Legal

Privacy Policy

Last updated: May 2026  ·  Version 2.0

Compliance scope. This policy addresses obligations under the EU and UK General Data Protection Regulation (GDPR and UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), other U.S. state privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, and Rhode Island), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial equivalents, Canada's Anti-Spam Legislation (CASL), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws. Where regional rules create additional or different rights, those rights are described in the relevant jurisdiction sections below.

1. About TAKUMI44 and this policy

TAKUMI44 Inc. (“TAKUMI44”, “we”, “our”, or “us”) is a Delaware corporation that operates a multi-tenant Product Experience Infrastructure (PXI) platform: a business-to-business (B2B) software-as-a-service offering that enables manufacturers (OEMs), distributors, resellers, and third-party platforms to create, manage, syndicate, and operate product data across supply-chain networks (the “Service”).

This Privacy Policy governs how we handle personal data in two distinct capacities:

  • As a data controller. For data we collect directly from website visitors, waiting-list registrants, and platform account holders (for example, administrators and billing contacts).
  • As a data processor or sub-processor. For personal data that our tenant organizations (OEMs, distributors, resellers) upload or process through the Service. In that capacity the tenant organization is the data controller and we act on its documented instructions. Tenants should refer to our Data Processing Agreement (DPA), available on request, for processor-specific obligations.

Questions about this policy or your data rights? Email us at privacy@takumi44.com or use the contact page on our website.

2. Key definitions

  • Platform Data. Product catalogs, SKUs, digital assets, and business data uploaded by tenant organizations. Platform Data may contain embedded personal data (for example, sales-rep contact fields).
  • Account Data. Information about individuals who hold user accounts on the Service (name, work email, role, organization).
  • Usage Data. Technical data generated by interactions with the website or Service (logs, telemetry, session data).
  • Tenant or Organization. A business entity (OEM, distributor, reseller, or third-party platform) that subscribes to TAKUMI44.
  • Authorized User or End User. An individual who accesses the Service under a Tenant's subscription.

3. Information we collect

3.1 Information you provide directly

We collect information you provide when you:

  • Join our waiting list (first name, last name, work email, organization name, role, estimated catalog size, optional message).
  • Register or manage an organization account (company name, address, billing contact, VAT/GST/tax ID).
  • Create an end-user account (name, work email, job title, role within the tenant organization).
  • Submit a support request or contact inquiry.
  • Subscribe to newsletters or product updates.
  • Participate in surveys, beta programs, or research sessions.

3.2 Information collected automatically

When you visit our website or use the Service, we automatically collect:

  • Log data. IP address, browser type and version, operating system, referring URL, pages visited, time and date of visits, session duration.
  • Device data. Hardware model, screen resolution, language preferences.
  • Platform telemetry. Features accessed, API calls made, error events, performance metrics (processed in aggregate where possible).
  • Cookie and tracking data. See our Cookie Policy for full details.

3.3 Information from third parties

  • Identity verification providers (for organization onboarding).
  • Payment processors (we receive transaction confirmation and masked card details only; we do not store full card numbers).
  • Integration partners (where you connect third-party systems such as ERP or PIM solutions to the Service).

3.4 Special categories of personal data

We do not intentionally collect special-category or sensitive personal data within the meaning of GDPR Article 9 (such as health data, biometric data, racial or ethnic origin, or political opinions), nor data relating to criminal offenses under GDPR Article 10. No Article 9 or Article 10 legal basis is relied upon, because no such processing is intended. If special-category or criminal-offense data is inadvertently submitted to us, we will delete it without further processing. Please contact us at privacy@takumi44.com if you believe such data has been submitted.

4. How we use your information

PurposeData usedLegal basis (GDPR / UK GDPR)
Provide and operate the ServiceAccount Data, Usage DataContract performance
Process waiting-list registrationsRegistration DataConsent or legitimate interests
Billing and subscription managementAccount Data, payment confirmationContract performance and legal obligation
Customer support and troubleshootingAccount Data, Usage Data, support messagesContract performance and legitimate interests
Security, fraud prevention, abuse detectionLog Data, Usage DataLegitimate interests and legal obligation
Platform analytics and product improvementAggregated or pseudonymized Usage DataLegitimate interests
Transactional communications (account, security alerts)Account DataContract performance
Direct marketing to individuals in the UK or EEAName, work emailConsent, except where the soft opt-in conditions of UK PECR Reg. 22(3) are satisfied
Direct marketing in CanadaName, work emailExpress or implied consent under CASL
Direct marketing in the U.S. and other regionsName, work emailOpt-out where required (CCPA/CPRA and other state laws)
Legal compliance and regulatory reportingAs required by lawLegal obligation
Enforce our Terms of ServiceAccount Data, Usage DataLegitimate interests and contract performance

