Jon&Coo Inc. ("we", "us", or "the Company") respects the privacy of users ("you") of the Matsuri platform ("the Service"). This Privacy Policy explains how we collect, use, share, and protect your personal information in accordance with Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), and other applicable laws.
1. Data Controller
Company: Jon&Coo Inc.
Address: Shinjuku Park Tower 30F, 3-7-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan
Email: office@jonandcoo.org
Phone: +81-80-5060-5588 (Weekdays 9:00–18:00 JST)
2. Scope
This Policy applies to all services provided through the Matsuri platform (website matsuri.group and mobile application), including cultural experience bookings, event participation, tour applications, merchandise purchases, subscriptions, and community features.
3. Information We Collect
3.1 Information You Provide
- Account Information: Name, email address, phone number, password (stored as a hash), profile image
- Identity Verification: Date of birth, gender, address, nationality (for experience/tour eligibility)
- Booking Information: Number of participants, preferred dates, special requests, allergy/health information (optional)
- Payment Information: Payment method selection, billing address (sensitive card data is not stored on our servers)
- Communications: Inquiries, reviews, survey responses
3.2 Information Collected Automatically
- Technical Data: IP address, browser type/version, operating system, device information, screen resolution
- Usage Data: Access timestamps, pages viewed, referral URLs, session duration, click history
- Location Data: Approximate location based on IP address (GPS data is not collected without explicit consent)
- Cookies & Identifiers: Session cookies, authentication tokens, advertising identifiers
4. Purposes of Processing
- Service delivery, booking processing, account management, and identity verification
- Billing, refund processing, and subscription management
- Customer support and inquiry handling
- Service improvement, usage analysis, and new feature development
- Notifications and promotional communications (consent-based)
- Fraud detection, prevention, and security
- Legal compliance, exercise or defense of legal rights
5. Legal Basis (for EEA/UK Users)
- Performance of Contract: Processing necessary for booking and service delivery
- Legitimate Interests: Service improvement, fraud prevention, security
- Legal Obligation: Tax and accounting compliance
- Consent: Marketing emails, non-essential cookies
6. Payment Processing
Online payments are processed by Stripe, Inc. and PayPal Holdings, Inc. Sensitive payment data (credit card numbers, etc.) is never stored on our servers and is encrypted and processed in PCI DSS-compliant environments. We only receive and store transaction results (success/failure, transaction ID, amount).
7. Third-Party Sharing
We share personal information with third parties only to the minimum extent necessary:
- Payment Processors: Stripe, PayPal
- Experience/Tour Providers: Information necessary for booking fulfillment (name, party size, contact details)
- Cloud Infrastructure: Railway (server hosting), Vercel (frontend)
- Analytics: Google Analytics (anonymized)
- Email Delivery: Mailgun (transactional emails and notifications)
- Media Management: Cloudinary (image and video optimization)
- Legal Requests: Court orders, lawful government requests
- Corporate Restructuring: Mergers, acquisitions, or asset transfers
8. International Data Transfers
Your personal data may be processed and stored outside Japan (e.g., United States) for service delivery. In such cases, we implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions, etc.).
9. Data Retention
- Account Data: Deleted within 30 days of account deletion (except where legal retention is required)
- Transaction Records: Retained for up to 7 years as required by law
- Access Logs: Retained for up to 12 months for security purposes
- Support Records: Retained for up to 3 years after resolution
10. Security Measures
- Encryption in transit (TLS 1.2+)
- Password hashing (bcrypt)
- HttpOnly / Secure / SameSite cookie management for authentication tokens
- Role-based access control (minimum privilege)
- Regular vulnerability assessments
- Incident response plan
11. Cookies & Tracking
11.1 Essential Cookies
We use essential cookies for authentication sessions, CSRF protection, and language preferences. These cannot be disabled.
11.2 Analytics Cookies
We use analytics tools such as Google Analytics to anonymously analyze service usage. You can disable these via browser settings or opt-out tools.
11.3 Apple App Tracking Transparency
Our iOS app complies with Apple's App Tracking Transparency (ATT) framework and requests user permission before any tracking.
12. Your Rights
- Right of Access: Request disclosure of personal data we hold
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of personal data (account deletion)
- Right to Restriction: Request limitation of processing
- Right to Data Portability: Receive data in machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
To exercise your rights, contact office@jonandcoo.org. We will respond within 30 days after identity verification.
Account Deletion can be performed directly from in-app account settings or the website at matsuri.group/accounts/delete/.
13. Children's Privacy
The Service is not intended for children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will promptly delete it. Parents may contact office@jonandcoo.org.
14. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide notice through the Service or via email. The updated Policy takes effect upon publication.
15. Contact Us
For privacy-related questions or requests, please contact:
Jon&Coo Inc. — Privacy Office (Responsible Person: Ko Takahashi)
Shinjuku Park Tower 30F, 3-7-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan
Email: office@jonandcoo.org
Phone: +81-80-5060-5588 (Weekdays 9:00–18:00 JST)
If you are unsatisfied with our response, you may file a complaint with the Personal Information Protection Commission (Japan) or your local data protection supervisory authority.