
Privacy Policy

Version 2.6 — Last updated: May 14, 2026

This Privacy Policy is governed by the Act on the Protection of Personal Information (APPI) of Japan.

1. Introduction

Deltalyze ("Company") considers the protection of personal information of users of the AI coaching service "Navily" ("Service") to be of utmost importance. The Company complies with the Act on the Protection of Personal Information and other related laws, and establishes this Privacy Policy as follows.

  • Personal Information Handler: Deltalyze
  • Privacy Officer: Deltalyze
  • Contact: Please contact us through the support page (contact form) of the Service

2. Information We Collect

2.1 Account Information

  • Email address
  • Name (optional)
  • Profile picture (optional)
  • Job title and company name (optional, used for learning personalization)

2.2 Learning Data

  • Onboarding responses (learning goals, interests, available time, etc.)
  • Learning progress (material completion status, chapter completion dates)
  • AI chat history (questions and responses)
  • Audio files (TTS-generated audio of AI chat responses, stored in Supabase Storage)
  • Skill information
  • Analysis results (learning type, self-determination tendency, goal clarity)

2.3 Information from External Authentication Services

The Service provides login through the following external authentication services. When a user logs in through an external authentication service, the following information is obtained:

  • Google Account Authentication: Email address, name, profile picture URL
  • LINE Account Authentication: LINE User ID, display name, profile picture URL

The obtained information is used solely for account creation, login, and profile display, and is managed as account information defined in Section 2.1.

2.4 Technical Data

  • IP address (as legal basis for consent records)
  • Browser information (User-Agent)
  • Cookies (for authentication session management)

2.5 Payment Information

Payment information such as credit card details is managed directly by Stripe, Inc. and is not stored on our servers. We only retain the Stripe Customer ID and Subscription ID provided by Stripe.

3. Purpose of Use

  1. Provision, operation, and improvement of the Service
  2. Generation of AI-personalized learning content
  3. Provision of user support
  4. Analysis of service usage
  5. Billing and payment processing
  6. Campaign and coupon management
  7. Sending learning reminders and notifications via LINE (connected users only)
  8. Analysis and display of user's learning tendencies and personality type ("About You" feature)
  9. Compliance with applicable laws

4. Disclosure to Third Parties

We do not provide personal information to third parties except in the following cases:

  1. When we have the user's consent
  2. When required by law
  3. When necessary to protect life, body, or property
  4. When provided to subcontractors to the extent necessary for Service operation (in such cases, we exercise appropriate supervision over the subcontractors)

5. Integration with External Services

The Service uses the following external services. In accordance with Article 27-12 of the Telecommunications Business Act, we disclose the types of information transmitted from user devices to external parties.

| Service | Provider | Purpose | Information Transmitted |
|---|---|---|---|
| Supabase | Supabase Inc. | Authentication & Database | Email, auth tokens, learning data |
| Anthropic Claude API | Anthropic, PBC | AI response generation | Chat input, learning context |
| Stripe | Stripe, Inc. | Payment processing | Customer ID, plan info |
| Vercel | Vercel Inc. | Hosting | Access logs (IP, User-Agent) |
| LINE Messaging API | LY Corporation | Reminders & Notifications | LINE User ID, notification content |
| Google Analytics 4 | Google LLC | Usage analytics | Page views, events, device info (incl. cookies) |
| Resend | Resend Inc. | Email delivery | Email address, email body |
| Google Gemini API | Google LLC | Text-to-Speech (TTS) | AI response text (during TTS requests only) |
| Slack | Slack Technologies, LLC | Enterprise notifications | Team ID, notification messages |

Please refer to each service provider's website for their respective privacy policies. Your information may be transmitted to servers outside Japan (primarily in the United States) in connection with the use of external services. The provision of personal data to external services is conducted after confirming that each service provider maintains a system that conforms to the standards for appropriate handling of personal information, in accordance with Article 28 of the Act on the Protection of Personal Information.

5.1 Cross-Border Data Transfer Safeguards

| Destination | Service | Safeguards |
|---|---|---|
| US | Supabase (AWS Tokyo Region) | Data stored in Tokyo region. Administrative communication only routes through US. SOC 2 Type II compliant |
| US | Anthropic Claude API | Transmitted only during API calls. Non-use for model training is contractually guaranteed |
| US | Stripe | PCI DSS Level 1 compliant. Card information does not pass through our servers |
| US | Vercel | CDN edge in Tokyo. Builds and logs in US. SOC 2 Type II compliant |
| US | Google LLC (GA4 & Gemini) | Protected under Google's Data Processing Terms. IP anonymization applied for GA4 |
| US | Resend | Email transmission only. SOC 2 Type II compliant |
| Japan | LY Corporation (LINE) | Processed on domestic servers. Only LINE User ID transmitted |
| US | Slack | Enterprise use only. Slack Enterprise Grid compliant |

6. Handling of AI Chat Data

  1. AI chat conversation content is stored for the purpose of improving learning support quality.
  2. Conversation content is sent to Anthropic's API but is not used for model training in accordance with Anthropic's data policy.
  3. Users may request deletion of chat data upon account deletion.
  4. TTS-generated audio files are stored in Supabase Storage and are automatically deleted when the corresponding chat message is deleted or when the account is deleted.

