Privacy Policy

Last Updated: November 24, 2024

1. Introduction and Overview

This Privacy Policy (“Policy”) describes how NFF (“Company,” “we,” “our,” or “us”) processes personal information about you. Our principal office is located at 3-1-36 Minami-Aoyama, 6F, Minato, Tokyo 107-0062, Japan.

This Policy applies to personal information we collect when you:

  • Access or use our websites (www.nff.ai and app.nff.ai)
  • Use our products and services
  • Interact with us through our official messaging channels on third-party platforms (such as Discord) that are accessed through subscriptions purchased via our website

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. How to Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us at:

Email: support@nff.ai

3. Your Privacy Rights

Subject to applicable law, you may have certain rights regarding your personal information, including:

  • The right to access your personal information and receive information about our use of it
  • The right to require us to correct any inaccurate personal information
  • The right to require us to erase your personal information
  • The right to request restriction of our processing of your personal information
  • The right to receive your personal information in a structured, commonly used format and to transmit such information to another controller
  • The right to object to the processing of your personal information
  • Where our processing of your personal information is based on your consent, the right to withdraw such consent at any time

To exercise any of these rights, please contact us using the information provided in Section 2 above. Please note that these rights may be limited under applicable law, and we may take reasonable steps to verify your identity before responding to your request.

4. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by posting the revised version on our website or through other appropriate communication channels. Your continued use of our Services following the posting of changes constitutes your acceptance of such changes.

5. Information We Collect

5.1 Personal Data Categories

a) Enquiry Information

When you contact us with questions or instructions, we may collect:

  • Your name
  • Contact details
  • Any additional personal information you provide in your communications with us

b) Platform and Community Data

When you register for or use our web-based platform and associated communities, we collect:

  • Your name
  • User identification numbers (such as Discord user ID)
  • Usernames (such as Discord username)
  • Order and transaction history
  • Communications made through our Services or associated communities
  • Usage data and telemetry related to your use of our Services and associated communities
  • Your feedback and responses to surveys

c) Marketing Communication Information

When you opt into our mailing lists, we collect:

  • Your name
  • Email address
  • User identification numbers (such as Discord user ID)
  • Usernames (such as Discord username)
  • Country of residence

5.2 Collection Methods

a) Direct Collection

We collect information directly from you when you:

  • Submit enquiries or instructions through our communication channels
  • Register for our Services
  • Complete forms on our websites
  • Subscribe to our mailing lists
  • Participate in surveys or provide feedback
  • Make purchases or complete transactions
  • Communicate with us through our Services

b) Automated Collection

We automatically collect certain information when you use our Services, including:

  • Usage data and telemetry information
  • Platform interaction data
  • Transaction and order history

c) Third-Party Platforms

We may receive information about you from third-party platforms when you:

  • Connect your third-party platform account (such as Discord) to our Services
  • Interact with our Services through third-party platforms
  • Participate in communities where our software is used

The information we receive from these third-party platforms is governed by this Privacy Policy as well as the privacy policies and settings of the third-party platforms.

6. How We Use Your Information

6.1 Purposes of Processing

a) Enquiry Management

  • To respond to and handle your inquiries and support requests
  • To provide customer service through email and live chat support
  • To maintain records of our communications with you

b) Platform and Community Operations

  • To facilitate your access to and use of our Services
  • To share relevant platform data with community operators (our Customers)
  • To enable Customers to manage and operate their communities
  • To maintain platform functionality and security

c) Marketing Communications

  • To send you company news and service updates where you have consented
  • To deliver marketing messages via email and/or Discord direct messages
  • To share your information with specific Customers for their marketing purposes, where you have explicitly consented
  • To manage your marketing preferences and consent settings

6.2 Legal Bases for Processing

Under applicable data protection laws, including GDPR, we rely on the following legal bases for processing your personal information:

a) Consent

  • Sending marketing communications via email and Discord
  • Sharing your information with Customers for their marketing purposes
  • Processing any special categories of personal data where you have given explicit consent

b) Contract Performance

  • Processing enquiries related to our services
  • Providing access to our platform and services
  • Managing your account and subscription

c) Legitimate Interests

  • Sharing platform data with community operators (Customers) for:
    • Community management and operation
    • Service improvement and development
    • Security and fraud prevention
  • Maintaining records of communications
  • Analyzing service usage for platform improvement

6.3 Legitimate Interests Assessment

Where we rely on legitimate interests as a legal basis, we have carried out a balancing test to ensure our processing is necessary and that your fundamental rights do not override these interests. Our legitimate interests include:

  • Ensuring effective operation and management of communities
  • Maintaining platform security and preventing fraud
  • Improving our services based on user interaction
  • Providing seamless integration with third-party platforms like Discord

You have the right to object to processing based on legitimate interests. To exercise this right, please contact us at support@nff.ai.

