Privacy Policy

Effective / Last Updated: January 1, 2026

IMPACTLAKE Pte. Ltd. and IMPACTLAKE Co. Ltd. (collectively, “we,” “us,” or “our”) respect privacy and handle personal data and related information in accordance with applicable laws, regulations, guidelines, and contractual obligations.

This Privacy Policy applies to our websites, services, products, platforms, inquiries, sales activities, contract administration, recruitment, contractor management, events, support activities, and other business operations.

Certain services, including impactlake Platform, may be subject to service-specific terms, privacy supplements, data processing agreements (DPAs), API terms, acceptable use policies, research or benchmarking addenda, or individual agreements (collectively, “Service-Specific Terms”). This Privacy Policy supplements such Service-Specific Terms. If this Privacy Policy conflicts with any Service-Specific Terms, the Service-Specific Terms will prevail with respect to the relevant service, to the extent permitted by applicable law.

If there is any doubt regarding the role of each group entity, contracting entity, service operator, or data processing entity, the provisions relating to IMPACTLAKE Pte. Ltd. as the primary group service operator shall prevail, unless otherwise specified in an individual agreement or Service-Specific Terms. However, IMPACTLAKE Co. Ltd. also handles personal data appropriately under this Privacy Policy with respect to business activities it conducts in Japan, including customer communications, contract administration, sales activities, onboarding support, and related operations.

1. Responsible Entities

The entities responsible for handling personal data under this Privacy Policy are:

• IMPACTLAKE Pte. Ltd.
  Address: 11 Keng Cheow Street, #04-10, The Riverside Piazza, Singapore 059608
  Representative: Reona Sekino
• IMPACTLAKE Co. Ltd.
  Address: GM Bldg. 5F, 6-11-16 Sotokanda, Chiyoda-ku, Tokyo 101-0021
  Representative: Reona Sekino

Depending on the relevant service, agreement, region, or use case, either or both entities may act as a data controller, joint participant, related company, service provider, processor, or platform operator.

2. Information We Collect

We may collect or process the following categories of information:

1. Name, company, department, title, email address, telephone number, and other contact information
2. Account IDs, login information, authentication information, MFA information, and user identifiers
3. Inquiry, sales, contract, and support communications
4. Contract, billing, payment, quotation, order, and invoicing information
5. Service usage history, operation logs, access logs, device information, cookies, IP addresses, and other technical information
6. Information uploaded, submitted, entered, stored, or shared by customers or users through our services
7. Impact assessment data, logic models, KPIs, reports, analysis results, and information generated in connection with our services
8. Resumes, CVs, skills information, and other temporary personal data collected for recruitment, contractor engagement, or proposal team confirmation
9. Publicly available information, company information, integrated reports, statutory disclosures, website information, and information generated from such sources
10. Other information necessary for providing our services or conducting our business

We generally do not request or collect sensitive personal information, special category data, children’s data, non-anonymized sensitive information, or other information that we prohibit from being submitted. Customers and users must not submit such information to our services or AI/API tools unless expressly permitted by us.

3. Purposes of Use

We use personal data for the following purposes:

1. Providing, operating, maintaining, and improving our services, products, platforms, APIs, and related features
2. User registration, identity verification, account management, authentication, and access control
3. Handling inquiries, document requests, consultations, support, incident response, and notices
4. Sales, contract administration, billing, payment, quotation, order, and transaction management
5. Customer management, proposals, onboarding support, and customer success activities
6. Impact assessment, analysis, report preparation, logic model and KPI design, and data processing
7. Security, fraud prevention, log management, audit, and incident response
8. Service quality improvement, usage analysis, creation of statistical, benchmark, anonymized, or aggregated information
9. Analysis, generation, evaluation, summarization, report creation, and operational efficiency using AI/API tools
10. Recruitment, contractor engagement, proposal team confirmation, and contractor management
11. Compliance with laws, regulations, guidelines, contracts, terms of use, and individual agreements
12. Protection of our rights, dispute resolution, and legal claims
13. Purposes incidental or related to the above

We will not use personal data beyond the scope necessary to achieve the purposes described above, except where permitted by applicable law, with consent, or where the purposes are modified within a reasonably related scope.