5. Multi-tenant data isolation

TAKUMI44 is a multi-tenant platform. Each tenant organization's data, including any personal data embedded within Platform Data, is logically isolated from all other tenants at the application, database, and storage layers. We implement controls including:

  • Tenant-scoped row-level security and access control lists.
  • Per-tenant cryptographic separation, with key management performed using the key management services of our cloud infrastructure provider.
  • Audit logging of cross-tenant administrative access (restricted to authorized personnel only).
  • Network segmentation and least-privilege access policies for internal systems.

Tenant organizations that act as data controllers for personal data they process through the Service may request our DPA by emailing privacy@takumi44.com. The DPA sets out our processor obligations in accordance with GDPR Article 28 and equivalent provisions of other applicable laws.

6. Legal basis for processing

6.1 EEA and United Kingdom (GDPR and UK GDPR)

  • Contract performance (Art. 6(1)(b)). Delivering and managing your Service subscription and account.
  • Legitimate interests (Art. 6(1)(f)). Security monitoring, fraud prevention, product analytics, and B2B marketing to existing customers. We have conducted Legitimate Interests Assessments for each purpose and concluded that our interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)). Marketing to prospective customers and non-essential cookies. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)). Tax, accounting, and regulatory requirements.

For direct marketing to individuals in the UK and EEA, our default legal basis is consent, except where the soft opt-in conditions of UK PECR Reg. 22(3) (or equivalent EU Member State implementations of the ePrivacy Directive) are satisfied.

6.2 Canada (PIPEDA and provincial equivalents)

We collect, use, and disclose personal data only with your knowledge and consent (express or implied), except where the law provides otherwise. You may withdraw consent subject to legal or contractual restrictions and reasonable notice. Implied consent is relied upon for B2B contact data where a reasonable person would expect to receive business communications in the context of an existing relationship. CASL governs the sending of commercial electronic messages, and we maintain consent records as required.

6.3 United States (CCPA/CPRA and other state privacy laws)

U.S. state privacy rights are detailed in Section 12 below. We do not sell personal information as that term is defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising in a manner that ignores opt-out rights, and we honor Global Privacy Control (GPC) and similar opt-out preference signals as described in Section 13. We do not use sensitive personal information for purposes beyond those specified in Cal. Civ. Code § 1798.121.

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, applies to processing of personal data of Texas residents. We honor TDPSA rights and recognize universal opt-out mechanisms required by Texas law, in addition to the California GPC.

6.4 Brazil (LGPD)

For individuals in Brazil, processing is based on the legal hypotheses in Article 7 of the LGPD, including consent, legitimate interest, contract performance, and legal obligation. Brazilian data subjects may exercise rights under Article 18 of the LGPD as described in Section 11.

7. Sharing your information

We do not sell, rent, or trade your personal data to any third party. We may share data only as described below.

7.1 Sub-processors and service providers

We engage trusted third-party service providers who process personal data on our behalf, bound by written data processing agreements. We currently use, or may use in the future, the following categories of service providers:

  • Cloud infrastructure providers (currently Amazon Web Services, U.S. region) for hosting, storage, and compute.
  • AI and machine learning providers (currently OpenAI, Anthropic, and Google) for product data enrichment and related features. See Section 8 for details.
  • Email service providers for transactional and marketing emails.
  • Analytics platforms (such as Google Analytics, where deployed) for aggregated usage analytics.
  • Identity and authentication providers for authentication and single sign-on.
  • Customer support tools for helpdesk and ticketing.
  • Payment processors for subscription billing (we receive only billing contact information and masked card details).
  • Security monitoring providers for intrusion detection and SIEM.

Our current sub-processor list is available on request to privacy@takumi44.com and will be published on our trust page once the platform reaches general availability. We will provide notice of material sub-processor changes to affected tenant organizations in accordance with our DPA.

