
• Cookies and similar technologies: Session cookies, persistent cookies, and local storage items. See Section 6 for full details.

3 How We Use Your Information

We use the information we collect for the following purposes, each of which has a corresponding lawful basis under applicable data protection law:

• Service delivery (Contract): To create and maintain your account, authenticate you, process payments, and provide you with access to the AI companion features you have subscribed to.
• Memory and personalization (Contract + Consent): To power our persistent memory system, enabling AI companions to remember prior conversations, adapt to your preferences, and provide increasingly personalized interactions over time.
• Service improvement (Legitimate Interest): To analyze aggregate, anonymized usage data to identify bugs, improve performance, prioritize feature development, and enhance the overall user experience. We do not use individual conversation content for model training without your explicit opt-in consent.
• Safety and security (Legitimate Interest / Legal Obligation): To detect and prevent fraud, abuse, unauthorized access, and violations of our Terms of Service. To respond to legal requests from competent authorities where required by law.
• Communications (Consent / Contract): To send you transactional emails (account confirmations, password resets, billing receipts) and, where you have opted in, to send you our newsletter and product updates. You may unsubscribe from marketing communications at any time.
• Customer support (Contract): To respond to your questions, resolve disputes, and provide technical assistance.
• Legal compliance (Legal Obligation): To comply with applicable laws, regulations, and court orders, including Japanese law, GDPR, and CCPA.

4 Data Storage and Security

The security of your personal information is of paramount importance to Marsh Harbor Deck. We implement industry-leading technical and organizational measures to protect your data against unauthorized access, disclosure, alteration, and destruction.

4.1 Encryption Standards

All data transmitted between your device and our servers is encrypted using TLS 1.3, the current industry standard for transport layer security. All data stored on our servers — including conversation content, memory data, and account information — is encrypted at rest using 256-bit AES (Advanced Encryption Standard) encryption. Encryption keys are stored separately from data in a dedicated key management service (KMS) with hardware security module (HSM) backing.

Voice data, where applicable, is encrypted end-to-end during transmission and stored in encrypted form. Marsh Harbor Deck employees cannot access the plaintext content of your voice recordings without your explicit permission.

4.2 Infrastructure Security

Our infrastructure is hosted in ISO 27001-certified data centers located in Japan and the European Union. We maintain SOC 2 Type II certification, which is independently audited annually. Our security practices include role-based access control (RBAC), comprehensive audit logging, regular penetration testing by independent security firms, automated vulnerability scanning, and a formal incident response plan.

4.3 Japanese Data Protection Law

As a Japanese corporation, Marsh Harbor Deck operates in full compliance with the Act on the Protection of Personal Information (APPI) of Japan, including the 2022 amendments that strengthened data subject rights and introduced mandatory breach notification requirements. Our data processing practices have been reviewed and approved by our Japanese legal counsel, and we maintain a registered Personal Information Protection Manager as required by law.

4.4 Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay, and in any event within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and applicable Japanese law.

5 Sharing Your Information

We share your information only in the following limited circumstances:

• Service providers: We engage carefully vetted third-party vendors who process data on our behalf — including cloud infrastructure providers, payment processors, and customer support software. All such vendors are bound by data processing agreements (DPAs) that restrict their use of your data to the specific services they provide to us and require them to maintain security standards equivalent to or exceeding our own.
• Legal requirements: We may disclose personal information if required to do so by law, regulation, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Marsh Harbor Deck, our users, or the public. We will notify affected users of such disclosures where legally permitted to do so.
• Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website at least 30 days before your data becomes subject to a materially different privacy policy.
• With your consent: We may share your information for any other purpose with your explicit prior consent. We will clearly describe the purpose and recipient before requesting such consent.

6 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate the Service, remember your preferences, and understand how you use our platform. You have meaningful control over these technologies.

6.1 Types of Cookies We Use

• Strictly necessary cookies: Required for the Service to function. These include session authentication cookies and security tokens. These cannot be disabled without breaking core functionality.
• Functional cookies: Remember your preferences, such as language selection, theme settings, and whether you have dismissed onboarding prompts. Stored for up to 12 months.
• Analytics cookies: Collect anonymized data about how users navigate the Service, which features are used, and where errors occur. We use this to improve the Service. You may opt out of analytics cookies without affecting your use of the Service.
• Performance cookies: Help us measure page load times and identify technical issues. These are strictly operational and do not contain personal information.

We do not use advertising cookies, retargeting pixels, or any tracking technology designed to build profiles for commercial advertising purposes. You can manage cookie preferences at any time through the Cookie Settings link in the footer of our website.

7 Your Rights and Choices

Depending on your country of residence, you have a range of rights regarding your personal information. Marsh Harbor Deck honors these rights for all users globally, not merely those in jurisdictions that legally require it.

7.1 Rights Under GDPR (EU/EEA Residents)

• Right of access: You may request a copy of all personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure ("Right to be Forgotten"): You may request deletion of your personal data. We will comply unless we are required to retain it by law.
• Right to restriction of processing: You may request that we limit how we use your data while a dispute is resolved.
• Right to data portability: You may request your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.
• Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: We do not make decisions with significant legal effects based solely on automated processing without human review.

7.2 Rights Under CCPA (California Residents)

• Right to know what personal information is collected, used, shared, or sold.
• Right to delete personal information (subject to certain exceptions).
• Right to opt out of the sale of personal information (Marsh Harbor Deck does not sell personal information).
• Right to non-discrimination for exercising your CCPA rights.