4. Relationship with Platform and Service-Specific Terms

The use of impactlake Platform and certain other services may be governed by their own terms of use, privacy supplements, DPAs, AUPs, API terms, research or benchmarking addenda, and individual agreements.

For certain Platform environments, the user or its organization may act as the controller, and IMPACTLAKE Pte. Ltd. may act as the processor under the applicable DPA. For account management, logs, security, analytics, and related activities, we may act as the responsible entity handling relevant data.

With respect to Platform use, Service-Specific Terms may provide additional or different rules regarding personal data uploads, pseudonymized data, anonymized data, re-identification restrictions, API use, subprocessors, international transfers, deletion and return, audits, and liability limitations. In the event of any conflict, the Service-Specific Terms will prevail for the relevant service to the extent permitted by applicable law.

5. Use of AI/API Services

We may use AI/API services, including OpenAI, Google Gemini, Anthropic Claude, and other providers, for service provision, analysis, assessment, summarization, report generation, and operational efficiency.

When using AI/API services, we review or manage customer consent, contractual or terms-based grounds, training-use settings, prohibited input information, data retention, logs, and allocation of responsibilities, and we implement appropriate safeguards.

We do not intend to input sensitive personal information, non-anonymized sensitive information, API keys, passwords, authentication credentials, information prohibited by customers, or other inappropriate information into AI/API services.

Where customer policy requires, we may use customer-managed API keys, cloud environments, private environments, or individual agreements. In such cases, the allocation of responsibilities, input data, output data, storage location, logs, and deletion upon termination may be separately agreed.

6. Anonymized, Statistical, and Generated Parameter Information

We may use or retain anonymized information, statistical information, aggregated data, analysis results, benchmark information, service improvement parameters, AI output quality evaluation information, and similar information that does not identify individuals or specific customers.

When handling such information, we consider re-identification risk, identification through small sample sizes, contractual or terms-based restrictions, customer agreements, and legal obligations. Where information may identify or infer a specific individual or customer, we will manage it in accordance with the appropriate level of protection for personal data or customer confidential information.

7. Disclosure to Third Parties

We will not disclose personal data to third parties without consent, except in the following cases:

1. Where required by law
2. Where necessary to protect life, body, or property and obtaining consent is difficult
3. Where especially necessary for public health or the sound development of children and obtaining consent is difficult
4. Where cooperation with public authorities is necessary and obtaining consent may interfere with their duties
5. Where we outsource processing within the scope necessary to achieve the relevant purposes
6. In connection with mergers, corporate splits, business transfers, or other business succession
7. Where information is jointly used or shared among related entities and required matters have been disclosed or notified
8. Where otherwise permitted by applicable law

8. Outsourcing

We may outsource certain operations to third-party service providers, including cloud services, hosting, authentication, email delivery, payment processing, CRM, project management, AI/API services, development, maintenance, operations, legal, accounting, and other business services.

Such service providers may include Google Cloud, Firebase, Microsoft 365, SharePoint, GitHub, Stripe, SendGrid, HubSpot, Slack, Asana, AI/API providers, development contractors, and other external providers used by us.

We manage outsourcing arrangements based on risk, including the scope of outsourced work, information handled, access scope, contractual terms, confidentiality, incident notification, subcontracting, and deletion or return upon termination.

9. Joint Use and Related-Company Use

We may jointly use personal data as follows:

Scope of joint users	IMPACTLAKE Pte. Ltd. and IMPACTLAKE Co. Ltd.
Items jointly used	Name, company, department, title, email address, telephone number, inquiries, contract, sales and support information, service usage information, and other information necessary for the purposes of use
Purposes	Service provision, customer support, contract administration, billing, onboarding support, development and operational support, security management, incident response, and business operations
Responsible entity	IMPACTLAKE Pte. Ltd. Address: 11 Keng Cheow Street, #04-10, The Riverside Piazza, Singapore 059608 Representative: Reona Sekino
Collection methods	Web forms, email, contracts, sales activities, service use, customer submissions, public information, and other lawful means

Even where processing is not structured as joint use, one entity may access or process information as a related company, contracting party, service provider, processor, or overseas access entity. In such cases, we manage the information in accordance with applicable laws, contracts, and internal rules.

