Privacy Policy
Last Updated: April 24, 2026
Effective Date: April 24, 2026
Shinobasa (“we,” “us,” or “our”) respects your privacy as a fundamental right. This Privacy Policy (“Policy”) describes how we collect, use, disclose, and safeguard personal information obtained through our website (shinobasa.com) and applications (including, without limitation, Monny San) (collectively, the “Services”).
We comply with all applicable laws, including the Japanese Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Children’s Online Privacy Protection Act (COPPA), and other applicable data protection legislation worldwide.
1. Data Controller
| Item | Detail |
|---|---|
| Business Name | Shinobasa |
| Representative | Shinba Saruta |
| Legal Form | Sole proprietorship (individual business owner) |
| Registered Address | 2F-C, Shibuya Dogenzaka Tokyu Building, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan |
| Contact Email | shinobasajp@gmail.com |
| Phone | Disclosed promptly upon reasonable request |
For any inquiries, data subject rights requests, or other matters related to this Policy (including GDPR Article 13 disclosures), please contact us at the email address above. We will respond within 30 days (GDPR) or without undue delay (other jurisdictions).
2. Categories of Personal Information We Collect
2.1 Information You Provide
- Email address (at account creation)
- Password (stored hashed; never in plain text)
- Display name and profile picture (optional)
- Information you provide when contacting us
- Subscription purchase information (processed by Apple/Google)
2.2 Information Collected Automatically
- Device information (OS version, device model, language, timezone)
- Usage logs (access times, pages viewed, feature interactions)
- IP address (used solely for security auditing and fraud prevention)
- Crash reports (to improve app stability)
- Advertising identifiers (IDFA / AAID) — only when you have granted explicit permission
2.3 User-Generated Content Within the App
In the Monny San app, the following budget and financial data are stored on your device and in our cloud (via Supabase):
- Budget amounts, expenditures, income
- Categories, notes
- Subscription records
- Events and recurring payments
This data is linked to your account and is accessible only by you. Our personnel do not view individual financial records except in response to a legitimate support request.
2.4 Information We Do NOT Collect
- Legal name, postal address, phone number (not required in the Service)
- Bank account numbers or credit card details (handled by Apple/Google; never transmitted to us)
- Precise location (GPS)
- Contacts, photos, or microphone access
3. Purposes and Legal Bases for Processing (GDPR Article 6)
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation, authentication | Performance of a contract (Art. 6(1)(b)) |
| Subscription provision, payment processing | Performance of a contract (Art. 6(1)(b)) |
| Customer support | Performance of a contract (Art. 6(1)(b)) |
| Service stability and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) |
| Legal compliance and litigation | Legal obligation (Art. 6(1)(c)) |
| Personalized advertising | Consent (Art. 6(1)(a)) — opt-in only |
You may withdraw consent at any time via the contact provided below or in-app settings.
4. Sharing with Third Parties
We use the following trusted processors. Each has executed a Data Processing Agreement (DPA) with us or provides industry-standard protection.
| Processor | Role | Location | Transfer Safeguard |
|---|---|---|---|
| Supabase Inc. | Authentication, database, file storage | United States | SCCs |
| RevenueCat, Inc. | Subscription management | United States | SCCs |
| Apple Inc. | iOS app distribution, in-app purchases | United States | SCCs |
| Google LLC | Android app distribution, in-app purchases, AdMob | United States | SCCs |
| Cloudflare, Inc. | CDN, hosting, DDoS protection | United States | SCCs |
| Google Analytics 4 | Anonymized usage statistics | United States | SCCs |
We do not sell, rent, or disclose personal information to any other third party, except:
- With your explicit consent
- To comply with legal obligations (court orders, legitimate law enforcement requests)
- To protect our rights or the safety of users or the public
- In connection with a business transfer (merger, acquisition) where the successor provides equivalent protection
5. International Data Transfers
We are based in Japan, but some processors are located in the United States. When data of EU/UK residents is transferred outside their jurisdiction, we apply the following safeguards:
- EU Standard Contractual Clauses (SCCs)
- Japan has received an Adequacy Decision from the European Commission (2019), so EU → Japan transfers require no additional safeguards
- U.S. processors are bound by SCCs or equivalent contractual terms
To request more information about transfers, contact us at the email above.
6. Data Retention
| Category | Retention Period |
|---|---|
| Account data | Until account deletion + up to 30 days in backups |
| User-generated financial data (Monny San) | Until account deletion + up to 30 days |
| Support correspondence | 3 years after resolution |
| Billing and transaction records | As required by law (Japan: 7 years) |
| Access and security logs | Up to 90 days |
| After deletion request | Promptly erased, except where legal retention obligations apply |
7. Your Rights
Regardless of your region, you have the following rights. To exercise any right, email shinobasajp@gmail.com with the subject line “Data Rights Request.”
7.1 Universal Rights
- Right of Access — obtain a copy of your personal information
- Right to Rectification — correct inaccurate or incomplete data
- Right to Erasure / “Right to be Forgotten” — request deletion
- Right to Restrict Processing
- Right to Data Portability — receive a structured, machine-readable copy
- Right to Object — to processing based on legitimate interests
- Right to Withdraw Consent — where processing is based on consent
- Rights related to Automated Decision-Making — including profiling
7.2 EU/UK Residents (GDPR/UK GDPR)
You additionally have the right to lodge a complaint with your national supervisory authority.
7.3 California Residents (CCPA/CPRA)
- Right to know what categories of personal information are collected, and for what purpose
- Right to opt out of “sale” or “sharing” of personal information (we do not sell)
- Right to limit use of Sensitive Personal Information
- Right to non-discrimination
7.4 Brazilian Residents (LGPD)
You additionally have the right to confirmation of processing, anonymization, blocking, and deletion. Supervisory authority: ANPD.