7.2 Within your organization's tenant network

Within the Service, your profile data (name, role, organization) is visible to other authorized users within your tenant organization and to connected partner organizations (for example, your distributor can see the manufacturer contact who shared a catalog) strictly as required to deliver the Service's collaboration features. You control which organizations you connect with.

7.3 Legal and regulatory disclosure

We may disclose personal data when required by law, court order, subpoena, or government authority, or where we reasonably believe disclosure is necessary to protect our rights, prevent fraud, or protect the safety of any person. Where legally permitted, we will notify you before disclosing.

7.4 Business transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users and, where required by law, seek consent or provide opt-out rights before any such transfer.

8. Artificial intelligence and machine learning processing

The Service includes AI-powered features for product data enrichment, classification, content generation, and related tasks. To deliver these features, we route Tenant Content (including Platform Data such as product names, descriptions, attributes, and SEO content) to a multi-provider orchestration layer that may use different AI providers for different tasks. The providers currently in use are OpenAI, Anthropic, and Google, and we may add or substitute providers from time to time.

Contractual posture. We use the corporate API tiers of each AI provider, which are governed by terms providing that customer inputs and outputs are not used to train the providers' models and are subject to short or zero retention windows. We do not separately store AI inputs and outputs beyond what is necessary to deliver the Service to you, except as part of standard system logs and audit trails.

Tenant Content sent to AI providers. OEM-supplied product information for enrichment, including product names, descriptions, attributes, taxonomy data, and SEO content. We do not intentionally send to AI providers any personal data beyond what is incidentally embedded in product data, and tenants are advised not to upload sensitive personal data through these flows.

Outputs and verification. AI outputs may be inaccurate or incomplete. Tenants and Authorized Users are responsible for reviewing AI-generated content before publication or distribution. Section 13 of our Terms of Service contains additional warranty disclaimers and use restrictions related to AI features, including a prohibition on using outputs to develop competing AI systems.

EU AI Act. Where the EU Artificial Intelligence Act applies, TAKUMI44 will comply with applicable transparency and risk-classification obligations. Additional disclosures will be made in our Terms of Service and an AI Addendum as the Act's obligations come into force.

9. International data transfers

TAKUMI44 Inc. is incorporated in Delaware, U.S.A., and operates infrastructure primarily on Amazon Web Services in the U.S. region. Your data may be transferred to and processed in countries with different data protection standards than your home country. We ensure all international transfers are protected by appropriate safeguards:

  • EEA and UK to third countries. EU Standard Contractual Clauses (SCCs, 2021 version) and the UK International Data Transfer Agreement (IDTA) or UK Addendum, as applicable, supplemented by transfer impact assessments where required.
  • Canada. Contractual protections equivalent to PIPEDA Schedule 1 principles.
  • Brazil. LGPD Article 33 mechanisms, including contractual clauses.
  • Data residency options. Enterprise tenants may request EU or Canadian data residency for Platform Data. Contact us for details.

Copies of relevant transfer mechanisms (SCCs, IDTA) are available on request by emailing privacy@takumi44.com.

10. Data retention

Data categoryRetention periodBasis
Waiting list registrationsUntil unsubscribed, or 24 months from registration, whichever is earlierConsent
Active account dataDuration of subscription plus 90 days post-termination (for export)Contract
Billing and invoice records7 yearsLegal obligation (tax law)
Support tickets3 years from closureLegitimate interests
Security logs (access, audit)12 months rollingLegal obligation and legitimate interests
Marketing consent records5 years from last interaction or until withdrawnLegal obligation (GDPR and CASL accountability)
Platform Data (tenant uploads)Deleted within 90 days of tenant account closure unless legally required otherwiseContract and DPA
Anonymized or aggregated analyticsIndefinitely (no personal data)Legitimate interests

Upon account termination, tenant organizations may export their Platform Data during the 90-day wind-down period. After this period, data is securely deleted from production systems and backups on a rolling schedule.

11. Security

We implement a layered security program aligned with industry standards (referencing ISO/IEC 27001 and SOC 2 Type II practices). Controls include:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256) for personal data and Platform Data.
  • Multi-factor authentication enforced for all platform administrators.
  • Role-based access control with least-privilege principles.
  • Periodic penetration testing and vulnerability assessments by independent third parties.
  • 24/7 security monitoring, intrusion detection, and incident response procedures.
  • Employee security training and background checks for personnel with data access.
  • Vendor security assessments for sub-processors.