6.4 Additional Processing Information

  • We only process your personal information for the purposes specified at the time of collection or as otherwise set out in this Privacy Policy
  • If we intend to use your personal information for a new purpose, we will update this Privacy Policy and, where required, seek your consent
  • Community operators (Customers) who receive your data act as separate data controllers and are subject to their own privacy policies

7. Data Sharing and Disclosure

7.1 Processors and Subprocessors

Under the GDPR, a processor is a third party that processes personal data on behalf of a data controller. A subprocessor is a third party engaged by a processor to process personal data on behalf of a data controller. We use trusted partners as processors and subprocessors for various business processes that are critical to providing our services.

Here is our current list of processors and subprocessors:

| Entity | Service Provided | Role | Country | Address |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, and data storage | Processor | US | 410 Terry Avenue North, Seattle, WA 98109, United States |
| Discord | Community platform services | Processor | US | 444 De Haro Street #200, San Francisco, CA 94107, United States |
| Stripe | Payment processing | Processor | US | 510 Townsend Street, San Francisco, CA 94103, United States |
| Google | Analytics, cloud infrastructure, advertising | Processor | US | 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States |

Data Storage Locations:

  • Primary data storage: AWS (Japan)
  • Secondary data storage: AWS (US – Virginia region)

For any processor or subprocessor changes:

  • We will notify customers of any changes to our processor and subprocessor list
  • We implement appropriate data processing agreements with all processors and subprocessors
  • All processors and subprocessors are contractually bound to maintain at least the same level of data protection as NFF
  • We obtain necessary authorizations from data controllers (our customers) to use subprocessors
  • International data transfers are protected by appropriate safeguards in accordance with GDPR requirements

7.2 International Data Transfers

Your personal information may be stored and processed in countries outside of your home country, including:

Storage Locations

  • Japan
  • United States (Virginia)

When we transfer your personal information internationally, we implement appropriate safeguards in accordance with applicable data protection laws:

Transfers to the United States

We rely on the following legal mechanisms for transfers to the United States:

  • The EU-U.S. Data Privacy Framework (EU-U.S. DPF)
  • The UK Extension to the EU-U.S. DPF
  • The Swiss-U.S. Data Privacy Framework

These frameworks have been approved by the relevant authorities as providing adequate protection for personal data transfers.

Transfers to Japan

Transfers to Japan are covered by the European Commission’s adequacy decision (2019/419), recognizing Japan as providing adequate protection for personal data.

7.3 Data Protection Safeguards

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Data processing agreements with service providers
  • Staff training and security policies

7.4 Additional Information

We require all third parties to respect the security of your personal information and process it in accordance with applicable data protection laws. These third parties are not permitted to use your personal information for their own purposes.

For more information about our data transfer mechanisms or to request a copy of the safeguards we use, please contact us at support@nff.ai.

8. Data Protection Rights

You have certain rights regarding your personal information under applicable data protection laws. Please note that some of these rights may be subject to limitations and conditions under applicable law.

8.1 European Economic Area (GDPR) Rights

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to Access: You can request a copy of the personal information we hold about you and check that we are lawfully processing it.
  • Right to Rectification: You can request correction of any incomplete or inaccurate personal information we hold about you.
  • Right to Erasure: You can request deletion of your personal information in certain circumstances, for example, where we no longer need it or where you withdraw your consent (where applicable).
  • Right to Restrict Processing: You can request us to suspend the processing of your personal information in certain circumstances, for example, if you want us to establish its accuracy or the reason for processing it.
  • Right to Data Portability: You can request us to transfer your personal information to you or another party in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to the processing of your personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
  • Rights Related to Automated Decision Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

8.2 Japan (APPI) Rights

If you are located in Japan, you have the following rights under the Act on Protection of Personal Information (APPI):

  • Right to Disclosure: You can request disclosure of your personal information that we hold, including the purposes for which it is being used.
  • Right to Correction: You can request correction, addition, or deletion of your personal information if it is incorrect.
  • Right to Suspension of Use: You can request that we stop using your personal information if it is being used beyond the scope of the stated purpose or was obtained unlawfully.
  • Right to Deletion: You can request deletion of your personal information if it is no longer needed for the stated purpose or was obtained unlawfully.
  • Right to Suspension of Third-Party Provision: You can request that we stop providing your personal information to third parties.

