Privacy Policy

for Domestic Users

for Overseas Users

Personal Information Protection Policy (for Domestic Users)

SBI Holdings, Inc. (the “Company”) (a) recognizes the importance of protecting the personal information of participants in Expo 2025 Osaka, Kansai, Japan to be held by Japan Association for the 2025 World Exposition (the “Expo”; those participants, including Virtual Expo participants, are hereinafter collectively referred to as “Participants”) that will be obtained in relation to the provision of services regarding non-fungible tokens (“NFTs”) and other services incidental to those services that will be provided by the Company at the Expo (collectively, the “Services”), (b) will comply with the Act on the Protection of Personal Information (the “APPI”), and (c) will endeavor to appropriately handle and protect that personal information in accordance with the personal information protection policy (for domestic users) set out below (this “Policy”). Unless otherwise specified in this Policy, the definitions of terms used in this Policy will be in accordance with the provisions of the APPI. This Policy is prepared in Japanese. In the event of any discrepancy between this Policy prepared in Japanese and the English translation of this Policy provided by the Company, the Japanese provisions shall prevail.
This Policy applies to the handling of personal information of Participants located in Japan. A “Personal Information Protection Policy (for Overseas Users)” that is separate from this Policy applies to the handling of personal information of Participants who reside outside of Japan. Please refer to it here.

1. Definition of personal information
In this Policy, personal information means personal information as defined in Article 2, paragraph (1) of the APPI.

2. Purposes of use of personal information
In addition to the purposes of joint use of personal information provided for in Section 8, the Company will use personal information for the following purposes:

  1. to distribute NFTs to Participants and provide Participants with the experience of creating NFTs in response to certain actions related to the Expo;
  2. to confirm whether or not images and the like provided by Participants to the Company for the purpose of creating NFTs conform to the standards separately determined by the Company;
  3. to process and produce mosaics and other secondary works (“Secondary Works”) using images and the like provided by Participants to the Company for the purpose of creating NFTs, and to exhibit and publish those Secondary Works on the internet, including on the Company’s website;
  4. to confirm each Participant’s identity or the identity of the Participant’s agent;
  5. to hold competitions and the like for NFTs created based on images provided by Participants, and to exhibit and publish the submitted images on the internet, including on the Company’s website;
  6. to send prizes to winners of competitions and the like, or to contact those winners with necessary information;
  7. to provide SBI VC Trade Co., Ltd. (1-6-1 Roppongi, Minato-ku, Tokyo; Tomohiko Kondo, Representative Director) with the personal information of any Participant who wishes to continue to hold NFTs after the period of the Expo ends, for the purpose of completing the procedures to open an account with that company or to start use of services similar to such an account;
  8. to appropriately perform entrusted work in cases where all or a part of the processing of personal information is entrusted by another business entity or the like;
  9. to provide information and to respond to inquiries and the like regarding the Services;
  10. to respond to any violation of terms of service, policies, and the like related to the Services (“Terms of Service, Etc.”);
  11. to provide notification of amendments and the like to Terms of Service, Etc.;
  12. to analyze browsing histories, use histories, and other similar information obtained from sites operated or managed by the Company, for the purpose of improving services, developing additional services, and the like;
  13. to create statistical data in connection with the Company’s services that is processed into a format that does not allow individuals to be identified;
  14. to exercise rights or perform obligations under agreements with Participants, laws, and the like;
  15. to conduct provision to third persons in the manner described in this Policy; and
  16. for other purposes incidental to the purposes of use set out above.

3. Amendments to the purposes of use of personal information
The Company might amend the purposes of use of personal information to the extent that it is reasonably considered to be relevant to do so, and if any amendment is made, the Company will notify the individual who is the subject of the personal information in question (the “Identifiable Person”) or publicly announce the amendment.

4. Use of personal information

4.1 The Company will not handle personal information beyond the scope necessary to achieve the purpose of use without the consent of the Identifiable Person in question, except as permitted by the APPI and other laws and regulations. However, this provision will not apply in any of the following cases:

  1. if required by any law or regulation;
  2. if it is necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the Identifiable Person in question;
  3. if it is especially necessary in order to improve public health or to promote the sound growth of children and it is difficult to obtain the consent of the Identifiable Person in question;
  4. if it is necessary in order to cooperate in the execution of affairs that are prescribed by law or regulation and that are executed by a national agency, a local government, or an individual or entity entrusted by either a national agency or local government, and obtaining the consent of the Identifiable Person in question is likely to impede the execution of those affairs; or
  5. if personal data is provided to an academic research institution or the like and it is necessary for that academic research institution or the like to handle that personal data for academic research purposes (including cases where part of the purpose of handling that personal data is for academic research purposes, but excluding cases where there is a risk of unjust infringement of the rights and interests of individuals).

4.2 The Company will not use personal information in a manner that is likely to encourage or induce unlawful or improper activities.

5. Appropriate acquisition of personal information

5.1 The Company will acquire personal information in an appropriate manner and will not acquire it through deception or other wrongful means.

