Privacy Policy

Established August 2, 2021 | Last Revised April 1, 2026

AironWorks Co., Ltd. ("we," "us," or "our") regards the protection of personal information as a core responsibility of our business. We comply with the Act on the Protection of Personal Information of Japan ("APPI"), and where applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other relevant laws and guidelines, and adopt international standards for the protection of personal data appropriate for an AI cybersecurity provider. This Privacy Policy ("Policy") sets forth how we collect, use, and disclose your personal information.

Unless otherwise defined herein, terms used in this Policy shall have the meanings given to them under the APPI and applicable laws.

Chapter 1 — General Provisions

1. Scope of Application

(1) This Policy applies to all personal information (including "personal data" as defined under applicable laws; collectively, "Personal Information") processed by us in connection with our websites, applications, SaaS products, and any other services we provide.

(2) Where the data subject resides in Japan, this Policy is applied in accordance with the APPI. Where the data subject resides outside Japan, this Policy is applied with reference to the laws applicable in the relevant jurisdiction.

2. Data Controller

The entity responsible for the processing of Personal Information under this Policy is as follows:

  • Name: AironWorks Co., Ltd.
  • Address: 1-10-5 Toranomon, Minato-ku, Tokyo, Japan
  • Representative: Representative Director
  • Contact: legal@aironworks.com

Chapter 2 — Personal Information We Collect

3. Categories of Personal Information

We may collect the following categories of Personal Information to the extent necessary to provide our services.

(1) Information You Provide Directly

  • Name, organization, job title, and department
  • Email address, telephone number, postal address, and other contact information
  • Information provided when registering for our website, services, events, or document download forms
  • Information provided through inquiries, support requests, sales discussions, or other communications
  • Information provided during recruitment (including résumés and employment history)
  • Information provided in connection with payments (credit card information is processed by our payment service providers and, as a rule, not retained by us)

(2) Information Collected Automatically

  • IP address, browser type and version, operating system, and device identifiers
  • Referral source URL, visit timestamps, length of visit, page views, and website navigation paths
  • Geographical location estimated from IP address (country/region level)
  • Information obtained through cookies, local storage, pixel tags, web beacons, and other similar technologies (see Section 13)

(3) Information Generated Through Use of the Services

  • Login history, operation logs, and feature usage data
  • Records of cybersecurity training participation, responses to phishing simulations, and learning progress data
  • Business-related data analyzed by our AI models (limited to the scope designated by our customers)

(4) Information Obtained from Third Parties

  • Employee information provided to us by our customers (e.g., names, email addresses, and departments of training participants)
  • Information about companies and individuals obtained from publicly available sources, social media, and business databases
  • Information provided by business partners, resellers, or referrers

4. Special Categories of Personal Data

We do not collect special category data under the APPI ("Sensitive Personal Information") or under applicable laws (such as data relating to race, ethnicity, religion, political opinions, health, or sexual orientation) except where permitted by law or with the data subject's explicit consent.

Chapter 3 — Purposes of Processing

5. Purposes of Use

We collect and use Personal Information within the scope of the following purposes ("Purposes"):

  • To provide, operate, maintain, and improve our services
  • For identity verification, authentication, and account management
  • To respond to inquiries, consultations, and support requests
  • To customize our services and enhance user experience
  • For billing, payment processing, and debt collection
  • To analyze usage patterns and improve our services and AI models
  • To send notices and marketing communications from us, our group companies, or business partners (you may opt out of marketing communications at any time)
  • For recruitment, onboarding, and human resources management
  • To ensure security and to detect and prevent unauthorized access or misuse
  • To comply with legal obligations, manage disputes, and respond to litigation
  • To produce and disclose statistical, anonymized, or pseudonymized information to third parties (such information does not allow identification of individuals)

6. Compliance with Foreign Laws

We implement appropriate safeguards in accordance with the GDPR, the UK GDPR, and other applicable laws as relevant.

