Privacy Policy

Effective / Last Updated: January 1, 2026

IMPACTLAKE Pte. Ltd. and IMPACTLAKE Co. Ltd. (collectively, “we,” “us,” or “our”) respect privacy and handle personal data and related information in accordance with applicable laws, regulations, guidelines, and contractual obligations.

This Privacy Policy applies to our websites, services, products, platforms, inquiries, sales activities, contract administration, recruitment, contractor management, events, support activities, and other business operations.

Certain services, including impactlake Platform, may be subject to service-specific terms, privacy supplements, data processing agreements (DPAs), API terms, acceptable use policies, research or benchmarking addenda, or individual agreements (collectively, “Service-Specific Terms”). This Privacy Policy supplements such Service-Specific Terms. If this Privacy Policy conflicts with any Service-Specific Terms, the Service-Specific Terms will prevail with respect to the relevant service, to the extent permitted by applicable law.

If there is any doubt regarding the role of each group entity, contracting entity, service operator, or data processing entity, the provisions relating to IMPACTLAKE Pte. Ltd. as the primary group service operator shall prevail, unless otherwise specified in an individual agreement or Service-Specific Terms. However, IMPACTLAKE Co. Ltd. also handles personal data appropriately under this Privacy Policy with respect to business activities it conducts in Japan, including customer communications, contract administration, sales activities, onboarding support, and related operations.

1. Responsible Entities

The entities responsible for handling personal data under this Privacy Policy are:

IMPACTLAKE Pte. Ltd.
Address: 11 Keng Cheow Street, #04-10, The Riverside Piazza, Singapore 059608
Representative: Reona Sekino

IMPACTLAKE Co. Ltd.
Address: GM Bldg. 5F, 6-11-16 Sotokanda, Chiyoda-ku, Tokyo 101-0021
Representative: Reona Sekino

Depending on the relevant service, agreement, region, or use case, either or both entities may act as a data controller, joint participant, related company, service provider, processor, or platform operator.

2. Information We Collect

We may collect or process the following categories of information:

• Name, company, department, title, email address, telephone number, and other contact information
• Account IDs, login information, authentication information, MFA information, and user identifiers
• Inquiry, sales, contract, and support communications
• Contract, billing, payment, quotation, order, and invoicing information
• Service usage history, operation logs, access logs, device information, cookies, IP addresses, and other technical information
• Information uploaded, submitted, entered, stored, or shared by customers or users through our services
• Impact assessment data, logic models, KPIs, reports, analysis results, and information generated in connection with our services
• Resumes, CVs, skills information, and other temporary personal data collected for recruitment, contractor engagement, or proposal team confirmation
• Publicly available information, company information, integrated reports, statutory disclosures, website information, and information generated from such sources
• Other information necessary for providing our services or conducting our business

We generally do not request or collect sensitive personal information, special category data, children’s data, non-anonymized sensitive information, or other information that we prohibit from being submitted. Customers and users must not submit such information to our services or AI/API tools unless expressly permitted by us.

3. Purposes of Use

We use personal data for the following purposes:

• Providing, operating, maintaining, and improving our services, products, platforms, APIs, and related features
• User registration, identity verification, account management, authentication, and access control
• Handling inquiries, document requests, consultations, support, incident response, and notices
• Sales, contract administration, billing, payment, quotation, order, and transaction management
• Customer management, proposals, onboarding support, and customer success activities
• Impact assessment, analysis, report preparation, logic model and KPI design, and data processing
• Security, fraud prevention, log management, audit, and incident response
• Service quality improvement, usage analysis, creation of statistical, benchmark, anonymized, or aggregated information
• Analysis, generation, evaluation, summarization, report creation, and operational efficiency using AI/API tools
• Recruitment, contractor engagement, proposal team confirmation, and contractor management
• Compliance with laws, regulations, guidelines, contracts, terms of use, and individual agreements
• Protection of our rights, dispute resolution, and legal claims
• Purposes incidental or related to the above

We will not use personal data beyond the scope necessary to achieve the purposes described above, except where permitted by applicable law, with consent, or where the purposes are modified within a reasonably related scope.

