Liveness Detection API Service
Privacy Policy

This Policy is a special provision to the general Privacy Policy of the Company (https://bio-check.pas-ta.io/en/policy/privacypolicy/), setting forth handling specific to the Service. Matters not provided for in this Policy are governed by the general Privacy Policy.

1. Provider Information

| Item | Details |
|---|---|
| Trade Name | Swallow Incubate Co., Ltd. (Japanese: 株式会社スワローインキュベート) |
| Head Office | Tsukuba Center Institute B-5, 2-1-6 Sengen, Tsukuba, Ibaraki 305-0047, Japan |
| Representative | Toshikazu Ohno, Representative Director |
| Corporate Number | 8050001036849 |
| Personal Information Protection Manager | Toshikazu Ohno, Representative Director |
| Complaints / Inquiries | support@swallow-incubate.com (weekdays 9:00–18:00 JST) |

2. Scope of This Policy

  1. This Policy sets forth how the Company handles Personal Information, Personal Information including individual identification codes, and personally referable information in connection with its provision of the “Liveness Detection API Service” (the “Service”).

  2. In the Service, the Company acquires and handles Personal Information from the following two types of parties. The provisions of this Policy that apply differ for each.

| Party | The Company’s Position | Applicable Provisions |
|---|---|---|
| Customer (the individual representatives of the business entity that subscribes to and uses the Service) | Handled directly by the Company as a personal information handling business operator (under the APPI) | All provisions of this Policy |
| End User (a natural person who is a user of a service operated by the Customer and who is the subject of determination by the Service) | Processed by the Company as a Data Processor on behalf of the Customer (Customer = Controller; Company = Processor) | The relevant provisions, such as Sections 5, 6, and 9 |

3. Definitions

The terms used in this Policy shall, in accordance with the Act on the Protection of Personal Information (the “APPI”), the GDPR, and other applicable laws and regulations, have the following meanings respectively.

  1. “Personal Information”: Personal information as defined in Article 2, Paragraph 1 of the APPI.
  2. “Special Care-Required Personal Information”: Special care-required personal information as defined in Article 2, Paragraph 3 of the APPI (a category of sensitive personal information under the APPI). Under the APPI, facial images do not, in themselves, constitute Special Care-Required Personal Information; provided, however, that where feature values for facial recognition are generated, they may be handled as Personal Information containing an individual identification code (Article 2, Paragraph 2 of the same Act) (where the GDPR applies, they fall under the Special Category Data set forth in item (3)).
  3. “Special Category Data”: Personal data as defined in Article 9, Paragraph 1 of the GDPR, including biometric data processed for the purpose of uniquely identifying a natural person.
  4. “Controller”: A person as defined in Article 4(7) of the GDPR.
  5. “Processor”: A person as defined in Article 4(8) of the GDPR.
  6. “Data Subject”: A natural person identified by Personal Information. In this Policy, this refers to Customers and End Users.
  7. “Image Data”: The facial image data of an End User that the Customer transmits to the Service as part of an API request, including still images and video, where video is processed as a set of consecutive image frames.
  8. “Processing Result”: The data returned to the Customer as a result of the Service’s processing of Image Data (including a binary result (true/false), the confidence score, analysis data, and other accompanying information). The term “determination” in the product brand name “Liveness Detection API” is a designation used for the product name, and the substance of the data provided shall mean the “Processing Result” as defined in this item.
  9. “Customer Information”: The Customer’s name, email address, affiliated company name, AWS Account ID, payment information, the last-used time of the API Key issued by the Company, and the like.

4. Categories of Personal Information Collected

4.1 Customer Information (individual representatives of the Customer)

| Category | Items |
|---|---|
| Identification information | Name (First Name / Last Name), email address, affiliated company name |
| Authentication information | AWS Account ID linked via AWS Marketplace, Subject (identifier) in Amazon Cognito, hashed password (managed in Amazon Cognito and not stored in plaintext on the Company’s servers) |
| Billing information | Plan name, current-month Usage, Hard Cap setting, plan change history |
| Usage logs | Last-used time of the API Key, last login time, IP address, User-Agent |

4.2 Personal Information of End Users

| Category | Items |
|---|---|
| Personal Information (including an individual identification code where facial recognition feature values are generated) / Special Category Data (GDPR) | Facial image (an image of all or part of the head captured by the End User) — discarded immediately after processing pursuant to Section 5 |
| Processing metadata | Date and time of processing, Processing Result (boolean value), image size, source IP address of the request (which may be the IP used by the Customer’s system and not the IP of the End User) |

Important: The Company does not collect any attribute information of End Users, such as their names, contact details, or addresses.