8.3 How to Exercise Your Rights

To exercise any of these rights:

  1. Contact us at support@nff.ai
  2. Provide sufficient information to identify yourself
  3. Specify which right you want to exercise and the information to which your request relates

We will respond to your request within:

  • One month for GDPR requests (may be extended by two further months for complex requests)
  • Two weeks for APPI requests (may be extended by an additional two weeks in certain circumstances)

8.4 Additional Information

  • We may need to request specific information from you to help us confirm your identity
  • There is no fee for exercising your rights, but we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive
  • If we decide not to take action on your request, we will inform you of the reasons and your right to lodge a complaint with the relevant supervisory authority

9. Data Security

9.1 Technical Security Measures

  • Encryption of data in transit and at rest using industry-standard AWS encryption technologies
  • Secure data storage on enterprise-grade infrastructure provided by Amazon Web Services (AWS), which is fully GDPR-compliant (for more information, visit: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/)
  • Access control and authentication systems
  • Regular security assessments and updates
  • Continuous monitoring systems for detecting unauthorized access
  • Regular backup procedures with encrypted storage

9.2 Organizational Measures

  • Employee training on data security
  • Regular security assessments
  • Documented security procedures and policies
  • Access controls based on the principle of least privilege
  • Regular audits of access logs and security controls

9.3 Data Retention and Disposal

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including for legal, regulatory, accounting, or reporting requirements. When determining retention periods, we consider:

  • The amount, nature, and sensitivity of the information
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process the information
  • Whether we can achieve those purposes through other means

When personal information is no longer necessary, we securely delete or anonymize it according to industry standards and applicable laws.

9.4 Data Deletion Procedures

When you request deletion of your personal data:

  1. We will remove your personal information from our active databases within 30 days of your request
  2. Your data will be permanently deleted from our systems using secure deletion methods
  3. We will ensure deletion of your data from all backups within 90 days
  4. You will receive confirmation once the deletion is complete

9.5 Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  1. We will notify the relevant supervisory authority and affected individuals within 72 hours of becoming aware of the breach
  2. The notification will include:
    • The nature of the breach
    • Likely consequences
    • Measures taken or proposed to address the breach
    • Contact information for our Data Protection Officer
  3. We will document all breaches, including the facts, effects, and remedial actions taken

9.6 Infrastructure Security

Our technical infrastructure includes:

  • Encrypted storage using AWS industry-standard encryption technologies
  • Secure backup systems with encryption at rest
  • Regular security patches and updates
  • Monitoring and alerting systems
  • Disaster recovery procedures

All these measures are regularly reviewed and updated to ensure continued effectiveness and compliance with current security standards and regulations.

10. Cookies and Tracking Technologies

Types of Cookies We Use

Our website uses the following types of cookies:

  • Essential Cookies: Required for basic website functionality
  • Analytics Cookies: Help us understand how visitors use our website
  • Functional Cookies: Remember your preferences and settings
  • Third-Party Cookies: Set by third-party services we use

Cookie Purposes

We use cookies to:

  • Ensure proper website functionality
  • Analyze website traffic and usage patterns
  • Remember your preferences
  • Provide enhanced features

Managing Cookie Preferences

Most web browsers allow you to control cookies through their settings preferences. You can:

  • Delete all cookies
  • Block new cookies
  • Allow or block specific types of cookies

Third-Party Cookies

Third-party services on our website may set their own cookies. We do not control these cookies. Please refer to the respective privacy policies of these third parties for more information.

11. Children’s Privacy

Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

If you believe we might have any information from or about a child under 13, please contact us at support@nff.ai.

12. Updates to This Policy

We may update this Privacy Policy from time to time. The current version will be posted on our website with its effective date. Your continued use of our services after any changes to this Privacy Policy constitutes acceptance of such changes.

13. Contact Information

For any questions about this Privacy Policy or our privacy practices:

Email: support@nff.ai

Address:
3-1-36 Minami-Aoyama 6F
Minato, Tokyo 107-0062
Japan

Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority:

  • For EU/EEA residents: Contact your national data protection authority
  • For Japanese residents: Contact the Personal Information Protection Commission (PPC)