5.2 The Company will not acquire sensitive personal information (as defined in Article 2, paragraph (3) of the APPI) without obtaining the prior consent of the Identifiable Person in question, except in the following cases:

  1. a case that falls under any of items (1) through (4) of Section 4.1;
  2. a case where sensitive personal information that is evident based on visually inspecting or filming the external appearance of the Identifiable Person in question is acquired; or
  3. a case where provision of sensitive personal information is received from a third person and that provision by the third person falls under any of the items of Section 9.1.

6. Managing the security of personal information
The Company will conduct necessary and appropriate supervision over its employees to ensure the security of personal information is managed against the risk of personal information loss, destruction, falsification, leakage, and the like. In addition, when the Company entrusts all or a part of the handling of personal information, it will provide necessary and appropriate supervision to ensure that the entrusted entity manages the security of personal information. Specific measures for managing the security of personal data held by the Company are set out below.

Formulation of basic policy
Formulate this Policy as a basic policy for “compliance with related laws, regulations, guidelines, and the like,” “contact details for handling questions and complaints,” and the like to ensure appropriate handling of personal data

Maintaining discipline in the handling of personal data
Formulate rules for handling personal data at each stage of acquisition, use, storage, provision, deletion or disposal, and the like, including handling methods, a person in charge and personnel responsible, and the duties of those persons

Organizational measures for managing security
1) Select a person in charge of the handling of personal data; in principle, personal data is be handled by that person
2) Establish a system for reporting to the person in charge if a violation of law or handling regulations by an employee handling personal data, or any sign of such a violation, is ascertained

Personnel-related measures for managing security
1) Implement regular training for employees on matters to be considered in relation to handling personal data
2) State, in employment regulations, matters regarding the confidentiality of personal data

Physical measures for managing security
Take measures to ensure that equipment, electronic media, documents, and the like that handle personal data are handled only by information system personnel, planning personnel, customer support personnel, and the person in charge of compliance, and that personal data is not easily revealed when such equipment, electronic media, and the like are carried around

Technical measures for managing security
1) Implement access controls to limit the scope of personnel responsible and of personal information databases and the like handled
2) Implement mechanisms to protect information systems that handle personal data from unauthorized external access or unauthorized software

Ascertainment of external environment
When handling personal data in a country other than Japan, take necessary and appropriate measures to manage the security of personal data, based on ascertainment of the external environment, such as systems for the protection of personal data in that country

7. Reporting in case of leakage
If personal information handled by the Company is leaked, lost, damaged, or the like, and if, in accordance with the provisions of the APPI, reporting to the Personal Information Protection Commission, Government of Japan and provision of notification to the Identifiable Person in question are required, the Company will conduct such reporting and notification.

8. Joint use of personal information
The Company might conduct joint use of personal information it holds and that is listed in (1) below with the entities listed in (2) below.

  1. Items of personal information to be jointly used
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Participants to the Company for the purpose of creating NFTs
  2. Scope of joint users
    a. SBI VC Trade Co., Ltd.
      1-6-1 Roppongi, Minato-ku, Tokyo
      Tomohiko Kondo, Representative Director
    b. SBINFT Co., Ltd.
      1-6-1 Roppongi, Minato-ku, Tokyo
      Jangdeok Ko, Representative Director
    c. SBI Point Co., Ltd.
      1-6-1 Roppongi, Minato-ku, Tokyo
      Shimpei Kurihara, Representative Director
  3. Purpose of joint use
    Joint provision of the Services with the Company
  4. Name and address of entity responsible for the management of personal information and the name of its representative
    SBI Holdings, Inc. (For the address and the representative’s name, please refer to the URL below.)
    https://www.sbigroup.co.jp/english/company/information/profile.html
  5. Contact details for inquiries regarding joint use
    Personal Information Protection Consultation Service for the Expo
    SBI Holdings, Inc.
    Inquiry form

9. Provision to third persons

9.1 The Company will not provide personal information to any third person without obtaining the prior consent of the Identifiable Person in question, except in cases that fall under any of the items of Section 2 or Section 4.1 or any of the items of Section 9.2. However, none of the following cases will constitute the provision of personal information to third persons as stipulated above:

  1. if personal information is provided in conjunction with the entrustment of all or a part of the handling of personal information within the scope necessary for the achievement of the purpose of use;
  2. if personal information is provided in conjunction with a merger or the succession of business due to any other similar reason; or
  3. if joint use is conducted in accordance with the provisions of the APPI.