4.3 Collection on the Company Website / Customer Dashboard

5. Special Handling of Facial Images (Personal Information)

5.1 Basis for Collection

The Company acquires the facial images of End Users under entrustment from the Customer. Before using the Service, the Customer shall be solely responsible for obtaining the necessary consents from, or otherwise securing a valid lawful basis under applicable laws and regulations regarding, the relevant End Users with respect to the following matters, and the Company handles facial images on the premise that such lawful basis for acquisition has been secured (consistent with Article 9 of the Terms of Service for the Service):

  1. that the facial image, as Personal Information including an individual identification code (where facial recognition feature values are generated), is provided to a third party (the Company) for the purpose of liveness detection;
  2. that the Company processes such Image Data on cloud infrastructure within Japan (the AWS Tokyo region); and
  3. that the Processing Result is returned to the Customer and used for the Customer’s business purposes.

Where a dispute arises with an End User or other third party as a result of the Customer’s failure to secure the basis for acquisition described above, the Customer shall resolve it at its own responsibility and expense, and the Company shall bear no liability whatsoever. Where the Company incurs damage, the Company may claim compensation from the Customer pursuant to the Terms of Service and the like.

5.2 Purposes of Processing

Facial images are processed solely for the following purposes:

  1. execution of the liveness detection algorithm; and
  2. generation of the Processing Result by such algorithm.

5.3 Retention Policy (Non-Retention; Data Minimization)

Except where there is a separate agreement under Section 5.5, the Company shall promptly discard facial images after the completion of processing, and shall not permanently store or accumulate the contents of Image Data (including byte sequences and feature values) on the Company’s servers, storage, databases, logs, or backups. However, Image Data may temporarily remain to the extent reasonably necessary, including responding to system failures, security measures, and the performance of obligations under laws and regulations. The specific technical measures are as follows:

  1. After being received as the body of an HTTP request, a facial image is expanded only in the memory of the container, and after the inference processing is completed, it is erased from memory upon the termination of the relevant process.
  2. The Company’s application adopts a design that does not permanently write out facial images to disk, databases, logs, or backups (implementation details are described in the Company’s Security Whitepaper).
  3. Logs concerning processing record only metadata such as image size, Processing Result (boolean value), and error codes; the image itself is not recorded.
  4. Image Data may be momentarily held in temporary buffers on the AWS infrastructure (such as the OS kernel network stack and the container runtime); however, the Service is architected and designed such that the application code does not retain or persist such data.

5.4 Prohibition of Provision to Third Parties

The Company does not provide facial images to any third party, except where they are passed to the algorithm for the generation of the Processing Result and where required by laws and regulations.

5.5 Prohibition of Use for Machine Learning / Model Improvement

The Company does not use facial images received from the Customer for the retraining, fine-tuning, performance evaluation, or other improvement of the Company’s machine learning models. However, where there is a separate express agreement between the Customer and the Company, the Company may exceptionally use them within the scope of such agreement.

5.6 Creation of Statistical Information

The Company may create statistical information in a form that does not include facial images (such as the number of processing operations, error rates, and average processing time) and use it for the operational improvement and quality assurance of the Service. Such statistical information is processed into a form from which no specific individual or End User can be identified.

5.7 Explanation Concerning Processing by AI / Algorithms

The Processing Result of the Service is based on statistical estimation by AI and algorithms, does not guarantee 100% accuracy or completeness, and may result in erroneous determinations (false positives or false negatives). The Customer shall, in light of such nature and limitations of the Processing Result, appropriately use the Processing Result at its own responsibility. Where making a decision that has a significant effect on an End User (such as the final determination of identity verification or the rejection of a transaction), the Customer is encouraged to take, as necessary, supplementary measures such as human review. With respect to the rights of Data Subjects where the GDPR applies (Section 12.2(7), the right concerning automated decision-making), the Customer, as the Controller, bears primary responsibility for responding.

