Privacy Policy
ship Inc. ("we", "us", "our") establishes this Privacy Policy for the handling of user information, including personal information, in connection with our AI phone reception service "kaketoku" (the "Service") and our website.
Effective date: July 6, 2026
1. Data Controller
| Item | Detail |
|---|
| Company | ship Inc. (株式会社ship) |
| Address | 8F Nishigotanda Place, 3-12-14 Nishigotanda, Shinagawa-ku, Tokyo 141-0031, Japan |
| Representative | Takumi Suminaga, CEO |
2. Information We Collect
2.1 Customer (tenant) and staff information
- Contract and billing information: company name, contact person's name, email address, phone number, title
- Service account information: name, email address, assigned role
- Inquiry and support records
2.2 Call-related information (processed on behalf of our customers)
To support our customers' call-center operations, the Service processes the following on our customers' instructions. Under Japan's Act on the Protection of Personal Information, we process this information as a processor entrusted by the customer and do not use it for our own purposes:
- Call metadata: caller/callee phone numbers, date/time, duration, call status
- Call recordings (audio)
- Call transcripts and AI-generated summaries / structured data
- Customer-registered contact and case data (CRM data)
- Documents registered by the customer as an AI knowledge base
2.3 Information obtained through third-party integrations (including Zoom)
When a customer connects the Service to an external service such as Zoom, we obtain information only within the scope of permissions (OAuth scopes) the customer's administrator approves:
- Zoom integration: identity of the approving administrator account (name, email address, account ID); the list of phone numbers held by the customer's Zoom account; and each number's assignee details (assignee name, extension number, queue name, etc.).
- The Zoom permissions we request are read-only phone-number management scopes. We do not access meeting content, call audio on Zoom's side, chat messages, or recordings held in Zoom.
2.4 Automatically collected information
- Access logs, including audit logs (IP address, browser/User-Agent, timestamps, actions performed)
- Information collected via cookies and similar technologies (§9)
3. Purposes of Use
- Providing, operating, and maintaining the Service (AI first-response, transcription, summarization, handoff to human operators, third-party integrations)
- Identity verification, authentication, and account management
- Billing and usage aggregation
- Responding to inquiries and support requests
- Improving quality, fixing defects, and ensuring security (including detection and prevention of unauthorized access)
- Addressing violations of our Terms of Service
- Sending important notices about the Service
- Complying with laws and regulations
We do not use information processed on customers' behalf (recordings, transcripts, CRM data) for any purpose other than providing the Service. We do not use customer data to train our own or any third party's AI models.
4. Disclosure to Third Parties
We do not provide personal data to third parties except: (1) with the individual's consent; (2) as required by law; (3) where necessary to protect life, body, or property and consent is difficult to obtain; or (4) where cooperation with government authorities is required and obtaining consent would impede it.
We do not sell or rent information obtained from Zoom or any other integrated service to third parties.
5. Subprocessors
We entrust processing to the following services, to the extent necessary to provide the Service, under data processing agreements (DPAs) or equivalent terms:
| Subprocessor | Purpose | Data involved |
|---|
| Google Cloud (Google LLC) | Infrastructure — primary data stored in the Tokyo region | Call records, transcripts, CRM data, recordings |
| Twilio Inc. | Telephony (PSTN) connectivity | Call audio (as carrier), phone numbers, call status |
| External AI service providers | Speech recognition, conversational AI, speech synthesis, summarization | Call audio and transcripts — under Zero Data Retention (ZDR) and no-training contractual terms |
| Zoom Video Communications, Inc. | Handoff to operators; phone-number catalog integration | Phone numbers, assignee information |
| Resend | Email delivery of call summaries | Recipient email addresses, call summaries |
| Svix | Webhook delivery to customer endpoints | CRM change events |
| Clerk Inc. | User authentication and identity management | Staff account data only — no call content is ever shared with Clerk |
6. International Transfers
Primary data assets (call records, transcripts, customer databases) are stored in Japan (Google Cloud Tokyo region). Some subprocessors above (Twilio, Clerk, Zoom, Resend, Svix, external AI providers) may process data in the United States or other countries. In accordance with Japanese law, we confirm the data-protection regimes of the relevant countries, contractually require equivalent safeguards, and provide related information upon request.
7. Security Measures
ship Inc. holds ISO/IEC 27001 (ISMS) certification and applies the following measures within that management system:
- Organizational: designated security officers, documented handling rules, annual internal audits, supervision of subprocessors
- Personnel: at least annual security training; confidentiality obligations
- Physical: office access zoning; anti-theft controls for devices and media
- Technical: encryption in transit (TLS 1.2+), encryption at rest (AES-256), envelope encryption of integration credentials with Google Cloud KMS, least-privilege access control with MFA support, tenant isolation enforced by database row-level security, audit logging, and vulnerability assessments
- Environmental awareness: assessment of the legal regimes of countries where subprocessors process personal data
8. Retention and Deletion
- Call records, transcripts, and CRM data are retained according to the retention period configured by each customer and deleted after that period or upon contract termination.
- Call recordings are automatically deleted after a defined period by storage lifecycle policy.
- Zoom data: if a customer disconnects the Zoom integration, we delete the stored OAuth credentials and revoke the app's access on Zoom's side. Synced phone-number catalog data is deleted upon customer request.
- Information subject to statutory retention obligations is kept for the legally required period.
9. Cookies
Our website and the Service use cookies and similar technologies to maintain login sessions, ensure security, and understand usage. You can disable cookies in your browser settings; some features of the Service may become unavailable as a result.
10. Your Rights
Individuals (or their representatives) may request notification of purposes of use, disclosure, correction, addition, deletion, suspension of use, erasure, or suspension of third-party provision of their personal data held by us. Contact us at the address in §12; we will verify identity as required by law and respond without undue delay.
For information we process on behalf of a customer (recordings, transcripts, CRM data), we may direct your request to the customer acting as controller.
11. Changes to This Policy
We may revise this Policy in response to legal or business changes. Material changes will be announced on our website or by other appropriate means.
12. Contact
ship Inc. — Personal Information Inquiry Desk 8F Nishigotanda Place, 3-12-14 Nishigotanda, Shinagawa-ku, Tokyo 141-0031, Japan Email: support@kaketoku.com