4. Relationship with Platform and Service-Specific Terms

The use of impactlake Platform and certain other services may be governed by their own terms of use, privacy supplements, DPAs, AUPs, API terms, research or benchmarking addenda, and individual agreements.

For certain Platform environments, the user or its organization may act as the controller, and IMPACTLAKE Pte. Ltd. may act as the processor under the applicable DPA. For account management, logs, security, analytics, and related activities, we may act as the responsible entity handling relevant data.

With respect to Platform use, Service-Specific Terms may provide additional or different rules regarding personal data uploads, pseudonymized data, anonymized data, re-identification restrictions, API use, subprocessors, international transfers, deletion and return, audits, and liability limitations. In the event of any conflict, the Service-Specific Terms will prevail for the relevant service to the extent permitted by applicable law.

5. Use of AI/API Services

We may use AI/API services, including OpenAI, Google Gemini, Anthropic Claude, and other providers, for service provision, analysis, assessment, summarization, report generation, and operational efficiency.

When using AI/API services, we review or manage customer consent, contractual or terms-based grounds, training-use settings, prohibited input information, data retention, logs, and allocation of responsibilities, and we implement appropriate safeguards.

We do not intend to input sensitive personal information, non-anonymized sensitive information, API keys, passwords, authentication credentials, information prohibited by customers, or other inappropriate information into AI/API services.

Where customer policy requires, we may use customer-managed API keys, cloud environments, private environments, or individual agreements. In such cases, the allocation of responsibilities, input data, output data, storage location, logs, and deletion upon termination may be separately agreed.

6. Anonymized, Statistical, and Generated Parameter Information

We may use or retain anonymized information, statistical information, aggregated data, analysis results, benchmark information, service improvement parameters, AI output quality evaluation information, and similar information that does not identify individuals or specific customers.

When handling such information, we consider re-identification risk, identification through small sample sizes, contractual or terms-based restrictions, customer agreements, and legal obligations. Where information may identify or infer a specific individual or customer, we will manage it in accordance with the appropriate level of protection for personal data or customer confidential information.

7. Disclosure to Third Parties

We will not disclose personal data to third parties without consent, except in the following cases:

• Where required by law
• Where necessary to protect life, body, or property and obtaining consent is difficult
• Where especially necessary for public health or the sound development of children and obtaining consent is difficult
• Where cooperation with public authorities is necessary and obtaining consent may interfere with their duties
• Where we outsource processing within the scope necessary to achieve the relevant purposes
• In connection with mergers, corporate splits, business transfers, or other business succession
• Where information is jointly used or shared among related entities and required matters have been disclosed or notified
• Where otherwise permitted by applicable law

8. Outsourcing

We may outsource certain operations to third-party service providers, including cloud services, hosting, authentication, email delivery, payment processing, CRM, project management, AI/API services, development, maintenance, operations, legal, accounting, and other business services.

Such service providers may include Google Cloud, Firebase, Microsoft 365, SharePoint, GitHub, Stripe, SendGrid, HubSpot, Slack, Asana, AI/API providers, development contractors, and other external providers used by us.

We manage outsourcing arrangements based on risk, including the scope of outsourced work, information handled, access scope, contractual terms, confidentiality, incident notification, subcontracting, and deletion or return upon termination.

9. Joint Use and Related-Company Use

We may jointly use personal data as follows:

• Scope of joint users: IMPACTLAKE Pte. Ltd. and IMPACTLAKE Co. Ltd.
• Items jointly used: Name, company, department, title, email address, telephone number, inquiries, contract, sales and support information, service usage information, and other information necessary for the purposes of use
• Purposes: Service provision, customer support, contract administration, billing, onboarding support, development and operational support, security management, incident response, and business operations
• Responsible entities: IMPACTLAKE Pte. Ltd. (11 Keng Cheow Street, #04-10, The Riverside Piazza, Singapore 059608) and IMPACTLAKE Co. Ltd. (6-11-16 Sotokanda, GM Building 5F, Chiyoda-ku, Tokyo 101-0021, Japan); Representative of both entities: Reona Sekino
• Contact for requests and complaints regarding jointly used personal information: privacy@impactlake.com
• Collection methods: Web forms, email, contracts, sales activities, service use, customer submissions, public information, and other lawful means

Even where processing is not structured as joint use, one entity may access or process information as a related company, contracting party, service provider, processor, or overseas access entity. In such cases, we manage the information in accordance with applicable laws, contracts, and internal rules.