9.2 The Company might provide third persons with personal information in the Company’s possession in the following cases:


  1. (i) Recipients
    An unspecified number of persons with access to information on the internet
    (ii) Items of personal information provided
    All personal information (including, but not limited to, information regarding appearance and other personal attributes) contained in the images provided by Participants to the Company for the purpose of creating NFTs
    (iii) Reason for provision
    To distribute NFTs to Participants and to provide Participants with the experience of creating NFTs in response to certain actions related to the Expo

  2. (i) Recipients
    a. Organizer of the Expo (manager of Expo IDs)
    Japan Association for the 2025 World Exposition
    Osaka Prefectural Government Sakishima Building, 1-14-16 Nanko-Kita, Suminoe-ku, Osaka City, Osaka
    Hiroyuki Ishige, Secretary General
    b.  EXPO 2025 Digital Wallet provider
    HashPort Inc.
    12th Floor, Hamamatsucho Building, 1-1-1 Shibaura, Minato-ku, Tokyo
    Seihaku Yoshida, CEO
    c.  MYAKU-PE! service provider
    Sumitomo Mitsui Banking Corporation
    1-1-2 Marunouchi, Chiyoda-ku, Tokyo
    Akihiro Fukutome, President and Chief Executive Officer (Representative Director)
    d.  MYAKU-PO! service provider
    Resona Bank, Limited
    2-2-1 Bingomachi, Chuo-ku, Osaka City
    Shoichi Iwanaga, Representative Director
    e.  EXPO 2025 Digital Wallet customer support service operator
    TMJ Inc.
    Sumitomo Fudosan Nishi-Shinjuku Building, 7-20-1 Nishi-Shinjuku, Shinjuku, Tokyo
    Hideki Maruyama, President and CEO
    (ii) Items of personal information provided
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Participants to the Company for the purpose of creating NFTs
    (iii) Reason for provision
    a. To distribute NFTs to Participants and to provide Participants with the experience of creating NFTs in response to certain actions related to the Expo
    b. To provide information and to respond to inquiries and the like regarding the Services

  3. (i) Recipient
    SBI VC Trade Co., Ltd.
    1-6-1 Roppongi, Minato-ku, Tokyo
    Tomohiko Kondo, Representative Director
    (ii) Items of personal information to be provided
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Participants to the Company for the purpose of creating NFTs
    (iii) Purpose of provision
    To provide SBI VC Trade Co., Ltd. with the personal information of Participants who wish to continue to hold NFTs after the period of the Expo ends, for the purpose of completing the procedures to open an account with that company or to start use of services similar to such an account

10. Disclosure of personal information, etc.
If the Company receives from an Identifiable Person a request for disclosure of personal information under the provisions of the APPI in accordance with the Company’s separately stipulated procedures for responding to requests for disclosure or the like (including methods for confirming that the person making the request for disclosure or the like is the Identifiable Person in question or his or her agent), then the Company will disclose the personal information to the Identifiable Person in question (if the personal information does not exist, then the Company will provide notification to that effect) without delay, unless the Company is not obligated to conduct that disclosure under the APPI or other laws and regulations. Please note that a fee (one thousand Japanese Yen (\1,000) per case) will be charged for the disclosure of personal information.

11. Correction of personal information, etc.
If, on the grounds that personal information is untrue, the Company receives from the Identifiable Person in question a request for correction of, addition to, or deletion of the content of that personal information (“Correction, Etc.”) under the provisions of the APPI in accordance with the Company’s separately stipulated procedures for responding to requests for disclosure or the like (including methods for confirming that the person making the request for disclosure or the like is the Identifiable Person in question or his or her agent), then the Company will, within the scope necessary to achieve the purpose of use of that personal information, conduct a necessary investigation and, based on the results of that investigation, conduct Correction, Etc. of the content of the personal information in question and notify the Identifiable Person in question to that effect (if the Company decides not to conduct Correction, Etc., it will notify the Identifiable Person in question to that effect) without delay, unless the Company is not obligated to conduct Correction, Etc. under the APPI or other laws and regulations.

12. Cessation of use, etc. of personal information
If the Company receives from an Identifiable Person any of the following requests in accordance with the Company’s separately stipulated procedures for responding to requests for disclosure or the like (including methods for confirming that the person making the request for disclosure or the like is the Identifiable Person in question or his or her agent), and there are found to be grounds for that request, then the Company will conduct Cessation of Use, Etc. (as defined below) or Cessation of Provision (as defined below) of the personal information in question and notify the Identifiable Person to that effect without delay, unless the Company is not obligated to conduct Cessation of Use, Etc. or Cessation of Provision under the APPI or other laws and regulations: (1) if, on the grounds that the Identifiable Person’s personal information is being handled in a manner that falls outside the scope of use publicly announced in advance or is being used in a way in which there is a possibility of fomenting or inducing an unlawful or unjust act, or on the grounds that the Identifiable Person’s personal information has been acquired by deception or other wrongful means, the Identifiable Person requests cessation of use or requests deletion (“Cessation of Use, Etc.”) of the personal information in question under the provisions of the APPI; (2) if, on the grounds that the Identifiable Person’s personal information has been provided to a third person without the consent of the Identifiable Person, the Identifiable Person requests cessation of provision of the personal information in question to a third person (“Cessation of Provision”) under the provisions of the APPI; or (3) if, on the grounds that it has ceased to be necessary for the Company to use the Identifiable Person’s personal information, that circumstances concerning the personal information in question as prescribed in the main text of Article 26, paragraph (1) of the APPI have occurred, or that handling the personal information is likely to harm any of the Identifiable Person’s rights or interests, the Identifiable Person requests Cessation of Use, Etc. or Cessation of Provision of the personal information in question under the provisions of the APPI.