11.1 Personal data breach notification

In the event of a personal data breach, our notification obligations depend on our role:

  • Where TAKUMI44 acts as a processor (in respect of tenant Platform Data), we will notify the affected tenant organization without undue delay and in any event within 72 hours of becoming aware, in accordance with GDPR Article 33(2) and the corresponding provisions of our DPA. We will provide sufficient information for the tenant to fulfill its own notification obligations to individuals and supervisory authorities.
  • Where TAKUMI44 acts as a controller (for example, regarding Account Data of waiting-list registrants), we will notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms (GDPR Article 33), and will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34), in each case subject to applicable law.

12. Your privacy rights

12.1 Rights for all users

  • Access. Obtain a copy of the personal data we hold about you.
  • Correction. Rectify inaccurate or incomplete data.
  • Deletion. Request erasure where there is no overriding legal basis to retain it.
  • Data portability. Receive your data in a structured, machine-readable format.
  • Withdraw consent. At any time where processing is based on consent, without affecting prior lawful processing.
  • Unsubscribe. Opt out of marketing communications at any time via the unsubscribe link in any email or by contacting us.

12.2 EEA and UK residents (GDPR and UK GDPR)

  • Object. To processing based on legitimate interests, or to direct marketing (an absolute right for marketing).
  • Restriction. Request that processing be limited in certain circumstances.
  • Automated decision-making. Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently make such decisions solely by automated means.
  • Lodge a complaint. With your local supervisory authority (for example, the ICO in the UK at ico.org.uk, or your EU Member State data protection authority).

12.3 U.S. state privacy rights

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, and other U.S. states with comprehensive privacy laws have the rights described below, subject to the specific requirements and exceptions of each state's law.

  • Right to know or access. Categories and specific pieces of personal information collected, sources, business or commercial purposes, and categories of recipients.
  • Right to delete. Subject to statutory exceptions.
  • Right to correct. Inaccurate personal information.
  • Right to data portability. Receive personal information in a portable format where technically feasible.
  • Right to opt out. Of sale of personal information, sharing for cross-context behavioral advertising, and certain forms of profiling. We do not sell personal information. If sharing for cross-context behavioral advertising occurs in the future, we will provide a clear opt-out mechanism.
  • Right to limit use. Of sensitive personal information (California). We do not use sensitive personal information beyond purposes permitted by Cal. Civ. Code § 1798.121.
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.
  • Authorized agents. You may designate an authorized agent to make requests on your behalf.
  • Appeal rights. Where required (for example, Virginia, Colorado, Connecticut), you may appeal a refusal to take action on your request.

Minors (CCPA/CPRA). We do not have actual knowledge that we sell or share personal information of consumers under the age of 16.

12.3.1 California Consumer Privacy Act (CCPA/CPRA) categorical disclosures

In the 12 months preceding the date of this Privacy Policy, we have collected the following categories of personal information described in Cal. Civ. Code § 1798.140(v):

CCPA categoryExamplesSourcesBusiness purposesRecipientsRetention
A. IdentifiersName, email, IP address, account IDDirectly from you; automatic collectionProvide and operate the Service; security; communicationsService providers; sub-processorsPer Section 10
B. Customer records (Cal. Civ. Code § 1798.80(e))Billing contact, address, tax IDDirectly from youBilling; legal compliancePayment processors; tax authorities7 years (billing); duration of subscription plus 90 days (other)
C. Protected classificationsNot collectedNot applicableNot applicableNot applicableNot applicable
D. Commercial informationSubscription history, transaction recordsAutomatic collection; payment processorsBilling; analyticsService providers; payment processorsPer Section 10
E. Biometric informationNot collectedNot applicableNot applicableNot applicableNot applicable
F. Internet or network activityLog data, telemetry, cookie dataAutomatic collectionService operation; security; analyticsService providers; analytics platformsPer Section 10
G. Geolocation (general)Approximate location from IP addressAutomatic collectionSecurity; localizationService providers12 months (logs)
H. Sensory dataNot collectedNot applicableNot applicableNot applicableNot applicable
I. Professional or employment informationJob title, role, organizationDirectly from youService operation; B2B communicationsService providers; connected tenant partnersDuration of subscription plus 90 days
J. Education informationNot collectedNot applicableNot applicableNot applicableNot applicable
K. InferencesPseudonymized usage profiles for product analyticsDerived from other categoriesProduct improvementService providersPer Section 10
L. Sensitive personal informationNot collectedNot applicableNot applicableNot applicableNot applicable

We do not sell personal information and do not share personal information for cross-context behavioral advertising in a manner that ignores opt-out rights.