6. Purposes of Use

6.1 Purposes of Use of Customer Information

| Purpose of Use | Information Used |
|---|---|
| Provision of the Service and performance of the contract | Identification, authentication, and billing information |
| Identity verification and prevention of unauthorized use | Authentication information and usage logs |
| Fee billing and charging (via AWS Marketplace) | Identification and billing information |
| Inquiries and support | Identification information and usage logs |
| Important notices such as amendments to the terms and policies | Identification information |
| Service improvement and failure investigation | Usage logs and Customer Information generally |
| Service-related announcements and marketing (with prior consent or an opt-out right provided) | Identification information |
| Response based on laws and regulations and reporting to supervisory authorities | Information to the extent necessary |

6.2 Purposes of Use of End User Information

| Purpose of Use | Information Used |
|---|---|
| Performing liveness detection under entrustment from the Customer | Facial image |
| Generation of the Processing Result and its return to the Customer | Facial image (during processing) and processing metadata |
| Creation and retention of billing records | Date and time of processing, Customer identifier, image size, Processing Result (does not include the facial image itself) |
| Failure investigation and security audits of the Service | Processing metadata (does not include the facial image itself) |
| Creation of statistical information (in a form that does not identify specific individuals) | Processing metadata |

7. Provision to Third Parties

  1. As a general rule, the Company does not provide Personal Information to third parties without the consent of the individual (including, for End Users, consent obtained through the Customer). However, in the following cases, the Company may provide Personal Information without the consent of the individual, to the extent not in violation of applicable laws and regulations:
     1. where based on laws and regulations;
     2. where it is necessary for the protection of the life, body, or property of a person, and it is difficult to obtain the consent of the individual;
     3. where it is especially necessary for improving public health or promoting the sound upbringing of children, and it is difficult to obtain the consent of the individual;
     4. where it is necessary to cooperate with a national agency, a local government, or a party entrusted by either of them in performing affairs prescribed by laws and regulations, and obtaining the consent of the individual is likely to impede the performance of such affairs;
     5. where a business including Personal Information is succeeded due to a merger, corporate split, business transfer, or other cause; or
     6. where the Customer engages, or attempts to engage, in an act in violation of the Terms of Service for the Service, and necessary measures are taken in response to such act.
  2. Where the Company provides personal data to a third party or receives personal data from a third party, the Company shall create the records required by Articles 26 and 26-2 of the APPI and retain them for the period prescribed by laws and regulations (in principle, three years).

8. Entrustment / Sub-Processors

8.1 The Company’s Entrusted Parties

In providing the Service, the Company entrusts the handling of Personal Information to the following entrusted parties (which, where the GDPR applies, constitute the Company’s sub-processors) to the extent necessary to perform the business.

| Entrusted Party (Sub-Processor under the GDPR) | Entrusted Business | Personal Information Provided | Data Location |
|---|---|---|---|
| Amazon Web Services, Inc. / Amazon Web Services Japan G.K. | Cloud infrastructure (ECS Fargate / RDS / S3 / CloudWatch / API Gateway / Cognito / SES, etc.) | All processed data | Japan (Tokyo region ap-northeast-1) |

8.2 Supervision of Entrusted Parties

The Company conducts necessary and appropriate supervision so that the safe management of Personal Information is ensured at the entrusted parties. Specifically:

  1. security assessment at the time of selecting the entrusted party (AWS has obtained various certifications such as ISO/IEC 27001, SOC 1/2/3, and ISMAP);
  2. imposition of obligations as a data processor under the AWS Customer Agreement and the AWS GDPR Data Processing Addendum; and
  3. reliable deletion of data after the completion of the entrusted business (the customer-side scope of responsibility under the AWS shared responsibility model).

8.3 Addition or Change of Sub-Processors

Where the Company adds or changes a sub-processor, the Company shall update this Policy and notify the Customer.

9. Cross-Border Data Transfer

9.1 General Rule

The Company shall locate the data center for the Service within Japan (the AWS Tokyo region ap-northeast-1) and shall carry out the principal processing of facial images and Customer Information within Japan.

9.2 Where Cross-Border Transfer Occurs

However, Personal Information may be transferred outside Japan in the following cases:

  1. contract formation and billing processing via AWS Marketplace (routing through AWS’s global infrastructure);
  2. where the operator of a SaaS service used by the Company (email delivery, support CRM, etc.) is located outside Japan; or
  3. where a Customer or End User accesses from outside Japan and routes through AWS’s CDN.