13. Handling of personal information related to images associated with NFTs
Notwithstanding the provisions of Sections 11 and 12, each Identifiable Person (a) acknowledges that even if grounds for a request for Correction, Etc. or Cessation of Use, Etc. under Section 11 or 12 are acknowledged in relation to any image that can identify that Identifiable Person and that is contained in a Secondary Work already exhibited or published on the internet, in such instances Correction, Etc., Cessation of Use, Etc., or Cessation of Provision is difficult by nature and (b) accepts that the Company might not be able to conduct Correction, Etc., Cessation of Use, Etc., or Cessation of Provision of the image that can identify the Identifiable Person and that is contained in the Secondary Work.

14. Use of cookies and other technologies

14.1 The Company’s services might use cookies and similar technologies. These technologies assist the Company in ascertaining the status of use of the Company’s services and also contribute to the enhancement of services. Any Participants who wish to disable cookies can disable them by altering web browser settings. However, disabling cookies might result in the inability to use some of the features of the Company’s services.

14.2 The Company’s services that might be subject to the external transmission rules for information transmission order communications pursuant to Article 27-12 of the Telecommunications Business Act, and disclosures made under those rules for those services, are set out below.
The Company uses Google Analytics and receives analysis results from Google LCC and its affiliated companies (“Google”) to ascertain the status of each Participants’ access of the Company’s services and each Participants’ browsing history and behavioral history. For this purpose, the information set out below is sent to Google. Data obtained from Google Analytics is collected anonymously and does not identify individuals. Information sent to Google is set out below.

  • Information on systems, devices, networks, and communications ordinarily used for internet communications
  • Location information
  • Data on behavior within the site or application
  • Data on viewed pages
  • User identifiers (cookies, device identifiers, etc.)

The Company collects the information above in order to check Participants’ activity and as a reference for customer success, as well as a reference for the Company’s service development policy, and Google collects the information above in order to analyze Participants’ browsing trends, browsing history, and the like. The information in question is managed in accordance with Google’s privacy policy and the like (https://policies.google.com/technologies/partner-sites?hl=en). It is possible to disable Google Analytics by downloading and installing the “Google Analytics Opt-Out Add-on” from the Google Opt-Out Add-on Download Page (https://support.google.com/analytics/answer/181881?hl=en) and changing browser add-on settings.

15. Use of advertising services
The Company’s services might use internet advertising services operated by third persons (“Advertising Service Operators”). In order to measure the effectiveness of internet advertising, the Company might obtain information from Advertising Service Operators in relation to internet advertisements clicked on by Participants prior to their visits to this website (such as the click date and the website on which the advertisement was placed) and match this information with information the Company holds in relation to Participants.

16. Governing law
This Policy is governed by the laws of Japan.

17. Inquiries
Contact details for requests for disclosure, opinions, questions, complaints, and other inquiries regarding the handling of personal information are set out below.
Name and address of the business operator handling personal information, and name of that operator’s representative:

operator’s representative:
SBI Holdings, Inc. (For the address and the representative’s name, please refer to the URL below.
https://www.sbigroup.co.jp/english/company/information/profile.html

Reception for inquiries
Personal Information Protection Consultation Service for the Expo
SBI Holdings, Inc.
Inquiry form

18. Continuous improvement
The Company will review the operational status of the handling of personal information from time to time and strive for continuous improvement and might amend this Policy as necessary.

Personal Information Protection Policy (for Overseas Users)

SBI Holdings, Inc. (the “Company”) prescribes the following Privacy Policy covering the handling of personal information for overseas users (this “Privacy Policy”) with respect to the services relating to the non-fungible tokens (“NFTs”) and other services incidental to those services that will be provided by the Company (“Services”) and other activities of the Company in connection with Expo 2025 Osaka, Kansai, Japan (the “World Exposition”).

The term “User(s)” is used to refer collectively to general visitors of the World Exposition, users of the Company’s website and application, volunteer staff, freelance journalists, and other individuals who participate in or are involved with the World Exposition as individuals not belonging to any certain organization that participates in or is involved with the World Exposition (all of which include Users in the Virtual World Exposition).

This Privacy Policy is prepared in Japanese. In the event of any discrepancy between this Privacy Policy prepared in Japanese and the content of this Privacy Policy translated into English provided by the Company, the Japanese provisions shall prevail.

In compliance with applicable data protection laws and regulations (including, but not limited to the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the United Kingdom General Data Protection Regulation (the “UK GDPR”), the China Personal Information Protection Law, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), the Swiss Confederation Federal Act on Data Protection, AS 2022 491 (the “FADP”)), the Company hereby prescribes the following Privacy Policy (for Overseas Users) (in this Privacy Policy (for Overseas Users) referred to as this “Policy”) to cover the handling of personal information in relation to the Services containing the User’s registered information.

