Privacy Policy
Established: May 24, 2026 / Last revised: July 2, 2026 / Provided by: KANOPY Inc.
ROUNDIE (the "Service") deeply respects our users' privacy. This Policy explains what information we collect and how we use and protect it.
01Basic Policy
KANOPY Inc. (the "Company") believes that handling users' personal information appropriately in providing the golf community service "ROUNDIE" (the "Service") is part of our social responsibility.
The Company complies with the Act on the Protection of Personal Information of Japan (the "APPI") and other applicable laws, regulations, and guidelines, and handles personal information in accordance with this Privacy Policy (this "Policy").
02Information We Collect
The Company collects the following information in order to provide the Service.
2.1 Information provided by users
| Category | Items |
|---|---|
| Required | Email address, ROUNDIE ID (username/handle), password (for email sign-up; stored in encrypted form). If you sign up via Apple or Google account linking, the name, email address, and identifier received from that account |
| Optional | Prefecture (area), year you started playing golf, bio, avatar image |
| Posted content | Round scores, photos, videos, comments, reaction (heart) history, competition participation history, and names/users entered as playing partners (to be entered with the consent of the partner concerned) |
| Payment information | Subscription status via the App Store / Google Play (the Company does not collect or retain payment card information) |
2.2 Information collected automatically
- IP address, device type, OS version, and app version
- Access logs, dates and times of use, and feature usage
- Crash reports and error logs (to improve app quality)
- Identifiers obtained through cookies and similar technologies (see Article 6 for details)
2.3 Information we do not collect
The Company does not collect the following information.
- Continuous location data (we do not continuously collect GPS data in the background)
- Unauthorized access to your contacts, address book, calendar, or photo library (accessed only when necessary for posting and only with your explicit permission)
- Microphone access (the Service does not provide any audio recording features)
03Purposes of Use
The Company uses the personal information it collects for the following purposes.
- Providing, operating, and maintaining the Service
- User authentication, account management, and identity verification
- Providing subscriptions and managing billing
- User support and responding to inquiries
- Analysis for improving the Service, developing new features, and enhancing quality
- Preventing fraudulent use and investigating and responding to violations of the Terms of Service
- Notifying users of Service announcements, maintenance information, and important changes
- Informing users, with their consent, of new features, campaigns, and the like
- Creating, using, and publishing statistically processed information that cannot identify individuals
- Other purposes incidental to the above
If the Company uses personal information beyond the purposes above, it will obtain the user's prior consent.
04Provision to Third Parties
The Company will not provide personal information to third parties without the user's consent, except in any of the following cases.
- When required by law (formal requests from courts, police, or other public authorities)
- When necessary to protect a person's life, body, or property and it is difficult to obtain the user's consent
- When particularly necessary to improve public health or promote the sound development of children
- When it is necessary to cooperate with a national government agency or the like in executing affairs prescribed by law
- When personal information is transferred in connection with a business succession (merger, corporate split, business transfer, etc.) (in which case users will be notified in advance)
05Outsourcing
In providing the Service, the Company may outsource part of its operations to trusted third parties (service providers). Service providers are contractually required to handle personal information appropriately and are supervised by the Company.
The principal service providers are as follows.
| Provider | Role | Location |
|---|---|---|
| Supabase Inc. | Database, authentication infrastructure, and storage | Tokyo (ap-northeast-1 region) |
| Cloudflare, Inc. | Website delivery and security | United States |
| Apple Inc. | iOS app distribution and App Store payments | United States |
| Google LLC | Android app distribution and Google Play payments | United States |
| RevenueCat, Inc. | In-app purchase and subscription state management (processing of purchase status and entitlements; the user UUID is sent as app_user_id) | United States |
| Functional Software, Inc. (Sentry) | Crash reporting and error analysis | United States |
| Expo (650 Industries, Inc.) | App delivery (OTA updates) and push notification delivery | United States |
| Google LLC (Google Analytics) | Statistical analysis of site usage (GA4 measurement ID: G-T8YSVSPZ7E) | United States |
| Microsoft Corporation (Clarity) | Session analysis for UX improvement (Clarity project ID: w8acp9qnxk) | United States |
Service providers handle personal information in accordance with their contracts with the Company and with their own privacy policies.
06Cookies and Tracking Technologies
The Service uses cookies and similar technologies (local storage, device identifiers, etc.) to analyze usage, improve the user experience, and maintain authentication state, among other purposes.