7.5 Mexican Residents (LFPDPPP)
You have ARCO rights (Access, Rectification, Cancellation, Opposition). Complaints may be filed with INAI.
7.6 Argentine Residents (Ley 25.326)
You have rights to access, rectify, update, and delete personal data. Supervisory authority: AAIP.
7.7 Chilean Residents (Ley 19.628)
You have rights to information, rectification, and cancellation. Supervisory authority: Consejo para la Transparencia.
7.8 Colombian Residents (Ley 1581 of 2012)
You have rights to information, rectification, update, deletion, and withdrawal. Supervisory authority: SIC (Superintendencia de Industria y Comercio).
7.9 Canadian Residents (PIPEDA)
You have rights to access, correct, and withdraw consent. Supervisory authority: OPC (Office of the Privacy Commissioner of Canada).
7.10 Japanese Residents (APPI)
You additionally have the right to disclosure of third-party sharing records and the right to request cessation or deletion of use. Supervisory authority: PPC.
Process:
- Email shinobasajp@gmail.com
- We may request verification through your registered email or in-app authentication
- Response within 30 days (GDPR) or without undue delay (Japan)
- Extension possible up to 60 days for complex requests (with notice)
- Requests are free of charge, except for manifestly excessive or repetitive requests
8. Security Measures
We maintain the following technical and organizational measures to protect personal information:
- Encryption in transit (TLS 1.3 or higher)
- Password hashing (bcrypt / SHA-256 with salt)
- Multi-factor authentication for database access
- Least-privilege access control
- Regular vulnerability scanning and patching
- Separation of production and development environments
- 72-hour breach notification to supervisory authorities (GDPR Art. 33)
In the event of a data breach, we will promptly notify affected users and relevant authorities as required by law.
8.1 Allocation of Responsibility with Data Processors
As the data controller, we carefully select the data processors listed in Section 4 (Supabase, Cloudflare, Apple, Google, etc.) based on industry-standard certifications (SOC2, ISO 27001, etc.) and appropriate data processing agreements.
In accordance with GDPR Article 82, the APPI, and other applicable laws, the controller and each processor are responsible for their own areas of obligation. Specifically:
- Matters within our direct control (in-app design, access control configuration, notification operations) — we are responsible
- Matters within the processor’s infrastructure or service (their own vulnerabilities or faults) — the processor bears primary responsibility, though we remain the first point of contact for affected users
- Unforeseeable third-party unauthorized access or cyberattacks — we exercise all reasonable care, but our liability is reasonably limited when attacks exceed the current state of the art in security technology
In all cases, we commit to prompt notification of affected users, containment of harm, authority reporting, and root-cause investigation.
8.2 Incident Response
- Notification to supervisory authorities within 72 hours (GDPR Art. 33)
- Notification to affected data subjects without undue delay for high-risk incidents (GDPR Art. 34)
- Reporting to Japan’s Personal Information Protection Commission and affected users (APPI)
- Rapid scoping of the affected data and cessation requests to prevent further misuse
9. Cookies and Similar Technologies
Our website (shinobasa.com) uses the following cookies:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, language preference | Session / up to 1 year |
| Analytics | Anonymized usage statistics (GA4) | Up to 2 years (consent-based) |
| Advertising | Not used | — |
For EU/UK/California residents, non-essential cookies are set only with prior opt-in consent (or clearly available opt-out). Preferences can be updated anytime via the site banner.
10. Children’s Privacy (COPPA and similar)
The Services are not intended for children under 13 (or the age defined by applicable law, generally 16 in EU member states). We do not knowingly collect personal information from such children.
If you are a parent and believe your child has provided information to us, please contact shinobasajp@gmail.com. We will delete it promptly.
11. iOS App Tracking Transparency (ATT)
On iOS 14.5 and later, the Monny San app will request your explicit permission before tracking you across other apps and websites. Basic Service functions remain fully available if you decline.
12. Advertising
The free tier of Monny San may display ads via Google AdMob.
- Ads may be personalized based on general interests; for EU/UK/California residents, personalized advertising is served only with prior opt-in consent
- The Premium tier displays no ads
- You can reset or opt out of advertising identifiers in your device OS settings
For AdMob privacy details, see Google’s Privacy Policy.
13. Automated Decision-Making and Profiling
We do not make automated decisions that produce legal or similarly significant effects on users. Any analytics for service improvement is performed on anonymized, aggregated data and does not profile individuals.
14. Where to File Complaints
If you are unhappy with how we handle your data, please first contact shinobasajp@gmail.com. If unresolved, you may file a complaint with:
- Japan: Personal Information Protection Commission (PPC) — https://www.ppc.go.jp/
- EU: Your national Data Protection Authority — https://edpb.europa.eu/about-edpb/board/members_en
- UK: Information Commissioner’s Office (ICO) — https://ico.org.uk/
- California: California Privacy Protection Agency
- Brazil: National Data Protection Authority (ANPD)
15. Changes to This Policy
We may revise this Policy due to legal changes or service updates. For material changes we will provide advance notice via:
- Prominent notice on the website (at least 30 days in advance)
- Email to registered users (for material changes)
- In-app notice (Monny San users)
Changes become effective on the specified effective date. Continued use of the Services after that date constitutes acceptance of the revised Policy.
16. Contact
For questions, rights requests, or other inquiries:
Shinobasa
Representative: Shinba Saruta
Email: shinobasajp@gmail.com
Address: 2F-C, Shibuya Dogenzaka Tokyu Building, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
In the event of any discrepancy between the Japanese version and this translation, the Japanese version shall prevail.