This Policy applies to the handling of personal information of Users residing outside Japan, including, but not limited to, the European Economic Area (EEA), the United Kingdom, China and the State of California in the United States. For the handling of personal information of Users residing in Japan, a separate policy “Privacy Policy (for Domestic Users)” shall be applied and be referred to.

1. Categories of Personal Information the Company Collects
The Company will collect and handle the following personal information in relation to the Services.

  1. Basic Information of the Users (name, address, date of birth, phone number, e-mail address, or country of residence, etc.);
  2. Location information;
  3. Biometric information (facial images); and
  4. Information obtained from the Users’ terminals (type of terminal, OS, terminal identifier, IP address, browser type and other browser information, referrer information, cookie ID, information related to browsing history and purchase history obtained by using cookies and cookie-like technologies, advertising identifiers such as IDFA and Google Play advertising ID, etc.).

2. Purposes of Use of Personal Information and Legal Grounds for Data Processing
The Company collects and handles personal information based on the User’s consent, performance of contracts or legitimate interests for the following purposes of use in connection with the Services:

  1. to distribute NFTs to Users and provide Users with the experience of creating NFTs in response to certain actions related to the World Exposition;
  2. to confirm whether or not images and the like provided by Users to the Company for the purpose of creating NFTs conform to the standards separately determined by the Company;
  3. to process and produce mosaics and other secondary works (“Secondary Works”) using images and the like provided by Users to the Company for the purpose of creating NFTs, and to exhibit and publish those Secondary Works on the internet, including on the Company’s website;
  4. to confirm each User’s identity or the identity of the User’s agent;
  5. to hold competitions and the like for NFTs created based on images provided by Users, and to exhibit and publish the submitted images on the internet, including on the Company’s website;
  6. to send prizes to winners of competitions and the like, or to contact those winners with necessary information;
  7. to provide SBI VC Trade Co., Ltd. (1-6-1 Roppongi, Minato-ku, Tokyo; Tomohiko Kondo, Representative Director) with the personal information of any User who wishes to continue to hold NFTs after the period of the World Exposition ends, for the purpose of completing the procedures to open an account with that company or to start using services similar to such an account;
  8. to appropriately perform entrusted work in cases where all or part of the processing of personal information is entrusted by another business entity or the like;
  9. to provide information and to respond to inquiries and the like regarding the Services;
  10. to respond to any violation of terms of service, policies, and the like related to the Services (“Terms of Service, Etc.”);
  11. to provide notification of amendments and the like to any Terms of Service, Etc.;
  12. to analyze browsing histories, use histories, and other similar information obtained from sites operated or managed by the Company, for the purpose of improving services, developing additional services, and the like;
  13. to create statistical data in connection with the Company’s services that is processed into a format that does not allow individuals to be identified;
  14. to exercise rights or perform obligations under laws, regulations, agreements with Users, and the like;
  15. to conduct provision to third parties in the manner described in this Policy; and
  16. for other purposes incidental to the purposes of use set out above.

3. Disclosure of Personal Information
The Company may provide the User’s personal information to the following businesses and organizations.

  1. The Company uses outsourcing companies such as service providers, marketing service providers and security service providers to offer the Services, and these contractors will access and process the Users’ personal information to the extent necessary to offer the Services.
  2. In addition to the preceding item, the Company may provide personal information held by it to a third party in the following cases:

    3. (a)
    (i) Recipients (NFTs related)
    An unspecified number of persons with access to information on the internet
    (ii) Items of personal information provided
    All personal information (including, but not limited to, information regarding appearance and other personal attributes) contained in the images provided by Users to the Company for the purpose of creating NFTs
    (iii) Reason for provision
    To distribute NFTs to Users and provide Users with the experience of creating NFTs in response to certain actions related to the World Exposition

    (b)
    (i) Recipients (World Exposition organizers, sponsors, etc.)
    a. Organizer of the World Exposition (manager of Expo IDs)
     Japan Association for the 2025 World Exposition
     Osaka Prefectural Government Sakishima Building, 1-14-16 Nanko-Kita, Suminoe-ku, Osaka City, Osaka
     Hiroyuki Ishige, Secretary General
    b. EXPO 2025 Digital Wallet provider
     HashPort Inc.
     12th Floor, Hamamatsucho Building, 1-1-1 Shibaura, Minato-ku, Tokyo
     Seihaku Yoshida, CEO
    c. MYAKU-PE! service provider
     Sumitomo Mitsui Banking Corporation
     1-1-2 Marunouchi, Chiyoda-ku, Tokyo
     Akihiro Fukutome, President and Chief Executive Officer (Representative Director)
    d. MYAKU-PO! service provider
     Resona Bank, Limited
     2-2-1 Bingomachi, Chuo-ku, Osaka City
     Shoichi Iwanaga, Representative Director
    e. EXPO 2025 Digital Wallet customer support service operator
     TMJ Inc.
     Sumitomo Fudosan Nishi-Shinjuku Building, 7-20-1 Nishi-Shinjuku, Shinjuku, Tokyo
     Hideki Maruyama, President and CEO