6.1 Purposes of use
- Keeping you logged in
- Saving user preferences (language, display mode, etc.)
- Statistical analysis and improvement of Service usage
- Crash reporting and error analysis
6.2 Use of third-party tools
The Service uses industry-standard analytics tools such as the following to analyze usage and improve quality. These tools do not collect information that directly identifies individuals and provide the Company only with statistically processed information.
- Google Analytics 4 (measurement ID:
G-T8YSVSPZ7E) — statistical analysis of page views, visitor counts, referrers, etc. - Microsoft Clarity (project ID:
w8acp9qnxk) — UX improvement through session replay and heatmaps - Sentry — crash reporting and error analysis
- The standard analytics features of each OS (iOS / Android)
Of these, Google Analytics, Microsoft Clarity, and cookies and similar technologies are used only on the Company's websites (such as roundie.app) and are not used inside the iOS / Android apps. Data collection within the apps is limited to crash analysis (Sentry) and the Company's own usage analysis; we never collect the advertising identifier (IDFA) or perform cross-app tracking.
For details on how these third-party tools are handled, please also see the Cookie Policy.
6.3 Opting out
You can restrict cookies and tracking features through your browser settings or your OS privacy settings. Note, however, that doing so may make some features of the Service unavailable.
07Cross-Border Transfers of Personal Information
Among the service providers listed in Article 5, Supabase — the Service's primary user database, authentication infrastructure, and storage — operates in the Tokyo (ap-northeast-1) region, and core data such as sign-ups, round records, and competitions is processed and stored on servers located in Japan. Meanwhile, service providers such as Cloudflare (delivery and security), Apple (App Store), Google (Play Store / GA4), RevenueCat (billing and subscription state management), Expo (app delivery and push notifications), and Microsoft (Clarity) are based primarily in the United States, and data relating to delivery, payments, and analytics may be processed and stored on servers overseas, including in the United States.
In accordance with the APPI and other applicable laws, the Company verifies the personal information protection regimes of destination countries and the security measures taken by recipients, and maintains an appropriate level of protection. Detailed information on destination countries is available upon request.
08Retention Periods
The Company retains personal information only for the period necessary to achieve the purposes of use. Specific retention periods are as follows.
| Category of information | Retention period |
|---|---|
| Account information | Until the user deletes their account |
| Posted content | Until the user deletes the post or the relevant data |
| Access logs | In principle, 12 months from collection |
| Crash reports | In principle, 6 months from collection |
| Payment-related records | The period required by law (e.g., 7 years under tax law) |
Accounts that have not used the Service for an extended period (24 months or more since the last login) may be deleted after prior notice to the user.
09Users' Rights
Users have the following rights with respect to their own personal information held by the Company.
9.1 Requests for disclosure, correction, suspension of use, and deletion
- Disclosure request: the right to request disclosure of the user's own personal information held by the Company
- Correction, addition, and deletion request: the right to request correction and the like where the content of personal information is inaccurate
- Suspension of use and erasure request: the right to request suspension of use or erasure of personal information
- Request to stop third-party provision: the right to request that provision to third parties be stopped
9.2 Account deletion
Users can delete their own account at any time from the account settings screen in the Service. Upon deletion, all posted content, reactions, competition participation history, and other data tied to the account will be deleted. Please note that deleted accounts cannot be restored.
9.3 Data export
A feature for exporting the data you have registered and posted in JSON or CSV format is currently under development. We will announce its availability in this Policy when it launches. Until then, if you send a request to the contact listed at the end of this Policy, we will verify your identity and disclose the data we hold within a reasonable period.
9.4 How to make a request
To exercise any of the rights above, or for inquiries about the handling of personal information, please contact us at the address listed at the end of this Policy. We will respond within a reasonable period after verifying your identity.
10Security Measures
The Company takes appropriate measures, including the following, to prevent the leakage, loss, or damage of personal information and to otherwise manage personal information securely.
- Organizational measures: appointment of a personal information protection manager, establishment of internal rules, and regular training
- Technical measures: encrypted storage of passwords, TLS encryption of communications, minimization of access privileges, and detection of unauthorized access
- Physical measures: physical security of server facilities (via the facilities of our service providers)
- Personnel measures: confidentiality obligations for employees and information management including after separation from employment
11Use by Children
The Service may not be used by anyone under the age of 13. The Company does not knowingly collect personal information from children under 13.
If you are between 13 and 17 years of age, you must obtain the consent of a parent or legal guardian before using the Service. We recommend that parents and guardians check their child's use of the Service from time to time.