10. International Transfers and Overseas Access

We may disclose personal data to, or allow access from, foreign entities including IMPACTLAKE Pte. Ltd., overseas cloud service providers, SaaS providers, AI/API providers, subprocessors, professional advisors, and other third parties located outside Japan.

In such cases, we will rely on consent, contractual safeguards, standard contractual clauses or other appropriate safeguards, or other grounds permitted by applicable law, and will provide information and implement safeguards as required.

Where required by law, we will provide information regarding the destination country, the personal data protection system of that country, and the safeguards implemented by the recipient upon request.

11. Cookies, Web Analytics, and External Transmission

We use cookies, similar technologies, logs, and telemetry on our websites and services for authentication, session management, security, usage analysis, and service improvement.

For the analysis and improvement of usage, we use Google Analytics (provider: Google LLC, USA). As a result, cookie identifiers, IP addresses, browsing information, device information, and similar data are transmitted to Google LLC.

• Recipient: Google LLC (USA)
• Information transmitted: cookie identifiers, IP address, pages viewed, referrer, device/browser information, etc.
• Purpose: measurement and analysis of website usage, and service improvement

We do not use any feature that links cookies with Google for advertising purposes (such as Google Signals). You can disable this through your browser cookie settings or the Google opt-out add-on (https://tools.google.com/dlpage/gaoptout). Where consent is required by law, we will obtain consent through appropriate means.

In addition, we use HubSpot (provided by HubSpot, Inc., United States) for our inquiry-response chat function and for access analysis. Through this, cookies, IP address, browsing information, and the content you enter into the chat are transmitted to HubSpot and are recorded and managed in accordance with HubSpot’s privacy policy.

• Recipient: HubSpot, Inc. (United States)
• Information transmitted: cookie identifiers, IP address, browsing/operation information, content entered in the chat, etc.
• Purpose of use: responding to inquiries and chat, recording for quality assurance, and measuring/analyzing access status
• HubSpot Privacy Policy: https://legal.hubspot.com/privacy-policy

12. Security Measures

We implement security measures to prevent leakage, loss, damage, unauthorized access, alteration, and misuse of personal data and customer confidential information, including:

• Information security and personal data protection policies and rules
• Information asset and personal data inventories, SaaS/cloud/vendor inventories, and risk assessments
• Least-privilege access control, access granting, removal, and periodic review
• MFA, authentication management, password, API key, and secrets management
• Encryption in transit and at rest, logging, audit, and vulnerability management
• Vendor management, contracts, NDAs, incident reporting, and subcontractor management
• Education for officers, employees, and relevant contractors
• Incident response, improvement management, and recurrence prevention
• Remote work, BYOD, and personal mobile device management
• Controls for AI/API use, including prohibited input information, training-use restrictions, customer consent, and allocation of responsibilities

13. Retention and Deletion

We retain personal data only for the period necessary to achieve the relevant purposes, comply with legal or contractual obligations, or satisfy legitimate business needs.

When personal data is no longer necessary, we delete, anonymize, or cease using it through appropriate methods. However, we may retain information where necessary for backups, audits, legal retention, dispute resolution, or contractual obligations.

Resumes, CVs, and similar temporary personal data are generally deleted promptly after the relevant recruitment, contractor engagement, or proposal team confirmation purpose has been achieved. Where collected through our systems, automated deletion is the default approach, and management is based on deletion specifications, exception handling, and necessary records rather than excessive file-by-file inventory.