    (ii) Items of personal information provided
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Users to the Company for the purpose of creating NFTs

    (iii) Reason for provision
    a. To distribute NFTs to Users and to provide Users with the experience of creating NFTs in response to certain actions related to the World Exposition
    b. To provide information and to respond to inquiries and the like regarding the Services

    (c)
    (i) Recipient (the Company's group companies)
    a. SBI VC Trade Co., Ltd.
     1-6-1 Roppongi, Minato-ku, Tokyo
     Tomohiko Kondo, Representative Director
    b. SBINFT Co., Ltd.
     1-6-1 Roppongi, Minato-ku, Tokyo
     Jangdeok Ko, Representative Director
    c. SBI Point Co., Ltd.
     1-6-1 Roppongi, Minato-ku, Tokyo
     Shimpei Kurihara, Representative Director

    (ii) Items of personal information to be provided
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Participants to the Company for the purpose of creating NFTs

    (iii) Purpose of provision
    Joint provision of the Services with the Company

    (d)
    (i) Recipient (for management of NFTs after the World Exposition)
     SBI VC Trade Co., Ltd.
     1-6-1 Roppongi, Minato-ku, Tokyo
     Tomohiko Kondo, Representative Director

    (ii) Items of personal information to be provided
    Names, addresses, dates of birth, telephone numbers, email addresses, and information regarding appearance and other personal attributes contained in images provided by Participants to the Company for the purpose of creating NFTs

    (iii) Purpose of provision
    To provide SBI VC Trade Co., Ltd. with the personal information of Users who wish to continue to hold NFTs after the period of the World Exposition ends, for the purpose of completing the procedures to open an account with that company or to start using services similar to such an account

  3. The Company may provide the User’s personal information to the related parties of the World Exposition such as the Japan Association for the 2025 World Exposition etc.
  4. The Company may provide personal information to business partners or information collection module providers.
  5. The Company may disclose personal information to public authorities in accordance with applicable laws and regulations (including ordinances, court rulings, and administrative orders and recommendations)

4. Source of Personal Information
The Company collects personal information directly from the Users. Most of the personal information that the Company may collect will be obtained indirectly from: (i) related parties of the World Exposition such as the Japan Association for the 2025 World Exposition, World Exposition sponsoring companies (including, but not limited to, Sumitomo Mitsui Banking Corporation and Resona Bank, Limited), pavilion exhibitors, and the EXPO 2025 Digital Wallet provider (HashPort Inc.) etc.; operators such as LINE, X, Facebook, Instagram, Google, etc.; (iii) administrators of websites and applications managed or operated by third parties other than the Company; and (iv) outsourcing companies listed in section 3 (1) above.

5. International Transfer of Personal Information
The Company may transfer the User’s personal information to countries outside of the User’s country of residence (for Users residing in the EU, to outside of the EU) (the “International Transfer”) for the purpose of offering the Services. These countries include countries where the level of protection of personal information is lower than laws and regulations applicable to the country where the User resides, including the United States.

When the Company conducts International Transfer of Users’ personal information to these countries, it will: (i) take necessary measures for the protection of personal information such as the conclusion of standard contractual clauses under Article 46 (2) of the GDPR, if the Users reside in the EU; (ii) take necessary measures for the protection of personal information such as the conclusion of standard contractual clauses under Article 46 (2) of the UK GDPR if the Users reside in the UK. If Users would like more information, they are requested to contact the Company at the contact information indicated under section “14. Inquiries” below.

6. Retention Period of Personal Information
The Company will retain Users’ personal information for as long as it is necessary to fulfil the purposes of use prescribed in this Policy. To determine the appropriate retention period for the personal information, the Company considers: (i) whether there is an ongoing relation with the User; (ii) whether the Company is legally obligated to store the personal information; and (iii) whether it is necessary to fulfill any contract with the User.

7. Processing Minor Children’s Personal Information
The Company does not knowingly collect or process personal information of Users under the age of sixteen (16) without the consent of a parent or guardian. Users under the age of sixteen (16) must provide their personal information to the Company only with the consent of a parent or guardian.

If the Company discovers that it has collected the personal information of a User under the age of sixteen (16) without the consent of the parent or guardian, it will immediately take appropriate action.

Parents and guardians are requested to agree that the personal information directly obtained from the User under the age of sixteen (16) in connection with the various services provided by the Company using the relevant Expo ID will also be handled in accordance with this Policy. The various services provided by the Company to Users under the age of sixteen (16) using the Expo ID include, but are not limited to, the following services:

  1. To acquire and manage NFTs distributed in connection with the World Exposition;
  2. To create and manage NFTs;
  3. To submit the created NFTs to competitions, etc.;
  4. To receive online services provided by the Company, such as content distribution, virtual expo experiences, guides of the ideal courses and routes within the exhibition, and creation of avatar images; and
  5. To receive optimal exhibition experiences and advertisements by analyzing online and offline behavior histories.