To exercise any of these rights, please contact us at hello@marshharbordeck.com with the subject line "Privacy Rights Request." We will respond within 30 days (or within 45 days where legally permitted). You may also access, export, and delete most data directly from your account settings under the "Privacy & Data" section.

8 Children's Privacy

Marsh Harbor Deck's Service is intended solely for individuals who are 18 years of age or older. We do not knowingly collect, use, or store personal information from individuals under the age of 18.

During the registration process, users are required to confirm that they are 18 or older. We use a combination of self-certification, payment card verification (which itself requires cardholder age verification), and, in certain jurisdictions, additional age verification mechanisms to enforce this requirement.

If we become aware that we have inadvertently collected personal information from a person under the age of 18, we will take immediate steps to delete that information from our systems and terminate the associated account. If you believe we may have collected data from a minor, please contact us immediately at hello@marshharbordeck.com.

Parents and guardians who have concerns about their child's potential use of the Service are encouraged to contact us. We take the protection of minors extremely seriously and will cooperate fully with parental requests.

9 International Data Transfers

Marsh Harbor Deck is headquartered in Tokyo, Japan, and our primary data processing occurs within Japan and the European Union. If you access our Service from outside these regions, your personal information may be transferred to, stored in, and processed in Japan or the EU.

For transfers of personal data from the European Economic Area (EEA) to Japan, we rely on the European Commission's adequacy decision for Japan (adopted in January 2019), which confirms that Japan provides an adequate level of data protection. For transfers to other countries, we use Standard Contractual Clauses (SCCs) as approved by the European Commission.

For transfers of data from the United Kingdom, we rely on the UK-Japan Digital Economy Agreement and applicable UK GDPR transfer mechanisms. For users in California and other US states, transfers are governed by our compliance with CCPA and applicable state privacy laws.

Regardless of where your data is transferred, we apply the same privacy standards described in this Policy. All international transfers are subject to binding legal agreements that require recipient parties to protect your data in accordance with these standards.

10 Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

Retention periods by data category:

• Account data: Retained for the duration of your account plus 90 days following account deletion (to allow for reactivation requests and to complete any outstanding transactions).
• Conversation content: Retained indefinitely while your account is active, to power the memory system. Deleted within 30 days of account deletion or upon explicit deletion request.
• Memory data: Retained while your account is active. You may delete individual memory entries or all memory data at any time from your account settings.
• Payment records: Retained for 7 years after the last transaction, as required by Japanese accounting law (Act on Special Measures Concerning Taxation) and international financial regulations.
• Support communications: Retained for 3 years following resolution of the support request.
• Analytics data: Retained in anonymized, aggregated form for up to 5 years. Individual-level analytics data is deleted within 12 months of collection.
• Log data: Security and access logs are retained for 12 months and then permanently deleted.

11 Third-Party Services

Marsh Harbor Deck integrates with a small number of carefully selected third-party services to operate the platform. Each of these providers has been evaluated for their data security and privacy practices, and all are bound by Data Processing Agreements.

• Stripe, Inc.: Payment processing. Stripe processes payment card data under PCI DSS Level 1 compliance. Marsh Harbor Deck does not receive or store your full card number. Please review Stripe's privacy policy at stripe.com/privacy.
• Amazon Web Services (AWS): Cloud infrastructure and data storage in our Tokyo and Frankfurt regions. AWS processes data under our Data Processing Agreement in compliance with GDPR and Japanese APPI requirements.
• Google Analytics (anonymized): Aggregated website analytics with IP anonymization enabled, no advertising integration, and data processing limited to our contracted purposes. You may opt out via the Google Analytics opt-out browser extension.
• Zendesk: Customer support ticket management. Support communications are stored in Zendesk's EU-hosted environment under our DPA.

The Marsh Harbor Deck Service may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this Policy and, where the changes are material, take additional steps to notify you.

For material changes — those that significantly affect how we use your personal information or your rights with respect to that information — we will:

• Send an email notification to the address associated with your account at least 30 days before the change takes effect.
• Display a prominent notice on the Marsh Harbor Deck website and within the application for at least 30 days before and after the change takes effect.
• Require you to affirmatively acknowledge the updated Policy before continuing to use the Service, where the change requires renewed consent.

Your continued use of the Service after any non-material update to this Policy will constitute your acceptance of the updated terms. If you do not agree with an updated Policy, you may close your account and request deletion of your data at any time.

We maintain an archive of previous versions of this Privacy Policy on our website. You may contact us at any time to request a copy of a previous version.

13 Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us. We are committed to resolving privacy inquiries promptly and transparently.

• General privacy inquiries: hello@marshharbordeck.com
• Data rights requests: hello@marshharbordeck.com (subject line: "Privacy Rights Request")
• Data breach notifications: hello@marshharbordeck.com (subject line: "Security Concern")
• Postal address: Marsh Harbor Deck Co., Ltd., Attn: Privacy Team, 6-10-11 Jingumae, Shibuya-ku, Tokyo 150-0001, Japan

If you are an EU/EEA resident and are not satisfied with our response to a privacy inquiry, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. For Japanese data protection matters, you may contact the Personal Information Protection Commission (PPC) at ppc.go.jp.

We are committed to working cooperatively with supervisory authorities and to complying with any advice or direction given by such authorities in relation to data that is processed outside of applicable legislation.