Privacy Policy — Global
← Home- Region:
- Global
- Version:
- 1.0.0
- Updated:
- 2026-06-12
- Effective:
- 2026-06-12
Privacy Policy
Choco Next Year For Sure (Representative: Haruta Watanabe) (hereinafter referred to as “we,” “us,” or “our”) establishes this Privacy Policy (hereinafter referred to as this “Policy”) regarding the handling of personal data and personal information of users who use the application “PrivCook” and related websites, content, features, and other services provided by us (hereinafter collectively referred to as the “Service”) from the European Union, Iceland, Liechtenstein, Norway, or the United States.
For users located in the European Union, Iceland, Liechtenstein, or Norway (hereinafter collectively referred to as the “EU/EEA”), this Policy applies to the processing of personal data as defined in Article 4(1) of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter referred to as the “GDPR”).
For users located in the United States, this Policy also serves as a U.S. State Privacy Notice, including a California Notice at Collection, to the extent applicable under U.S. federal or state privacy laws.
Data Controller / Business Operator
For the purposes of the GDPR, we act as the controller of personal data processed under this Policy.
For the purposes of applicable U.S. state privacy laws, we determine the purposes and means of processing personal information to the extent such laws apply to us.
Operator: Choco Next Year For Sure Representative: Haruta Watanabe
Address: Aoyama Marutake Building 6F 3-1-36 Minami-Aoyama, Minato-ku, Tokyo 107-0062 Japan
Contact: [email protected]
Users to Whom This Policy Applies
This Policy applies to users who use the Service from the EU/EEA or the United States.
If a user uses the Service from outside the EU/EEA or the United States, our general Privacy Policy may apply in addition to or instead of this Policy, depending on the applicable laws and circumstances.
Personal Data and Personal Information We Collect
We may collect the following personal data or personal information from users in connection with the Service.
1. Identification Information
- Identifiers generated using cookies or similar technologies
- App instance IDs
- Firebase Installation ID
- Crashlytics installation UUID
- RevenueCat app user ID
- Device identifiers
- Other identifiers generated by the OS, app, SDKs, or external services
2. Device and Technical Information
- Device type
- Device model
- OS type and version
- App version
- Browser information
- Network information
- IP address
- Region or approximate location information
- Language and region settings
- SDK type and version
- Information regarding the user’s usage environment
3. Usage Information
- App startup time
- Usage date and time
- Screen transitions
- In-app events
- Operation history
- Feature usage status
- Input history
- Viewed pages
- Referrers
- Other information related to behavior on the Service
4. Crash, Error, and Defect Information
- Crash occurrence date and time
- Stack traces
- App status at the time of crash or error
- Device status
- OS information
- Device model
- App version
- Operation logs immediately before a crash
- Error information
- Non-fatal error information
- Other technical information necessary to investigate crashes, errors, and defects
5. Purchase and Subscription Information
- Purchase history
- Subscription status
- Product ID
- Transaction ID
- Purchase date and time
- Expiration date
- Receipt information
- StoreKit 2 transaction information
- Google Play purchase tokens
- Eligibility to use paid features
- Store used for purchase
- Payment status
- Information necessary to confirm, restore, manage, or cancel purchases and subscriptions
We do not directly collect users’ credit card numbers or other detailed payment method information for in-app purchases processed through Apple App Store, Google Play, or other stores.
6. Inquiry, Survey, Feedback, and Form Information
- Name
- Email address
- Inquiry content
- Survey responses
- Feedback content
- Defect report content
- Content entered into forms
- Submission date and time
- Attached files if a file upload function is used
- Google Account-related information if the user is logged in to a Google Account
- Other information submitted by the user through Google Forms or other inquiry methods
7. Website Access and Security Information
- IP address
- Request date and time
- Destination URL
- Browser information
- Device information
- OS information
- Network information
- Cookies
- Access logs
- Information necessary to detect unauthorized access, attacks, or other security incidents
8. User-Provided Content
To the extent transmitted to us through the Service, inquiry forms, feedback forms, or support communications, we may process information voluntarily provided by users, including recipe-related information, cooking records, notes, tags, settings information, and other user-entered content.