8. Rights for Disclosure, Correction, Addition, Deletion etc. of Personal Information
Users may have the following rights with respect to their own personal information, in accordance with applicable laws and regulations:

  1. right to seek access to personal information (including copies);
  2. right to request correction;
  3. right to seek removal (the right to be forgotten) when certain conditions are met;
  4. right to restrict or stop the processing of personal information if certain conditions are met; and
  5. right to receive personal information in a structured, machine-readable form if certain conditions are met (the right to data portability).

These rights may be limited, on an exceptional basis, if complying with a User’s request would infringe the rights of Company or a third party, or if the Company is required to delete information that the Company is required to retain in accordance with laws and regulations. Exceptions to these rights are set out in the applicable laws and regulations.

If Users wish to exercise these rights, they are requested to use the contact details listed in section “14. Inquiries” below.

9. Right to Object the Handling of Personal Information
Users may have the right at any time to object to the handling of personal information that is being handled on the basis of legitimate interests under applicable laws and regulations. The handling of personal information in this context includes profiling (this refers to analyzing and predicting the behavior of users based on their information; the same shall apply hereafter.).

Users may have the absolute right under applicable laws and regulations to refuse direct marketing or to refuse profiling done for that purpose if their personal information is being handled for direct marketing purposes.

If Users wish to exercise these rights, they are requested to use the contact details listed in section “14. Inquiries” below.

10. Right to Withdraw Consent
Users have the right to withdraw their consent whenever the Company handles Users’ personal information based on their consent. This withdrawal does not affect the legality of any treatment made on the basis of consent previously given.

If Users wish to exercise these rights, they are requested to use the contact details listed in section “14. Inquiries” below.

11. Handling of Personal Information Related to Images Associated with NFTs
Notwithstanding the provisions of Sections 8, 9 and 10 and the Supplementary Provisions, the User: (i) acknowledges that correction, addition, deletion etc. of personal information is difficult by nature in relation to any image that can identify that User and that is contained in a Secondary Works already exhibited or published on the internet; and (ii) accepts that the Company might not be able to conduct correction, addition, deletion etc. of any image that can identify the User and that is contained in the Secondary Works.

12. Required Personal Information
The personal information Users are required to provide for the provision of the Services is indicated in the form to be sent by the User. The User assumes no obligation to provide such personal information, but if such personal information is not provided, the Company shall not be obliged to offer the Services.

13. The Right to File a Complaint with a Supervisory Authority
Users may have the right to file a complaint with a supervisory authority under applicable laws and regulations. The supervisory authorities where complaints can be filed may include the supervisory authorities of the EU Member State where the User resides or works or where the GDPR complaint is filed, as well as the UK supervisory authorities.

14. Inquiries
For inquiries regarding personal information, please make contact as set forth below:

SBI Holdings, Inc.
Personal Information Protection Consultation Service for the Expo
* Inquiries about the Handling of Personal Information click [here].

California residents can exercise their rights under the CCPA by making contact as set forth below:
* Inquiries about the Handling of Personal Information click [here]

15. Representative
The Company has appointed DataRep (the “Representative”) as its Data Protection Representative for the purposes of GDPR, UK GDPR, and FADP in the Swiss Confederation. If Users want to raise a question to the Company, or otherwise exercise their rights in respect of their personal information, please make contact as set forth below:

  1. Sending an email
    datarequest@datarep.com
    It is ESSENTIAL that you quote <SBI HOLDINGS, INC.> in the subject line.
  2. Online webform
    www.datarep.com/data-request
  3. Mailing
    Mailing your inquiry to the Representative at the most convenient address [here].
    When mailing your inquire, it is ESSENTIAL that you address it to “DataRep”, not to “SBI Holdings, Inc.”, otherwise your inquiry does not reach the Representative. In addition, please make it clear in your letter that the content is related to SBI Holdings, Inc..

Supplementary Provisions for Processing of Personal Information of California Residents
In addition to the provisions set forth above, the following provisions apply to the processing of personal information of residents residing in the state of California in the United States (that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household; hereinafter the same) in accordance with the CCPA.

1. Categories of Personal Information the Company Collects and the Parties Receiving the Information
The Company will collect and has collected in the last twelve (12) months, the following categories of personal information from the Users. Further, the Company has disclosed the personal information collected in the last twelve (12) months to the receiving party indicated below. The section numbers indicated under “Receiving Party” are the numbers indicated in section “3. Disclosure of Personal Information” above.

