briefroom

Sign up or Sign in

or

We'll create an account for you if you don't have one yet.

briefroom Privacy Policy

Talent Cloud, Inc. (the "Company") sets forth the following handling of users' personal information in the service "briefroom" (the "Service") operated by the Company.

Note: In the event of any conflict between the Japanese and English versions of this Policy, the Japanese version shall prevail.


Article 1 (Application)

This Privacy Policy (the "Policy") prescribes the handling of personal information in the Service and applies to all Users using the Service. This Policy, together with the Terms of Service prescribed by the Company, constitutes part of the agreement between the Company and Users regarding the use of the Service.

Article 2 (Personal Information Collected)

In providing the Service, the Company collects the following information.

Category Items Collected Method of Collection
Account Information Email address, display name, authentication ID User registration, email authentication (Magic Link), Google OAuth authentication
Guest Information Email address, room name At the time of a guest upload
Usage Logs IP address, user agent, request path, request timestamp, referrer Automatically collected when the Service is used
Uploaded Content HTML, images, ZIP, and other files voluntarily transmitted by the User Upon upload
Share/View Logs Access history of Shared Links, viewer IP (hashed), access timestamps Upon viewing a Shared Link
Comment Information Comment body, target selector, screenshots, poster identification information Upon comment posting
Consent Information Date and time of consent to Terms of Service and Privacy Policy, hashed IP at consent, user agent, version consented to Upon submission of the consent checkbox screen
Payment-Related Information Tokens from the payment processor (Stripe Japan), business operator information necessary for invoice issuance Upon contracting for a paid plan

Credit card information itself is not stored on the Company's servers at all and is safely processed by Stripe Japan.

Article 3 (Purpose of Use)

The Company uses the personal information it collects for the following purposes:

  1. Provision, operation, and improvement of the Service
  2. User authentication and account management
  3. Storage and delivery of User Content
  4. Provision of commenting features and AI integration features
  5. Detection of and response to unauthorized use, security incidents, cost anomalies, and other material events
  6. Virus/malware scanning and phishing URL inspection of uploaded content
  7. Anti-abuse measures including rate limiting and Turnstile
  8. Sending of important notifications by email (Terms revisions, security warnings, delivery completion notifications, etc.), and, based on the User's consent, optional delivery of useful service-related information (feature announcements, tips, feature updates, partner offers, etc.). Such optional delivery may be discontinued (opt-out) by the User at any time via the opt-out link in the email body or the settings screen.
  9. Billing, invoice issuance, and tax handling (Qualified Invoice System)
  10. Creation of statistical data and analysis for service improvement
  11. Compliance with laws, contracts, and other legal obligations
  12. Responding to inquiries and providing support

Article 4 (Provision to Third Parties and to Third Parties in Foreign Countries)

4-1. Principle of Provision to Third Parties

Except as permitted by law, the Company shall not provide the collected personal information to third parties without first obtaining the User's consent.

4-2. Provision to Service Subcontractors

The Company entrusts the handling of personal information to the subcontractors listed in the table in the following subsection, to the extent necessary for the operation of the Service. These subcontractors are contractually obligated to implement security control measures equivalent to those of the Company with respect to the protection of personal information.

4-3. Provision to Third Parties Located in Foreign Countries (Article 28 of the Act on the Protection of Personal Information)

The Service uses servers or services provided by the following third parties located in foreign countries, and a portion of Users' personal information is provided to these parties. By using the Service, Users are deemed to have consented to the following cross-border transfers under Article 28 of the Act on the Protection of Personal Information (APPI).

Provider Primary Location Scope of Information Provided Purpose of Use Information on the Personal Information Protection System of the Relevant Country
Cloudflare, Inc. United States IP addresses at delivery, request headers, body of User Content Content delivery via CDN, edge worker execution, object storage on Cloudflare R2, token-resolution cache on Cloudflare KV Refer to the Personal Information Protection Commission's "Provision to Third Parties Located in Foreign Countries" materials. As the US is not an adequacy-decision country, this consent is obtained
Vercel Inc. United States (with delivery edge primarily at the Tokyo region hnd1) Metadata of application requests (IP, UA, request path), server logs Hosting of the Next.js application and edge delivery Same as above
Functional Software, Inc. (Sentry) United States Stack traces at error occurrence, request URLs, sanitized HTTP context (a personal-information filter is applied; email addresses are in principle not sent) Error monitoring and incident response Same as above
Resend, Inc. United States and Europe User email address, email body Sending of email authentication (Magic Link), comment notifications, deletion completion notifications, and other transactional/operational notifications US and EU. EU is an adequacy-decision region
Supabase Inc. (infrastructure on AWS Tokyo region) United States (operator location); data stored in Japan (AWS ap-northeast-1 Tokyo) Account information, usage logs, comment information, consent information Database (PostgreSQL), authentication platform (Supabase Auth), storage The data itself is stored in Japan. Supabase as a corporation is incorporated in Delaware, US
Google LLC (Google Cloud Web Risk API) United States URLs linked from within HTML uploaded by Users (file contents and personal information are not transmitted) Lookup against malware, social engineering, and unwanted software sites Refer to Google Cloud's privacy and security documentation
Upstash, Inc. (data in Tokyo region ap-northeast-1) United States (operator location); data stored in Japan Hashed values of IP addresses and user IDs at request time, request timestamps Storage of rate-limit counters The data itself is stored in Japan. Upstash as a corporation is incorporated in Delaware, US
Better Stack s.r.o. Czech Republic (EU) External-monitoring requests against the Service, response times, uptime logs Monitoring of service uptime and incident detection EU is an adequacy-decision region

Users consent to the above cross-border transfers by checking the checkbox on the consent screen displayed at the start of use of the Service. Users who do not wish to consent cannot use the Service.