Where the provision of personal data to a third party in a foreign country falls under Article 28 of the APPI, the Company shall, upon the request of the individual, provide information on the name of the destination country, an overview of the personal information protection system in such country, and the measures taken by such third party for the protection of personal information. The principal destination is the United States (where AWS’s global infrastructure is operated), and such transfer is conducted under protective measures based on the contract with AWS (including the AWS GDPR Data Processing Addendum and the Standard Contractual Clauses).

9.3 Measures Where the GDPR Applies

Where personal data relating to End Users within the EU is processed, the Company shall take the appropriate safeguards set forth in Chapter V of the GDPR. Specifically, the Company ensures an appropriate level of protection by concluding a contract with AWS based on the Standard Contractual Clauses (SCC) adopted by the European Commission.

10. Security Control Measures

For the prevention of leakage, loss, or damage of Personal Information and the other safe management of Personal Information, the Company takes the following measures.

10.1 Organizational Security Control Measures

  1. appointment of a Personal Information Protection Manager (the Representative Director);
  2. limitation of the scope of employees handling Personal Information and clarification of the allocation of roles;
  3. auditing of the status of handling of Personal Information; and
  4. establishment of incident response procedures and training.

10.2 Human Security Control Measures

  1. provision of education on personal information protection and information security to employees; and
  2. confidentiality agreements concluded with employees.

10.3 Physical Security Control Measures

  1. physical security of the AWS data centers (within AWS’s scope of responsibility); and
  2. theft prevention and encryption of development terminals (such as FileVault).

10.4 Technical Security Control Measures

  1. encryption of communications (TLS 1.2 or higher);
  2. encryption of stored data (encrypted storage in RDS / EBS / S3 — using AWS KMS);
  3. access control (IAM least privilege / Cognito authentication / API Keys stored as SHA-256 hashes);
  4. multi-factor authentication (TOTP MFA required for the administrative console);
  5. prevention of unauthorized access by WAF (application of an IP allowlist to the administrative console);
  6. acquisition and retention of access logs and audit logs (CloudWatch Logs / the admin_audit_logs table); and
  7. not permanently storing or accumulating facial images on disk, databases, or logs (Section 5.3).

For details, please refer to the separate “Security Whitepaper.”

10.5 Security Control Measures in Foreign Countries

Where the Company handles personal data in a foreign country (such as where it routes through AWS’s global infrastructure), the Company shall, after understanding the personal information protection system of such foreign country, conduct necessary and appropriate supervision of the entrusted party so that measures equivalent to the security control measures set forth in this Section are taken.

11. Requests for Disclosure, etc. of Retained Personal Data

11.1 Matters That May Be Requested

A Data Subject may make the following requests to the Company:

  1. request for notification of the purpose of use;
  2. request for disclosure (Article 33 of the APPI);
  3. request for correction, addition, or deletion (Article 34 of the APPI);
  4. request for cessation of use, erasure, or cessation of provision to third parties (Article 35 of the APPI); and
  5. request for disclosure of records of provision to third parties (Article 33, Paragraph 5 of the APPI).

11.2 Request Procedure

Please submit a request by email to support@swallow-incubate.com. The Company may ask for the submission of documents to verify identity.

11.3 Response Period

The Company will respond within a reasonable period after receiving the request (in principle, within 30 days).

11.4 Fees

The Company responds to disclosure requests free of charge as a general rule. However, where actual costs such as postage are required, including the provision of electromagnetic records, the Company will charge the amount equivalent to such actual costs (free of charge where no actual costs arise); in addition, for clearly unreasonable or excessive requests, such as identical requests repeated within a short period, the Company reserves the right to charge a reasonable administrative fee. For reasonable requests from Data Subjects to whom the GDPR applies, the Company responds free of charge as a general rule.

11.5 Exceptions

Where the Company does not bear these obligations under the APPI or other laws and regulations, where requests for the same content are repeated many times without legitimate reason, or where excessive technical work is required, the Company may be unable to carry out these procedures.