Category:Receiving Party
Identifiers : (1) (2) (3)
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). : (1) (2) (3)
Protected classification characteristics under California Law or Federal Law : (1) (2) (3)
Commercial information : (1) (2) (3)
Biometric information : (1) (2) (3)
Internet or other electronic network activity information : (1) (2) (3)
Location data : (1) (2) (3)

For details on the personal information the Company collects, refer to section “1. Categories of Personal Information the Company Collects” above, for the business purpose and commercial purpose of the personal information the Company collects, refer to section “2. Purposes of Use of Personal Information and Legal Grounds for Data Processing” above, for the source of the personal information the Company collects, refer to section “4. Source of Personal Information” above, and for the retention period of the personal information the Company collects, refer to section “6. Retention Period of Personal Information” above.

2. Your Rights and Choices under the CCPA
The CCPA provides residents of California with specific rights regarding personal information. If the User is a California resident, the following describes such User’s rights under the CCPA and explains how to exercise those rights.

  1. Right to access personal information
    Users have the right to request that the Company discloses certain information to them about its collection, sharing, disclosure or use of their personal information. Once the Company receives and confirms a User’s verifiable user request, the Company will disclose the following information to such User:
    * The categories of personal information the Company collected about the User;
    * The categories of sources for the personal information the Company collected about the User;
    * The Company’s business or commercial purpose for collecting, selling, or sharing that personal information;
    * The categories of third parties with whom the Company shares or sells that personal information; and
    * The specific pieces of personal information the Company collected about the User.
  2. Right to request deletion
    Users have the right to request that the Company deletes any of Users’ personal information that the Company have collected from Users and retained, subject to certain exceptions. Once the Company receives and confirms a User’s verifiable user request, the Company will delete (and notify its contractors to delete the same) such User’s personal information from its records, unless an exception applies.

    The Company may deny the User’s deletion request if retaining the information is necessary for it or its contractors in order to:
    * Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the User, or reasonably anticipated by the User within the context of the Company’s ongoing business relationship with the User, or otherwise perform the Company’s contract with the User;
    * Help to ensure security and integrity to the extent the use of the User’s personal information is reasonably necessary and proportionate for those purposes;
    * Debug products to identify and repair errors that impair existing intended functionality;
    * Exercise free speech, ensure the rights of other consumers to exercise their free speech rights, or exercise other rights provided for by law;
    * Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
    * Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if the User previously provided informed consent;
    * Enable solely internal uses that are reasonably aligned with the User’s expectations based on the relationship between the User and the Company; and
    * Comply with legal obligations.

  3. Right to request correction
    Users have the right to request that the Company corrects any of their inaccurate personal information that it has collected from them and retained. Once the Company receives and confirms a User’s verifiable user request, the Company will correct (and notify its contractors to correct the same) such User’s inaccurate personal information. The Company may deny the User’s request for correction if it determines that the contested personal information is more likely than not to be accurate based on the totality of the circumstances.
  4. Right to opt-out of sale or sharing
    The Company has not sold or shared personal information collected from Users in the past twelve (12) months and it will not sell or share the same in the future.
  5. Right to opt-in to sale or sharing of personal information
    The Company will not sell or share the personal information of any User over the age of thirteen (13) and under the age of sixteen (16) without obtaining the prior consent of the User himself or herself, or the parent or guardian of the User if under the age of thirteen (13).
    If a parent or guardian provides personal information to the Company on behalf of a User under the age of sixteen (16), he or she should please obtain the necessary consent for the Company to sell or share the personal information.
  6. Right to limit the use of sensitive personal information
    The Company has not used and disclosed and will not use or disclose sensitive personal information collected from Users for any purpose other than the following:
    * To perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services;
    * To help to ensure security and integrity to the extent the use of the User’s personal information is reasonably necessary and proportionate for those purposes;
    * For short-term, transient use (except those involving profiling or changes to the future consumer experience);
    * To perform services on behalf of the Company; and
    * To undertake activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the Company.
  7. Non-discrimination
    The Company will not discriminate against California residents for exercising any of their rights under the CCPA. Moreover, unless permitted by the CCPA, the Company will not:
    * Deny the goods or services to the Users;
    * Charge Users different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
    * Provide Users with different levels or qualities of goods or services;
    * Suggest that Users may receive a different price or rate for goods or services or a different level or quality of goods or services; or
    * Retaliate against an employee, applicant for employment, or independent contractor.
  8. Exercising rights for disclosure request, deletion request and correction request
    To exercise a User’s rights for disclosure request, deletion request and correction request described above, the User should submit a verifiable User request to the Company by contacting it in the manner set forth in section “14. Inquiries”.
    Only the User, a natural person or a person registered with the California Secretary of State that the User authorizes to act on the User’s behalf, or a person who has a power of attorney or is acting as a conservator for the User, may make a verifiable User request related to the User’s personal information. The User may also make a verifiable User request on behalf of the User’s minor child.
    The verifiable User request must:
    * Provide sufficient information that allows the Company to reasonably verify that the User is the person about whom it collected the personal information or an authorized representative; and
    * Describe the User’s request with sufficient detail that allows the Company to properly understand, evaluate, and respond thereto.

Established on July 1st, 2024

Last updated: July 23, 2024

Page top