7. Automated Decision-Making and Profiling

(1) Certain features of our services involve analysis and scoring by AI models (e.g., phishing resilience scoring and risk assessment). Such processing is generally used to support human decision-making and does not constitute a solely automated decision producing legal or similarly significant effects on the data subject.

(2) Where applicable law restricts solely automated decision-making, the data subject has the right not to be subject to such decisions, the right to obtain human intervention, the right to express their views, and the right to contest the decision.

Chapter 4 — Disclosure and Outsourcing

8. Disclosure to Third Parties

(1) We do not disclose Personal Information to third parties without the prior consent of the data subject, except in the following cases:

  • Where required by law
  • Where necessary to protect the life, body, or property of a person, and obtaining the data subject's consent is difficult
  • Where particularly necessary to improve public health or promote the sound upbringing of children, and obtaining the data subject's consent is difficult
  • Where cooperation with a national or local government agency (or a party entrusted by it) carrying out statutory functions is necessary, and obtaining the data subject's consent could impede such functions
  • Where the third party is an academic research institution that needs to process the data for academic research purposes
  • Where Personal Information is provided in connection with outsourcing within the scope necessary to achieve the Purposes
  • Where Personal Information is provided in connection with a business succession
  • Where Personal Information is jointly used pursuant to applicable law

(2) Notwithstanding the foregoing, where you consent to this Policy, we may share Personal Information with the following subsidiaries, affiliates, and other companies with which we have a capital relationship:

  • AironWorks Technologies Ltd. (Israel)
  • Other domestic and overseas subsidiaries and affiliates with which we have a capital relationship

9. Outsourcing

(1) We may outsource the handling of Personal Information to external service providers to the extent necessary to achieve the Purposes. Such service providers may include cloud infrastructure providers, email delivery providers, payment processors, analytics providers, customer support providers, and AI model infrastructure providers.

(2) When outsourcing, we evaluate and select service providers in accordance with our internal criteria, require appropriate security measures by contract, and exercise necessary and appropriate supervision.

10. Cross-Border Transfers

(1) For the purposes of providing our services and operating our group, we may transfer your Personal Information to recipients located outside Japan, including, but not limited to, Israel, the United States, and EEA member states.

(2) For transfers subject to Article 28 of the APPI, we obtain the data subject's prior consent except in cases prescribed by law. At the time of obtaining consent, we provide information regarding the data protection regime of the recipient country and the safeguards implemented by the recipient, including:

  • Transfers to recipients in countries designated by the rules of the Personal Information Protection Commission (such as EEA member states and the UK)
  • Transfers where the recipient is bound by contract to implement measures aligned with the APPI
  • Transfers where the recipient has obtained certification under an internationally recognized framework (such as APEC Cross-Border Privacy Rules)

(3) Where the laws of the recipient jurisdiction apply (such as the GDPR), we implement appropriate safeguards in accordance with applicable law, including reliance on adequacy decisions of the European Commission, Standard Contractual Clauses, or equivalent measures.

(4) For more information on cross-border transfers, please contact legal@aironworks.com.

Chapter 5 — Retention and Security

11. Data Retention

We retain Personal Information only for as long as necessary to fulfill the Purposes. The retention periods vary depending on the type of Personal Information and the purpose of processing, as follows:

  • Information collected in connection with contracts: until the expiration of the applicable statutory retention period (in principle, seven years) following termination of the contract
  • Inquiry- and recruitment-related information: in principle, two years following completion of the response or the recruitment process
  • Marketing information: three years from the date of opt-out or last interaction
  • Information collected through cookies and similar technologies: until the expiration of the relevant cookie (see Section 13)
  • Security and access logs: in principle, one year from collection

Following the expiration of the relevant retention period, we promptly delete or irreversibly anonymize the Personal Information. We may retain Personal Information for longer periods where required by law or necessary in connection with disputes.