If you reside in the EU, under Article 8 of the GDPR the consent of a parent or legal guardian is required for children under 16 (member states may lower this age to 13). The Company confirms consent from users in the applicable age range when they use the Service and responds without delay to deletion requests from parents or guardians.
If we discover that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child's personal information has been registered, or if you wish, as a parent or guardian, to request its deletion, please contact our inquiry desk.
12Additional Information for Overseas Users
The Service also supports the EN and KO languages and may be used by users residing overseas, including in the EU, the United States, and South Korea. The following describes the Company's compliance with the principal data protection laws of each region.
12.1 EU users (GDPR)
- Legal bases: GDPR Art. 6(1)(a) consent / Art. 6(1)(b) performance of a contract / Art. 6(1)(f) legitimate interests
- Data subject rights: right of access (Art. 15), right to rectification (Art. 16), right to erasure / right to be forgotten (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), and right to object (Art. 21)
- Deadline for responding to erasure requests: within 30 days of receipt (GDPR Art. 12(3))
- Data Protection Officer (DPO) contact: roundie@kanopy-inc.com
- Transfers outside the EU: the Supabase Tokyo (ap-northeast-1) region is the primary processing location (for transfers outside the EU, adequacy decisions and Standard Contractual Clauses (SCC) are applied as necessary)
- Complaints to supervisory authorities: you may lodge a complaint with the data protection supervisory authority of your country of residence (e.g., the Irish DPC, the German BfDI)
12.2 California (US) users (CCPA / CPRA)
- Data subject rights: the right to request disclosure of information collected and used, the right to request deletion, the right to request correction, and the right to opt out of the sale or sharing of data
- Sale and sharing of data: the Company does not sell or share personal information with third parties for monetary or other valuable consideration
- Contact: roundie@kanopy-inc.com
- Supervisory authority: California Privacy Protection Agency (CPPA)
12.3 South Korean users (개인정보 보호법 / Personal Information Protection Act)
- Personal information processing policy: governed by the provisions of this Policy
- 개인정보 보호책임자 (Personal Information Protection Officer): Kazushige Shiba, Representative Director, KANOPY Inc.
- Contact: roundie@kanopy-inc.com
- Supervisory authority: 개인정보보호위원회 (Personal Information Protection Commission, PIPC) — https://www.pipc.go.kr/
13Where to File Complaints
Complaints, opinions, and inquiries regarding this Policy or the handling of personal information are accepted at the following contact point (the contact point under Article 40 of the APPI).
| Contact point | KANOPY Inc., Personal Information Protection Desk |
|---|---|
| Email address | roundie@kanopy-inc.com |
| Hours | Weekdays 10:00–18:00 JST (excluding weekends and public holidays) |
| Response deadline | Within 14 days of receipt (if a reasonable investigation is required, we will notify you to that effect within 14 days and respond as promptly as possible) |
If the Company is unable to resolve your complaint, or if you are dissatisfied with our response, you may consult the Personal Information Protection Commission of Japan.
| Authority | Personal Information Protection Commission (Japan) |
|---|---|
| Website | https://www.ppc.go.jp/ |
| APPI consultation line | +81-3-6457-9849 (hours: weekdays 9:30–17:30 JST) |
14Revisions to This Policy and Contact
14.1 Revisions to this Policy
The Company may revise this Policy in response to changes in laws and regulations, changes to the Service, or as otherwise necessary. In the case of material revisions, we will notify users before the effective date via the Service's app, the website, email, or other means.
14.2 Contact and personal information protection manager
| Business name | KANOPY Inc. (株式会社KANOPY) |
|---|---|
| Location | Tokyo, Japan |
| Representative | Kazushige Shiba |
| Personal information protection manager | Kazushige Shiba, Representative Director |
| Contact | roundie@kanopy-inc.com |
Revision History
- Established (first version)
- Added GDPR Article 8 compliance to Article 11 (Use by Children). Added new Article 12 (Additional Information for Overseas Users: GDPR / CCPA / PIPA) and Article 13 (Where to File Complaints: response under Article 40 of the APPI).
- Added RevenueCat and Expo to the list of service providers. Aligned the information collected (optional items) with the implementation (limited to prefecture, year you started golf, bio, and avatar). Explicitly listed playing-partner information under posted content. Clarified that the data export feature is "under development."
- Added Sentry to the list of service providers. Clarified information received via social login (Apple / Google). Unified reaction naming and visibility option names with the app.