14. Requests for Disclosure, etc.

With respect to the retained personal data we hold, the individual may, in accordance with applicable law, request notification of the purpose of use, disclosure, correction, addition, deletion, suspension of use, erasure, suspension of provision to third parties, disclosure of third-party provision records, and the like.

To make a request, please contact the desk below. After verifying identity, we respond within a reasonable scope in accordance with applicable law. A fee of 1,000 yen per request applies to requests for disclosure or for notification of the purpose of use (to be paid by the method we designate; transfer fees are borne by the requester). Requests for correction, addition, deletion, suspension of use, or suspension of provision to third parties are free of charge.

15. Inquiries and Complaints

For questions, complaints, consultations, or requests for disclosure regarding the handling of personal data, please contact:

IMPACTLAKE Pte. Ltd. / IMPACTLAKE Co. Ltd. Privacy Inquiry Desk
Email: privacy@impactlake.com

For Platform-specific legal notices, notice-and-takedown requests, API matters, DPA matters, or notices under Platform terms, the contact specified in the relevant Platform terms may also apply.

16. Accredited Personal Information Protection Organization

If we become a covered business operator of an accredited personal information protection organization, we will publish the organization’s name and complaint resolution contact details in this section.

17. Changes

We may update this Privacy Policy due to changes in laws, services, business operations, security requirements, or other reasons. In the case of material changes, we will notify users by publication on our website or by other appropriate means.

18. Language

If there is any discrepancy between the Japanese and English versions of this Privacy Policy, the English version will prevail, unless otherwise specified in an individual agreement or Service-Specific Terms. However, where Service-Specific Terms for impactlake Platform or other services specify that the English version is the authoritative version, the language and priority provisions of those Service-Specific Terms will apply to the use of the relevant service, to the extent permitted by applicable law.

Matters to Be Publicly Announced Concerning Retained Personal Data

In accordance with the Act on the Protection of Personal Information, we publish the following matters concerning the retained personal data we hold.

(1) Business Operator Name, Address, and Representative
IMPACTLAKE Co. Ltd. / GM Bldg. 5F, 6-11-16 Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan / Representative Director: Reona Sekino

(2) Personal Information Protection Manager
Personal Information Protection Manager (held by the Representative Director) / Contact: Privacy Desk below

(3) Purposes of Use of Retained Personal Data

• Contact persons of customers and business partners: conclusion and performance of contracts, provision of services, implementation support and support, billing and payment, and business communications
• Service user information (account information and usage records): provision of services, identity verification, quality improvement, support, and important notices
• Inquiry and document-request information: responding to inquiries, sending materials, and providing related information
• Job applicant information: recruitment screening and related communications
• Employee information: employment management, payroll and social insurance procedures, and business communications

(4) Security Control Measures for Retained Personal Data
As described in Section 12 of this Policy. In particular, our production servers are located in Japan, and for external services used in our operations (located in Singapore, the United States, etc.), we ascertain the location of servers and the relevant national systems and use them after confirming appropriate security control measures (understanding of the external environment).

(5) Procedures for Requests for Disclosure, etc.

• Where to apply: the Privacy Desk below
• Method: a prescribed “Request Form for Disclosure, etc.” is available (requests not using the form are also accepted)
• Identity verification: identity is verified, in principle, by presentation of documents. Where a copy is submitted, it is kept to the minimum necessary and promptly discarded after verification. For requests by a representative, a power of attorney and the representative’s identity documents are also verified.
• Fee: 1,000 yen per request for disclosure or for notification of the purpose of use (paid by the method we designate; transfer fees borne by the requester). Requests for correction, addition, deletion, suspension of use, or suspension of provision to third parties are free of charge.
• Response: we respond without delay, in writing or by an electronic method designated by the individual.

(6) Contact for Complaints and Consultations
IMPACTLAKE Co. Ltd., Privacy Desk (Email: privacy@impactlake.com)

(7) Accredited Personal Information Protection Organization
We are not a covered business operator of an accredited personal information protection organization.