Special Categories of Personal Data and Sensitive Personal Information
The Service is not intended to collect special categories of personal data under Article 9 of the GDPR, such as health data, biometric data, genetic data, religious beliefs, political opinions, or similar sensitive information.
The Service is also not intended to collect sensitive personal information under applicable U.S. state privacy laws, such as precise geolocation, government identification numbers, financial account access credentials, biometric information, racial or ethnic origin, religious or philosophical beliefs, union membership, health diagnosis, sexual orientation, citizenship or immigration status, or similar sensitive information.
Users should not submit such information unless it is necessary for an inquiry or support request.
If a user voluntarily provides information that may include special categories of personal data or sensitive personal information, such as allergy, health, dietary restriction, or similar information, we will process such information only to the extent necessary for the purpose for which it was provided, and only where permitted under applicable law, including where the user has given explicit consent or where another applicable legal basis exists.
We do not use or disclose sensitive personal information for the purpose of inferring characteristics about users, except as permitted by applicable law.
Purposes and Legal Bases of Processing for EU/EEA Users
We process users’ personal data for the following purposes and on the following legal bases.
| Purpose of Processing | Categories of Personal Data | Legal Basis under the GDPR |
|---|---|---|
| To provide the Service | Identification information, device and technical information, usage information, user-provided content | Performance of a contract, Article 6(1)(b) |
| To provide paid features, in-app purchases, subscriptions, one-time purchase products, and purchase restoration | Purchase and subscription information, identification information, device and technical information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); legal obligation, Article 6(1)(c), where applicable |
| To confirm purchase status and prevent unauthorized use | Purchase and subscription information, identification information, device and technical information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To respond to inquiries, feedback, surveys, and defect reports | Inquiry, survey, feedback, and form information; user-provided content | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); consent, Article 6(1)(a), where applicable |
| To analyze usage of the Service and improve features, quality, display, and usability | Usage information, device and technical information, identification information | Consent, Article 6(1)(a), where required; legitimate interests, Article 6(1)(f), where applicable |
| To detect, investigate, and fix crashes, defects, errors, and other technical issues | Crash, error, and defect information; device and technical information; identification information | Consent, Article 6(1)(a), where required; legitimate interests, Article 6(1)(f), where applicable |
| To provide Firebase-related functions and maintain app quality, stability, and safety | Identification information, device and technical information, session information, quality indicators | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To deliver the website, improve display speed, and ensure security | Website access and security information | Legitimate interests, Article 6(1)(f) |
| To prevent, investigate, and respond to unauthorized use, fraud, security incidents, and violations of our terms | Identification information, device and technical information, usage information, website access and security information, purchase information | Legitimate interests, Article 6(1)(f); legal obligation, Article 6(1)(c), where applicable |
| To comply with applicable laws, regulations, legal requests, or obligations | Relevant personal data necessary for compliance | Legal obligation, Article 6(1)(c) |
| To announce or notify users of changes to, discontinuance of, termination of, or cancellation of the Service | Identification information, contact information, purchase and subscription information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f) |
| To provide, maintain, protect, and improve the Service | Identification information, device and technical information, usage information, crash information, purchase information, inquiry information | Performance of a contract, Article 6(1)(b); legitimate interests, Article 6(1)(f); consent, Article 6(1)(a), where applicable |
Purposes of Processing for U.S. Users
We collect, use, retain, disclose, and otherwise process personal information of users in the United States for the following purposes.
