Privacy

Privacy Policy

Last updated: 26 May 2026

Last updated: 28 May 2026

Japan Resort Estate is operated by Aurant Technologies ("we", "us", the "controller"). This notice tells you what personal data we process, the legal grounds for processing, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, Japan's Act on the Protection of Personal Information (APPI), and equivalent Asia-Pacific privacy laws.

1. Controller & contact

Controller
Aurant Technologies (株式会社オーラント・テクノロジーズ)
Registered address
Iiyama, Nagano, Japan (full address disclosed in our statutory broker disclosure)
Privacy contact
privacy@washitsu-lab.com
EU representative (Article 27)
Not required at this scale; we voluntarily respond to enquiries from EEA / UK residents through the privacy address above.

2. Personal data we process

  • Identifying data: name, email, phone, country of residence (provided via the inquiry form)
  • Inquiry content and the property/region identifier you were viewing
  • Technical data: IP address, user-agent string (used only for anti-abuse and request logs)
  • Strictly necessary cookies (CSRF token, language preference). We do not use marketing, advertising, or analytics cookies.

3. Purposes and legal bases (Art. 6 GDPR)

(a) Respond to inquiries and prepare property due-diligence materials
Legal basis: pre-contractual steps at your request (Art. 6(1)(b) GDPR). Without these details we cannot reply.
(b) Comply with Japanese real-estate and AML obligations
Legal basis: legal obligation (Art. 6(1)(c) GDPR) under the Real Estate Brokerage Act (宅地建物取引業法) and the Act on Prevention of Transfer of Criminal Proceeds (犯罪収益移転防止法).
(c) Anti-abuse, security, and request logging
Legal basis: our legitimate interest in protecting the site and recipients of our service (Art. 6(1)(f) GDPR). Balanced against your interests: technical data is purged within 30 days.
(d) Editorial follow-up newsletter (only if you opted in)
Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via the unsubscribe link in every email.

4. Recipients & processors

We use a minimal set of vetted processors. Each is bound by a Data Processing Agreement (DPA).

  • Hetzner Online GmbH (Germany / EU) — primary hosting infrastructure
  • Resend, Inc. — transactional email delivery (only your email + the reply content)
  • Google LLC (Workspace) — internal mailbox where our team reads your enquiry; access restricted to authorised staff under domain-bound SSO
  • Licensed Japanese notaries / 司法書士 and tax advisors — only for the specific transaction you instruct, under their own professional confidentiality

We do not sell, rent, or trade your personal data.

5. International transfers

Your data is primarily stored in Germany (Hetzner Nuremberg) and processed in Japan by our staff. Transfers between the EEA / UK and Japan rely on the European Commission's Japan adequacy decision (23 January 2019, renewed 2023), which recognises Japan as providing an essentially equivalent level of data protection. Transfers to Resend (United States) rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

6. Retention

  • Inquiry content: 24 months from receipt, then anonymised (not deleted, to preserve the 5-year brokerage ledger required under Japanese law)
  • Technical data (IP / user-agent): 30 days, then masked
  • AML / audit logs: 7 years (犯収法 record-keeping requirement)
  • Newsletter consent: until you unsubscribe, then 12 months of suppression-list retention to honour your opt-out

7. Your rights

Under the GDPR / UK GDPR / APPI you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — delete data, except where statutory retention applies (see §6)
  • Restriction of processing — limit how we use the data while a dispute is resolved
  • Data portability — receive structured, machine-readable export of data you provided
  • Objection — object to processing based on legitimate interests (Art. 6(1)(f))
  • Withdraw consent — at any time, where processing is based on consent

Send any request to privacy@washitsu-lab.com. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).

8. Complaints

You may lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For Japan, the Personal Information Protection Commission (個人情報保護委員会, ppc.go.jp) is the supervisory authority. We would appreciate the opportunity to address your concerns first.

9. Automated decision-making

We do not make decisions about you using solely automated processing, including profiling, that produces legal or similarly significant effects.

10. Children

Our service targets adults considering a property investment. We do not knowingly collect personal data from children under 16. If you believe we hold such data, please contact us and we will delete it.

11. Security

TLS in transit, encryption at rest, role-based access, audit logs, and least-privilege staff access. We notify you and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in a risk to your rights.

12. Updates to this notice

We may update this notice. Material changes will be notified by email (if we have your address) and posted on this page with the "Last updated" date above.