12.4 Canadian residents (PIPEDA and CASL)

  • Access your personal information and challenge its accuracy.
  • Withdraw consent for collection, use, or disclosure subject to legal and contractual restrictions.
  • File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
  • Unsubscribe from commercial electronic messages at any time. All marketing emails include an unsubscribe mechanism, as required by CASL.

12.5 Brazilian residents (LGPD)

  • Confirm the existence of processing and access your data (Art. 18 I and II).
  • Anonymize, block, or delete unnecessary or unlawfully processed data (Art. 18 IV).
  • Data portability (Art. 18 V).
  • Information about third parties with whom we have shared your data (Art. 18 VII).
  • Oppose processing where it is not compliant with the LGPD (Art. 18 IX).
  • File a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

12.6 How to submit a rights request and verification

To exercise any of the rights above, email us at privacy@takumi44.com or use our contact page. We aim to respond within 30 days, or within any shorter statutory deadline. Some laws permit an extension where requests are complex or numerous, in which case we will notify you and explain the reason.

Verification. Before fulfilling a request, we must verify your identity. For account holders, we will typically verify by reference to authenticated account access. For non-account holders (for example, waiting-list registrants who later request deletion), we will request information sufficient to match against our records, such as the email address and organization name used at registration. We will not require more information than necessary to verify the request, and we will not use verification information for any other purpose.

Requests are free of charge unless manifestly unfounded or excessive.

12.7 Note for end users of tenant organizations

If your personal data is processed by a tenant organization that uses TAKUMI44 as its platform, you should direct your rights requests to that tenant organization (the data controller). We will support tenant organizations in responding to requests where we act as processor.

13. Global Privacy Control and opt-out preference signals

We honor the Global Privacy Control (GPC) and similar opt-out preference signals where required by applicable law. When your browser transmits a GPC or equivalent signal, we treat it as an opt-out from any sharing of personal information for cross-context behavioral advertising under the CCPA/CPRA and from comparable practices under other U.S. state laws (such as the TDPSA) where applicable.

14. EU and UK Article 27 representatives

TAKUMI44 has appointed [Representative TBD] as its representative in the European Union under Article 27 GDPR, and [Representative TBD] as its representative in the United Kingdom under Article 27 UK GDPR. Contact details are available on request from privacy@takumi44.com and will be published on this page once appointment is finalized.

15. Data Protection Officer

We have voluntarily designated a contact for data protection inquiries. DPO inquiries may be directed to dpo@takumi44.com. Where required by applicable law to formally appoint a DPO under GDPR Article 37 or equivalent provisions, we will do so and update this section.

16. Children's privacy

TAKUMI44 is a B2B platform intended for use only by business professionals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@takumi44.com and we will delete it promptly.

17. Cookies and tracking technologies

We use cookies and similar tracking technologies on our website. You can manage your preferences using our cookie consent tool. For full details of the cookies we use, their purposes, and how to control them, please read our Cookie Policy.

18. Changes to this policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other operational reasons. We will:

  • Update the “Last updated” date and version number at the top of this page.
  • Notify active account holders of material changes by email or in-platform notification at least 30 days before the changes take effect.
  • Where renewed consent is required, obtain fresh consent before processing.

Continued use of the Service after the effective date of a non-material change constitutes acceptance. We encourage you to review this policy periodically.

19. Contact us

For questions, concerns, or data rights requests related to this Privacy Policy:

  • Email: privacy@takumi44.com
  • DPO inquiries: dpo@takumi44.com
  • Legal entity: TAKUMI44 Inc., a Delaware corporation
  • Web form: Contact page on our website

For EU and UK users, you also have the right to lodge a complaint with your local data protection supervisory authority at any time.