- To provide the Service
- To operate, maintain, and improve the Service
- To provide paid features, in-app purchases, subscriptions, one-time purchase products, and purchase restoration
- To confirm purchase status and prevent unauthorized use
- To respond to inquiries, surveys, feedback, defect reports, and support requests
- To analyze usage of the Service and improve features, quality, display, and usability
- To detect, investigate, and fix crashes, defects, errors, and other technical issues
- To provide Firebase-related functions and maintain app quality, stability, and safety
- To deliver the website, improve display speed, and ensure security
- To prevent, investigate, and respond to fraud, unauthorized use, abuse, security incidents, and violations of our terms
- To comply with applicable laws, regulations, legal requests, or obligations
- To protect our rights, users’ rights, and third-party rights
- To provide, maintain, protect, and improve the Service
California Notice at Collection
This section applies to California residents to the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), applies to us.
We may collect the following categories of personal information.
| Category of Personal Information | Examples | Purposes of Collection and Use | Categories of Third Parties to Whom We May Disclose |
|---|---|---|---|
| Identifiers | Name, email address, IP address, app instance ID, Firebase Installation ID, Crashlytics installation UUID, RevenueCat app user ID, device identifiers | To provide the Service, manage accounts or identifiers, respond to inquiries, provide paid features, restore purchases, prevent fraud, and improve the Service | Google, RevenueCat, Apple, Google Play-related providers, Cloudflare, payment and platform providers, professional advisors, public authorities where required |
| Customer records information | Contact information, purchase-related information, inquiry-related information | To process inquiries, manage purchases, provide support, and comply with legal obligations | Google, RevenueCat, Apple, Google Play-related providers, payment and platform providers, professional advisors, public authorities where required |
| Commercial information | Purchase history, subscription status, product ID, transaction ID, receipt information, purchase tokens, eligibility to use paid features | To provide in-app purchases, subscriptions, paid features, purchase restoration, fraud prevention, and support | RevenueCat, Apple, Google, payment and platform providers |
| Internet or other electronic network activity information | Usage history, screen transitions, in-app events, operation history, viewed pages, referrers, cookies, access logs | To analyze usage, improve the Service, detect errors, ensure security, and prevent unauthorized use | Google, Firebase-related services, Cloudflare |
| Geolocation information | Region or approximate location derived from IP address or device/network information | To provide, secure, analyze, and improve the Service | Google, Cloudflare, other service providers where necessary |
| Audio, electronic, visual, or similar information | Attached files, images, documents, or other materials submitted by the user through forms or support communications | To respond to inquiries, feedback, defect reports, and support requests | Google Forms / Google Workspace, professional advisors, public authorities where required |
| Inferences | Basic service usage patterns or feature usage status derived from usage information | To improve the Service, analyze functionality, and maintain service quality | Google and analytics-related service providers |
| Sensitive personal information | Information voluntarily submitted by the user that may include allergy, health, dietary restriction, or similar information | To respond to the user’s inquiry or support request, only to the extent necessary and permitted by law | Service providers or authorities only where necessary and permitted by law |
We retain each category of personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
Sources of Personal Information
We may collect personal information from the following sources.
- Users directly
- Users’ devices, browsers, apps, or operating systems
- Apple App Store, Google Play, and other stores or platform providers
- RevenueCat
- Firebase, Google Analytics, Firebase Crashlytics, Google Forms, Google Workspace, and other Google services
- Cloudflare
- Payment service providers, platform providers, and other external service providers
- Public authorities, regulators, courts, or other parties where required or permitted by law
Disclosure of Personal Information
We may disclose personal information to the following categories of recipients for the purposes described in this Policy.
| Recipient Category | Purpose |
|---|---|
| Google LLC and its affiliates | Google Analytics, Google Analytics for Firebase, Google Analytics 4, Firebase, Firebase Crashlytics, Google Forms, Google Workspace, and related services |
| RevenueCat, Inc. | In-app purchase and subscription management, purchase verification, purchase restoration, usage eligibility management, and fraud prevention |
| Apple Inc. and its affiliates | App distribution, in-app purchases, subscriptions, billing, refund handling, and related App Store services |
| Google LLC and its affiliates | App distribution, in-app purchases, subscriptions, billing, refund handling, and related Google Play services |
| Cloudflare, Inc. | Website delivery, CDN, DNS, security, DDoS protection, access control, and log management |
| Payment service providers, stores, and platform providers | Payment processing, billing, refund handling, purchase confirmation, and subscription management |
| Professional advisors | Legal, accounting, tax, audit, or other professional advice, where necessary |
| Public authorities, courts, regulators, or law enforcement agencies | Compliance with laws, regulations, legal procedures, or enforceable governmental requests |
We do not sell users’ personal information for monetary consideration.