4-4. Exceptions

Notwithstanding the above, the Company may provide personal information to third parties without the consent of the principal in the following cases:

  1. When required by law
  2. When necessary to protect the life, body, or property of a person and it is difficult to obtain the consent of the principal
  3. When particularly necessary for the improvement of public health or the promotion of the sound development of children, and it is difficult to obtain the consent of the principal
  4. When it is necessary to cooperate with a national agency, local government, or person entrusted thereby in performing duties prescribed by law

Article 5 (Cookies and Access Logs)

  1. The Service uses cookies and similar technologies for maintaining user authentication, preserving settings, and detecting unauthorized use.
  2. Access logs include IP addresses, user agents, referrers, request paths, and request timestamps, and are used for unauthorized-use detection, statistical analysis, and troubleshooting.
  3. Users can disable cookies in their browser settings, but doing so may render some features of the Service unavailable.

Article 6 (Publishing Configuration of Shared Links)

  1. User Content uploaded by Users is published in accordance with the publishing configuration of the Shared Links created by the User. Publishing options include expiration dates, password protection, and invitation-only access (email authentication via Magic Link).
  2. Published Shared Links are accessible to third parties who know the URL. They are not subject to indexing by search engines (an X-Robots-Tag: noindex is attached).
  3. Shared Links issued by Users who have registered an account may be invalidated or deleted at any time by such Users.

Article 7 (Requests for Disclosure, Correction, or Deletion of Personal Information)

  1. Users may, by methods prescribed by the Company, request disclosure, correction, addition, deletion, suspension of use, erasure, or suspension of provision to third parties of their personal information held by the Company.
  2. Upon receiving a request from a User, the Company will, after verifying the identity of the User, respond promptly within a reasonable scope.
  3. Please direct disclosure requests and similar matters to the contact information at the end of this Policy.
  4. No fee is charged for disclosure and similar requests. However, actual costs may be borne by the User in certain cases, such as when disclosure by written document is requested.

Article 8 (Security Control Measures)

The Company takes the following measures for the prevention of leakage, loss, or damage of Users' personal information and for other purposes of security control:

  1. Organizational Security Control Measures: Establishment of a person responsible for the handling of personal information, and clarification of personnel handling personal information and the scope of handling
  2. Human Security Control Measures: Training of personnel regarding the handling of personal information and execution of confidentiality agreements
  3. Physical Security Control Measures: Access control to data centers (Supabase AWS Tokyo, Cloudflare, Vercel) and equipment-theft countermeasures
  4. Technical Security Control Measures:
    • TLS encryption of communications
    • Encryption at the database (Supabase PostgreSQL)
    • Attachment of Content Security Policy (CSP), Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Embedder-Policy (COEP) at delivery
    • Magic byte inspection at upload, SVG sanitization, and URL inspection by Google Cloud Web Risk API
    • Anti-abuse via Cloudflare Turnstile
    • Suppression of excessive access via rate limiting (Upstash Redis)
    • Error monitoring and personal-information filtering by Sentry
    • Physical separation of the delivery domain (*.user-content.briefroom.net) to block cookie-leakage risks
  5. Supervision of External Subcontractors: Selection criteria for subcontractors, contractual obligations, and periodic review

Article 9 (Retention Period of Personal Information)

Category Retention Period
Account Information Promptly deleted after account deletion
Guest Information (no account registered) Before email verification: automatically deleted within 24 hours of upload (provisional URL issuance) / After email verification, without account registration: automatically deleted 7 days after email verification
Uploaded Content Physically deleted on a separately defined deletion cycle (within 30 days) after the expiration of the Shared Link
Access Logs, Usage Logs Up to one year from collection (for unauthorized-use investigations)
Consent Information, Audit Logs Seven years (considering the statute of limitations for civil litigation)
Payment-Related Information The retention period prescribed by law (such as the Electronic Books Maintenance Act)

Article 10 (Revision of this Policy)

  1. The Company may revise this Policy as necessary.
  2. The revised Policy shall take effect from the time it is posted on the Service.
  3. In the case of material revisions (changes to collected items, expansion of the purpose of use, addition of cross-border transfer recipients, etc.), the Company shall notify Users by email to their registered email addresses and, if necessary, request re-consent.

Article 11 (Complaints and Inquiries)

For complaints or inquiries regarding this Policy or the handling of personal information, please contact:

  • Business Operator: Talent Cloud, Inc.
  • Address: 171 Ochicho, Midori-ku, Chiba-shi, Chiba 267-0055, Japan
  • Personal Information Protection Manager: Representative Director Takemi Terashi
  • Contact: support@briefroom.net

Users who are not satisfied with the Company's response may file a complaint with the Personal Information Protection Commission (https://www.ppc.go.jp/).


Enacted: 2026-07-06 Last Revised: 2026-07-06

Last modified: 2026-07-06

Version: 1.0.0