10. International Transfers and Overseas Access

We may disclose personal data to, or allow access from, foreign entities including IMPACTLAKE Pte. Ltd., overseas cloud service providers, SaaS providers, AI/API providers, subprocessors, professional advisors, and other third parties located outside Japan.

In such cases, we will rely on consent, contractual safeguards, standard contractual clauses or other appropriate safeguards, or other grounds permitted by applicable law, and will provide information and implement safeguards as required.

Where required by law, we will provide information regarding the destination country, the personal data protection system of that country, and the safeguards implemented by the recipient upon request.

11. Security Measures

We implement security measures to prevent leakage, loss, damage, unauthorized access, alteration, and misuse of personal data and customer confidential information, including:

1. Information security and personal data protection policies and rules
2. Information asset and personal data inventories, SaaS/cloud/vendor inventories, and risk assessments
3. Least-privilege access control, access granting, removal, and periodic review
4. MFA, authentication management, password, API key, and secrets management
5. Encryption in transit and at rest, logging, audit, and vulnerability management
6. Vendor management, contracts, NDAs, incident reporting, and subcontractor management
7. Education for officers, employees, and relevant contractors
8. Incident response, improvement management, and recurrence prevention
9. Remote work, BYOD, and personal mobile device management
10. Controls for AI/API use, including prohibited input information, training-use restrictions, customer consent, and allocation of responsibilities

12. Retention and Deletion

We retain personal data only for the period necessary to achieve the relevant purposes, comply with legal or contractual obligations, or satisfy legitimate business needs.

When personal data is no longer necessary, we delete, anonymize, or cease using it through appropriate methods. However, we may retain information where necessary for backups, audits, legal retention, dispute resolution, or contractual obligations.

Resumes, CVs, and similar temporary personal data are generally deleted promptly after the relevant recruitment, contractor engagement, or proposal team confirmation purpose has been achieved. Where collected through our systems, automated deletion is the default approach, and management is based on deletion specifications, exception handling, and necessary records rather than excessive file-by-file inventory.

13. Cookies and Similar Technologies

We may use cookies, similar technologies, logs, and telemetry for authentication, session management, security, usage analysis, and service improvement.

Where consent is required by law, we will obtain consent through appropriate means.

14. Data Subject Requests

Individuals may request notification of purposes of use, disclosure, correction, addition, deletion, suspension of use, erasure, suspension of third-party provision, disclosure of third-party provision records, or other rights with respect to retained personal data, in accordance with applicable law.

Please contact the privacy inquiry desk below. We will verify the identity of the requester and respond within a reasonable scope in accordance with applicable law. Fees may apply depending on the nature of the request.

15. Inquiries and Complaints

For questions, complaints, consultations, or data subject requests regarding the handling of personal data, please contact:

IMPACTLAKE Pte. Ltd. / IMPACTLAKE Co. Ltd.
Privacy Inquiry Desk
Email: privacy@impactlake.com

For Platform-specific legal notices, notice-and-takedown requests, API matters, DPA matters, or notices under Platform terms, the contact specified in the relevant Platform terms may also apply.

16. Accredited Personal Information Protection Organization

If we become a covered business operator of an accredited personal information protection organization, we will publish the organization’s name and complaint resolution contact details in this section.

17. Changes

We may update this Privacy Policy due to changes in laws, services, business operations, security requirements, or other reasons. In the case of material changes, we will notify users by publication on our website or by other appropriate means.

18. Language

If there is any discrepancy between the Japanese and English versions of this Privacy Policy, the Japanese version will prevail, unless otherwise specified in an individual agreement or Service-Specific Terms.

However, where Service-Specific Terms for impactlake Platform or other services specify that the English version is the authoritative version, the language and priority provisions of those Service-Specific Terms will apply to the use of the relevant service, to the extent permitted by applicable law.