We do not currently use external transmission tools for advertising delivery purposes.
We do not knowingly sell or share personal information for cross-context behavioral advertising or targeted advertising as those terms are defined under applicable U.S. state privacy laws.
If any processing is deemed to constitute a “sale,” “sharing,” or processing for “targeted advertising” under applicable U.S. state privacy laws, users may opt out by contacting us at the email address stated in this Policy or by using any opt-out mechanism made available within the Service or on our website.
U.S. State Privacy Rights
Depending on the state in which the user resides and subject to the conditions and limitations under applicable law, users in the United States may have the following rights.
- Right to know or confirm whether we process personal information
- Right to access personal information
- Right to obtain a copy of personal information in a portable format
- Right to correct inaccurate personal information
- Right to delete personal information
- Right to opt out of the sale of personal information
- Right to opt out of sharing personal information for cross-context behavioral advertising
- Right to opt out of targeted advertising
- Right to opt out of certain profiling or automated decision-making
- Right to limit the use or disclosure of sensitive personal information, where applicable
- Right to withdraw consent, where applicable
- Right not to be discriminated against for exercising privacy rights
- Right to appeal a denial of a privacy rights request, where applicable
To exercise these rights, users may contact us at the email address stated in this Policy.
We may request information necessary to verify the identity of the user before responding to a request.
Where applicable law permits an authorized agent to submit a request on behalf of a user, we may request proof of authorization and may also require the user to verify their identity directly with us.
California Privacy Rights
California residents may have the following rights under the CCPA, subject to applicable limitations.
- Right to know what personal information we collect, use, disclose, sell, or share
- Right to access personal information
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to limit the use and disclosure of sensitive personal information, where applicable
- Right not to receive discriminatory treatment for exercising CCPA rights
We do not sell users’ personal information for monetary consideration.
We do not knowingly share users’ personal information for cross-context behavioral advertising.
We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA.
California residents may exercise their rights by contacting us at the email address stated in this Policy.
Nevada Privacy Rights
Nevada residents may have the right to request that we not sell certain covered information as defined under Nevada law.
We do not currently sell covered information as defined under Nevada law.
Nevada residents may submit an opt-out request by contacting us at the email address stated in this Policy.
Appeals
Where applicable U.S. state privacy laws provide a right to appeal our decision regarding a privacy rights request, users may appeal by contacting us at the email address stated in this Policy and including “Privacy Appeal” in the subject line.
If we deny an appeal, users may have the right to contact the attorney general or other privacy authority in their state of residence.
Global Privacy Control and Universal Opt-Out Mechanisms
To the extent required by applicable law, we will recognize and process opt-out preference signals, including Global Privacy Control or other universal opt-out mechanisms, where such signals are technically supported and legally required.
Because we do not currently use external transmission tools for advertising delivery purposes and do not knowingly sell or share personal information for cross-context behavioral advertising, such signals may not change the user’s experience in the Service.
Children’s Privacy
The Service is not directed to children under the age of 13.
We do not knowingly collect personal information from children under 13 without verifiable parental consent.
If a minor uses the Service, the minor must obtain the consent of a parent or legal guardian.
If we become aware that we have collected personal information from a child without required parental or guardian consent, we will take appropriate measures in accordance with applicable laws and regulations.
We do not knowingly sell or share personal information of users under 16 years of age.
Consent and Withdrawal of Consent
Where we process personal data or personal information based on the user’s consent, the user may withdraw such consent at any time.
Users may withdraw consent or stop certain processing by using the settings provided within the app, by using browser settings, or by contacting us at the email address stated in this Policy.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Opt-Out
We provide a mechanism that allows users to stop the collection of information by Google Analytics for Firebase / Google Analytics 4 and Firebase Crashlytics through settings within the app.