11.6 Requests Concerning the Personal Information of End Users

Where an End User makes a request for disclosure or the like directly to the Company, the Company will advise that the primary point of contact for such End User is the Customer (the business operator that acquired the facial image as a personal information handling business operator), forward such request to the Customer, and cooperate with and support the Customer’s handling of the request to a reasonable extent. The Company does not retain information identifying End Users, such as their names or contact details (Section 4.2), and it is technically difficult for the Company to independently confirm which End User has made a given request; therefore, identity verification and the handling of requests shall be conducted through the Customer.

12. Special Provisions Where the GDPR Applies

This Section applies where personal data relating to Data Subjects within the EU is processed.

12.1 Position as a Processor

Where the Company processes the personal data of End Users, it is positioned as a Processor that processes data in accordance with the instructions of the Customer (the Controller). The Company’s obligations as a Processor are governed by the Data Processing Agreement (DPA) separately concluded between the Company and the Customer.

12.2 Rights of Data Subjects

Under the GDPR, a Data Subject may exercise the following rights:

  1. the right of access (Art. 15);
  2. the right to rectification (Art. 16);
  3. the right to erasure / the right to be forgotten (Art. 17);
  4. the right to restriction of processing (Art. 18);
  5. the right to data portability (Art. 20);
  6. the right to object (Art. 21); and
  7. the right concerning automated decision-making (Art. 22).

Requests may be made in accordance with the procedure in the preceding Section, but the primary point of contact for rights relating to End Users is the Customer. As a Processor, the Company supports the Customer (the Controller) to a reasonable extent in responding to the exercise of Data Subjects’ rights (GDPR Art. 28(3)(e)).

12.3 Breach Notification

Where the Company becomes aware of a leakage incident of personal data (including a suspected one), the Company shall, as a Processor, notify the Customer (the Controller) without undue delay. Notification to supervisory authorities and Data Subjects shall, as a general rule, be conducted by the Customer (the Controller) at its own responsibility, and the Company shall cooperate therewith to a reasonable extent.

12.4 Cross-Border Transfer

As set forth in Section 9.3, the Company takes appropriate safeguards.

13. Special Provisions Where the CCPA / CPRA Applies

This Section applies where personal information relating to residents of California is processed.

13.1 Position as a Service Provider

As a “Service Provider” under the CCPA, the Company processes personal information only in accordance with the instructions of the Customer. The Company does not sell personal information received from the Customer to, or share it with, any third party. The statistical information created by the Company (Section 5.6) is limited to information processed and aggregated so that no specific individual can be identified (de-identified / aggregated information), and does not constitute a “sale” or “share” under the CCPA.

13.2 Rights of California Residents

California residents have the following rights:

  1. the Right to Know;
  2. the Right to Delete;
  3. the Right to Correct;
  4. the Right to Opt-Out of sale/share — not applicable, as the Company does not sell or share; and
  5. the Right to Non-Discrimination.

Requests may be made in accordance with the procedure in Section 11, but the primary point of contact for rights relating to End Users is the Customer.

14. Cookies and Similar Technologies

On the Company Website and the customer dashboard, the Company may use Cookies and similar technologies to improve Customer convenience and the Service. The Customer may disable Cookies through its browser settings; however, some functions of the Service may become unavailable.

15. Personal Information of Children

The Service is provided as a service exclusively for business entities, and the Company does not contemplate acquiring personal information directly from children under the age of 16. Where End Users include children under the age of 16, the Customer bears the responsibility for obtaining consent from the statutory agents of such children pursuant to Article 8 of the GDPR and other applicable laws and regulations.

16. Complaints / Inquiries

| Item | Details |
|---|---|
| Contact | Swallow Incubate Co., Ltd., Personal Information Inquiry Desk |
| Dedicated email for the Service | liveness-api@swallow-incubate.com |
| General inquiry email | support@swallow-incubate.com |
| Hours | Weekdays 9:00–18:00 JST (excluding weekends, public holidays, and the year-end/New Year period) |

Data Subjects within the EU may lodge a complaint directly with the supervisory authority of their country of location or residence.

17. Amendment Procedure

The Company may amend this Policy in response to amendments to laws and regulations, changes to the Service, or as otherwise necessary. Where a material change is made, the Company will notify the Customer at least 30 days prior to the effective date.

Enacted on June 3, 2026
Swallow Incubate Co., Ltd.
Tsukuba Center Institute B-5, 2-1-6 Sengen, Tsukuba, Ibaraki 305-0047, Japan
Toshikazu Ohno, Representative Director