Privacy Policy
Last updated: January 18, 2026
IDIT Co., Ltd. ("we", "our", or "the Company") establishes this Privacy Policy ("Policy") regarding the handling of personal information in the IDIT platform service ("Service").
1. Information We Collect
We collect the following information through lawful and fair means.
- User Information: Name, email address, phone number (used for SMS verification), and Google account information (used for authentication).
- Payment Information: Payment information such as credit card details is collected and managed directly by the payment processor (Stripe), and we do not directly retain most of this data (such as full card numbers).
- Usage Data: Prompts (instruction text) for AI generation, generated code, images, uploaded materials, service access logs, cookies, IP addresses, device information, and similar data.
- Heatmap Data: Behavioral data such as click locations and scroll positions.
- Analytics Data: Traffic and browsing data such as page views, UTM parameters, and referrers.
2. Purpose of Use
We use collected information for the following purposes.
- To provide, maintain, and improve the Service
- To verify user identity and prevent fraudulent use
- To bill and process payments
- To improve AI model quality and develop features (in some cases as statistical or training data with personally identifiable information removed)
- To respond to inquiries and send important notices
3. Provision to Third Parties
We do not provide personal information to third parties without user consent, except in the following cases.
- When Required by Law: When disclosure is lawfully requested by courts, law enforcement, or other public authorities.
- Outsourcing: When we outsource operations to trusted third parties (such as cloud providers, payment processors, and AI API providers) within the scope necessary to provide the Service.
  - Major vendors: Vercel (hosting/AI Gateway), Supabase (database), Stripe (payments)
- Business Transfer: When provided in connection with succession of business due to merger or similar transactions.
4. Handling of AI-Specific Information
The Service performs AI generation using information entered by users.
- Information such as prompts entered by users may be used to improve AI models. Please do not enter personal or confidential information in prompts.
- In accordance with AI Gateway and connected provider policies, input data may be retained for a certain period for purposes such as abuse monitoring, and is generally not used for training (we apply opt-out settings where available).
5. Security Measures
We implement necessary and appropriate measures to prevent leakage, loss, or damage of personal information and to otherwise manage personal information securely.
6. User Rights
Users may request disclosure, correction, addition, deletion, or suspension of use of their personal information held by us. Please contact us using the contact point below.
7. Changes to This Policy
We may change this Policy when necessary. In the event of material changes, we will notify users by posting on the website or by other appropriate means such as email.
8. Contact
For inquiries about this Policy, please contact us below.
Business Name: IDIT
Address: (TBD)
Email: privacy@idit.jp
9. Cookies and Tracking Technologies
We use the following cookies and tracking technologies for service delivery, security, and analytics.
- Supabase Auth Cookie (sb-*-auth-token): Used for login state and session management. Retention period: session.
- Locale Cookie (NEXT_LOCALE): Used to retain language preference. Retention period: persistent.
- CSRF Token Cookie (csrf_token): Used to protect against CSRF attacks. Retention period: session.
- VisitorID (localStorage): Stores an identifier for analytics. Retention period: persistent.
10. Cross-Border Data Transfers
When using the Service, data may be transferred to the following overseas service providers.
| Service | Country | Transferred Data | Purpose |
|---|---|---|---|
| Vercel | United States | General traffic data | Hosting |
| Supabase | United States | Authentication data, all DB data | Authentication and data storage |
| Stripe | United States | Payment and customer data | Payment processing |
| OpenAI | United States | Prompts | AI generation |
| Anthropic | United States | Prompts | AI generation |
| Google AI | United States | Prompts | AI generation |
| Twilio | United States | Phone numbers | SMS verification |
| Hetzner | Germany | VM instance data | Claw VM |
| Cloudflare | United States / Global | Images and configuration | R2 storage |
| AWS | United States | Site code | S3 storage |
| Upstash | United States | Rate-limit data | Redis |

*We have executed appropriate data processing agreements (DPAs) with each service provider.
11. Data Retention Periods
We retain collected information for the following periods.
- Account information: Until account deletion
- Payment records: 7 years as required by law
- Access logs: 90 days
- AI generation logs: 6 months
- Heatmap data: 180 days
12. Security Controls
We implement the following technical and organizational controls to protect personal information.
- Encrypted communications (TLS 1.2 or higher)
- CSRF protection
- Rate limiting
- Content Security Policy (CSP)
- HSTS
- Database encryption
- Access control and role-based authentication
13. Disclosure Under External Transmission Rules
Pursuant to Article 27-12 of the Telecommunications Business Act of Japan, we disclose information transmitted externally from user devices.
For destination services, transmitted data, and purposes, please refer to "10. Cross-Border Data Transfers."