If a user opts out, we will stop transmitting the relevant analytics information and crash information after such setting is applied.
However, information that has already been transmitted before the opt-out may be handled in accordance with the specifications and retention periods of each external service.
Information necessary for providing in-app purchases, subscriptions, paid features, purchase status confirmation, and purchase restoration may continue to be processed to the extent necessary to provide the paid features of the Service. If such processing is stopped, paid features, purchase status confirmation, purchase restoration, and other related functions may become unavailable.
With respect to the use of cookies on the website, users may disable cookies through their browser settings. However, if cookies are disabled, some functions of the Service may not operate properly.
Automated Decision-Making and Profiling
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning the user or similarly significantly affect the user.
We also do not currently conduct profiling in furtherance of decisions that produce legal or similarly significant effects concerning users.
International Transfers
We are located in Japan. Users’ personal data and personal information may be transferred to and processed in Japan.
Japan has received an adequacy decision from the European Commission, which allows personal data to be transferred from the EU to Japan on the basis that Japan ensures an adequate level of protection for personal data.
Users’ personal data or personal information may also be transferred to countries or regions outside the EU/EEA and Japan, including the United States, through our use of external service providers such as Google, RevenueCat, Apple, and Cloudflare.
Where personal data is transferred from the EU/EEA to a country or region that has not received an adequacy decision from the European Commission, we will rely on appropriate safeguards under the GDPR, such as standard contractual clauses, an adequacy mechanism, or other lawful transfer mechanisms, where required.
Users may contact us if they wish to receive information regarding the safeguards applied to international transfers.
Retention Period
We retain users’ personal data and personal information only for as long as necessary to fulfill the purposes for which it was collected and processed, unless a longer retention period is required or permitted by applicable laws and regulations.
Specific retention periods are determined by taking into account the following factors.
- The purposes for collecting and processing the personal data or personal information
- The nature and sensitivity of the personal data or personal information
- The need to retain the personal data or personal information for legal, accounting, tax, security, fraud prevention, dispute resolution, or business reasons
- The retention periods and settings of external services used in connection with the Service
- The need to provide, maintain, protect, and improve the Service
When personal data or personal information is no longer necessary, we will delete, anonymize, or otherwise appropriately handle it in accordance with applicable laws and regulations.
Security Measures
We implement reasonable technical and organizational measures to protect users’ personal data and personal information from unauthorized access, leakage, loss, destruction, alteration, misuse, and other risks.
However, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
EU/EEA User Rights
Subject to the conditions and limitations under the GDPR, users in the EU/EEA have the following rights regarding their personal data.
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects
- Right to lodge a complaint with a supervisory authority
If a user wishes to exercise any of these rights, the user may contact us at the email address stated in this Policy.
We may request information necessary to verify the identity of the user before responding to a request.
If a user is dissatisfied with our processing of personal data, the user may lodge a complaint with the data protection supervisory authority in the user’s country of residence, place of work, or place of the alleged infringement.
Relationship with Other Policies
Our general Privacy Policy and External Transmission Policy may also apply to the handling of users’ information in connection with the Service.
If there is any conflict between this Policy and our general Privacy Policy with respect to the processing of personal data or personal information of users in the EU/EEA or the United States, this Policy shall prevail to the extent of such conflict.
Changes to This Policy
We may amend this Policy as necessary.
When we amend this Policy, we will notify or inform users of the effective date and content of the amended Policy by displaying it within the Service, posting it on our website, or by any other appropriate method.
Contact Information
If you have any questions regarding this Policy or wish to exercise your rights under applicable privacy laws, please contact us at the following email address.
Privacy Contact: Choco Next Year For Sure Representative: Haruta Watanabe
Address: Aoyama Marutake Building 6F 3-1-36 Minami-Aoyama, Minato-ku, Tokyo 107-0062 Japan
Email: [email protected]
Established on June 12, 2026