Privacy Policy
Last updated: April 29, 2026
Gathring Inc. ("we," "us," or "our"), the operator of EC Lens (the "Service"), is committed to protecting your personal data. We comply with Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Definitions
"Personal data" means any information relating to an identified or identifiable natural person, including but not limited to name, address, email address, IP address, and online identifiers.
2. Personal Data We Collect
(a) Account information
- Email address
- Password (stored only as a bcrypt hash; we never store your password in plain text)
- Display name (optional)
- Language preference (ja / en)
(b) Usage data automatically collected
- Access timestamp, User Agent, and IP address (for security and fraud prevention)
- Session cookies (with HttpOnly, Secure, and SameSite attributes)
- Feature usage logs (credit consumption history, analysis execution history)
(c) Analysis target data
- URLs of the EC sites you ask us to analyze
- Publicly available data of those sites (HTML, meta tags, structured data, etc.)
- Usage data retrieved via Google Analytics 4, Google Search Console, and Microsoft Clarity
- Product data (titles, descriptions, image URLs, etc.) retrieved via the Shopify, BASE, or Wix APIs
(d) Payment data
- Payment processing is handled by Stripe, Inc. (United States). Credit card information is collected directly by Stripe.
- We do not store credit card numbers, expiration dates, or security codes.
- We retain only the Stripe Customer ID, billing history (amount, currency, date), and the plan and credits you purchased.
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Contract performance: Account creation, authentication, providing analytics features, billing.
- Legitimate interests: Service improvement, fraud prevention, security monitoring.
- Consent: Marketing communications (which you may withdraw at any time), optional analytics cookies.
- Legal obligation: Tax record retention, responding to lawful requests from authorities.
4. Purposes of Use
- Providing the Service (authentication, analytics features, credit management)
- Billing (payment processing via Stripe, issuing receipts)
- Generating AI analysis reports (sending analysis input to Anthropic, PBC and OpenAI OpCo, LLC APIs)
- Improving service quality and developing new features
- Sending important notices and policy update notifications
- Responding to inquiries
- Investigating and preventing misuse and policy violations
- Complying with legal obligations
5. Third-Party Processors and International Data Transfers
We use the following third-party processors. By using the Service, you acknowledge that your personal data may be transferred to and processed in jurisdictions outside Japan and the European Economic Area (EEA), including the United States.
| Processor | Location | Purpose |
|---|---|---|
| Stripe, Inc. | United States | Credit card payment processing |
| Anthropic, PBC | United States | AI analysis (LLM API for analysis report generation) |
| OpenAI OpCo, LLC | United States | AI analysis (GPT-series API for analysis report generation) |
| Google LLC | United States | Web analytics (Google Analytics 4); GA4 / Search Console data retrieval |
| Microsoft Corporation | United States | Web analytics (Microsoft Clarity); Clarity data retrieval |
| Hosting Provider (ConoHa VPS, Japan) | Japan | Server hosting and content delivery |
For transfers from the EEA / UK, we rely on Standard Contractual Clauses (SCCs) and supplementary measures where applicable. Each processor maintains compliance with major data protection frameworks (GDPR, CCPA, APPI). Their privacy policies are available at:
- Stripe, Inc.: https://stripe.com/privacy
- Anthropic, PBC: https://www.anthropic.com/legal/privacy
- OpenAI OpCo, LLC: https://openai.com/policies/privacy-policy
- Google LLC: https://policies.google.com/privacy
- Microsoft Corporation: https://privacy.microsoft.com/privacystatement
6. Cookies and Similar Technologies
(a) Strictly necessary cookies
- Session management (login state)
- Security (CSRF tokens, etc.)
- Language preference
- These cannot be disabled because they are essential to the Service.
(b) Analytics cookies
- Google Analytics 4: Anonymous usage analysis
- Microsoft Clarity: Anonymous behavioral analysis
You may disable cookies through your browser settings, but some features of the Service may become unavailable.
7. Security Measures
We implement the following security measures to prevent leakage, loss, or damage of personal data:
- Encryption in transit (HTTPS / TLS 1.2 or higher)
- Password storage using bcrypt hashing
- Authentication cookies with HttpOnly, Secure, and SameSite attributes
- Encryption at rest for analysis target data
- Least-privilege access controls
- Intrusion detection and access log monitoring
- Employee training and supervision
8. Your Rights
Depending on the jurisdiction in which you reside, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data.
- Right to restrict processing: Request that we stop processing your data in certain situations.
- Right to data portability: Receive your personal data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Withdraw consent for processing based on consent at any time.
- Right to lodge a complaint: File a complaint with your local data protection authority.
To exercise these rights, please contact us using the information in Section 10. We will respond within 30 days, subject to identity verification. Some data may be retained where required by applicable law (e.g., tax records).
9. Data Retention
- Account information: Retained while your account is active, plus 6 months (backup retention)
- Billing records: 7 years (per Japanese tax law)
- Analysis target data: Last 12 months (older data automatically deleted)
- Access logs: 90 days
10. Contact
Gathring Inc. — Data Protection Inquiries
- Address: 1-22-11 Ginza, Chuo-ku, Tokyo 104-0061, Japan
- Phone: +81-3-5539-9811
- Email: [email protected]
- Business hours: Weekdays 10:00–18:00 JST (excluding weekends and Japanese national holidays)
For users in the EEA / UK who are not satisfied with our response, you may also contact your local data protection authority.
11. Changes to This Policy
We may update this Privacy Policy in response to changes in laws or our business. We will notify you of material changes via the Service or by email. The updated policy takes effect when posted on our website.
Revision History
- Effective Date: April 29, 2026
- Last Updated: April 29, 2026