12. Security Measures

We implement appropriate and reasonable security measures to prevent leakage, loss, damage, or other incidents involving Personal Information, including the following:

(1) Organizational Measures

  • Appointment of a personal information protection manager and clear assignment of responsibilities
  • Implementation of internal policies and employee training on personal information protection
  • Regular audits and reviews of the handling of Personal Information
  • Incident response plans for handling data breaches

(2) Personnel Measures

  • Confidentiality agreements with employees
  • Regular training on personal information protection and cybersecurity

(3) Physical Measures

  • Access controls for areas where Personal Information is handled
  • Measures to prevent theft and loss of devices, electronic media, and documents

(4) Technical Measures

  • Access controls, identity and password management, and multi-factor authentication
  • Encryption of data in transit and at rest
  • Protection against unauthorized access and malware
  • Continuous monitoring of information security events

For details of our security measures, please contact legal@aironworks.com.

13. Cookies and Similar Technologies

(1) Our website uses cookies, local storage, pixel tags, web beacons, and similar technologies (collectively, "Cookies").

(2) Cookies are categorized according to their purposes as follows:

  • Strictly necessary cookies: essential for the basic functioning of the website, used without requiring consent
  • Functional cookies: used to remember user preferences and enhance usability
  • Analytics cookies: used to analyze website usage (e.g., Google Analytics)
  • Advertising cookies: used to deliver targeted advertising by us or third parties

(3) For cookies other than strictly necessary cookies, we obtain the data subject's consent through a cookie banner on the first visit. The data subject may decline or change cookie preferences at any time through browser settings or the cookie banner. Declining cookies may limit certain functionality of our services.

(4) We use Google Analytics to understand how our website is used. Google Analytics collects user information via cookies. For details, please refer to Google's privacy policy and terms of service.

Chapter 6 — Your Rights

14. Rights Under the APPI

You may exercise the following rights with respect to your Personal Information:

  • Request notice of the purposes of use
  • Request disclosure of retained personal data and records of third-party provision (including in electronic form)
  • Request correction, addition, or deletion of inaccurate Personal Information
  • Request suspension of use or erasure of Personal Information
  • Request suspension of disclosure to third parties

To exercise these rights, please follow the procedures we provide separately and submit identification documents. A fee may apply for requests for notice of purposes of use or disclosure. We respond to such requests without undue delay.

15. Rights of Data Subjects Outside Japan

Data subjects to whom the GDPR or other applicable laws apply may exercise, in addition to the rights set forth in Section 14, such rights as may be granted under such laws, including the rights of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and lodging a complaint with a supervisory authority. For inquiries, please contact legal@aironworks.com.

Chapter 7 — Miscellaneous

16. Data Breach Response

In the event of a leakage, loss, damage, or other incident involving Personal Information for which notification is required under applicable law, we will report to the relevant supervisory authority and notify affected data subjects within the time period required by such law.

17. Personal Information of Minors

Our services are primarily directed at corporate clients and working professionals and are not principally intended for minors. Where we collect Personal Information of minors, we obtain consent from a parent or guardian where required by applicable law.

18. Use of Data for AI Model Training

Personal data processed on behalf of our customers is, in principle, not used to train our AI models. However, anonymized or aggregated data, or data used pursuant to a contract or consent with the customer, may be used for service improvement, model evaluation, and similar purposes.

19. Updates to this Policy

(1) We may amend this Policy from time to time in response to changes in law, our services, or other circumstances.

(2) In the event of a material amendment, we will provide advance notice through our website, email, or other appropriate means. The amended Policy will take effect upon posting on our website.

20. Contact

For inquiries, requests, complaints, or other communications regarding the handling of Personal Information, please contact us at:

AironWorks Co., Ltd. — Privacy Office

Address: 1-10-5 Toranomon, Minato-ku, Tokyo, Japan

E-mail: legal@aironworks.com

21. Governing Law and Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of Japan. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance. The foregoing does not, however, limit any rights that the data subject may have under mandatory consumer protection laws or other mandatory rules of the country or region in which the data subject resides.

— End —