6.1 Automated Profiling

We perform automated analysis of your learning data to generate a learning type profile (e.g., practical, transitional, explorer, cautious), identify your primary self-determination tendency (autonomy, competence, relatedness), and assess goal clarity. This profiling is used solely to personalize your learning experience and tutor recommendations. It does not produce legal effects or significantly affect you. If you do not wish to be profiled, please contact support. Disabling profiling may limit some personalization features. You may also request a review of profiling results by contacting support.

7. Data Storage and Security

  1. Data is stored on Supabase (AWS Tokyo Region).
  2. Communications are encrypted using TLS/SSL.
  3. Row Level Security (RLS) policies are applied to the database, allowing users to access only their own data.

7.1 Data Retention Period

  • Account and learning data: Retained until account deletion is requested
  • AI chat history: Retained until account deletion is requested
  • Webhook logs: Retained for 90 days, then automatically deleted
  • After account deletion: Completely deleted including backups within 30 days

8. Response to Data Breaches

In the event of a data breach, loss, or corruption of personal information, the Company shall promptly report to the Personal Information Protection Commission (preliminary report: within approximately 3-5 days; final report: within 30 days, or within 60 days in cases involving intentional unauthorized access) and notify affected users in accordance with Article 26 of the Act on the Protection of Personal Information.

9. User Rights

Users have the following rights under the Act on the Protection of Personal Information:

  1. Right to Access: You may request disclosure of your personal data.
  2. Right to Correction: You may request correction, addition, or deletion of your personal data.
  3. Right to Restrict Processing: You may request cessation of use, erasure, or cessation of third-party provision of your personal data.
  4. Right to Withdraw Consent: You may discontinue use of the Service and withdraw your consent.

9.1 Request Procedures

  • How to request: Please contact us through the contact form on our support page.
  • Identity verification: Identity is verified by sending the request from your registered email address. Additional identity verification documents may be requested depending on the nature of the request.
  • Response time: We will respond within 2 weeks of receiving your request.
  • Fee: Free of charge

10. Use of Cookies

The Service uses cookies for the following purposes:

  • Authentication session management: Cookies necessary for maintaining login status (required)
  • Analytics: Cookies set by Google Analytics 4 (for usage analysis purposes)

We do not use cookies for advertising purposes. If you wish to opt out of Google Analytics 4 data collection, you may disable cookies in your browser settings or use the Google Analytics opt-out browser add-on.

11. Amendments

When amending this Policy, the revised content will be posted on the Service, with notification provided at least 14 days before the effective date. For significant changes, renewed consent will be obtained.

12. Contact

For inquiries regarding the handling of personal information, please contact us through the support page (contact form) of the Service.

13. Additional Information for EEA and UK Residents (GDPR / UK GDPR)

For users residing in the European Economic Area (EEA) or the United Kingdom ("EEA Users"), the following additional information is provided pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR.

13.1 Legal Bases for Processing (Art. 6 GDPR)

  • Performance of a contract (Art. 6(1)(b)): Account management, subscription delivery, AI coaching features.
  • Consent (Art. 6(1)(a)): Analytics cookies, marketing communications, optional hearing/profiling features.
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention, security, statistical analysis to improve the Service.
  • Legal obligation (Art. 6(1)(c)): Accounting/tax record retention, lawful requests from authorities.

13.2 Data Subject Rights (Art. 15-22 GDPR)

EEA Users may exercise the following rights against the Company:

  • Right of access (Art. 15): Obtain a copy of personal data held by the Company.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of personal data.
  • Right to restriction of processing (Art. 18): Restrict processing in certain circumstances.
  • Right to data portability (Art. 20): Receive and transmit personal data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests and to direct marketing.
  • Right not to be subject to automated decision-making (Art. 22): Not to be subject to a decision based solely on automated processing producing legal or similarly significant effects. The Company's AI-based learning-type determination and content recommendations are informational and do not produce significant legal effects; however, users may request human review by contacting support.

Rights requests are handled via the support contact form. Upon identity verification, responses are provided within one month as a general rule.

13.3 International Transfers (Art. 44-49 GDPR)

The Company transfers personal data from the EEA/UK to Japan and other third countries.

  • Japan: Adequate level of protection is recognised by the European Commission's adequacy decision (Commission Implementing Decision (EU) 2019/419).
  • United States: Transfers to US-based processors (Anthropic, Stripe, Resend, Vercel, Inngest, etc.) are safeguarded by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or by the use of providers certified under the EU-U.S. Data Privacy Framework (DPF).

13.4 EU Representative and Complaints

If the Company designates an EU representative under Art. 27 GDPR, the contact details will be published in this Policy. Until such designation, services to EEA Users are offered within the exemption under Art. 27(2) (occasional offering, etc.).

EEA Users have the right to lodge a complaint with their local Data Protection Authority (DPA) (Art. 77 GDPR). List of DPAs: EDPB members list

13.5 Automated Decision-Making and Profiling

The AI Coach determines learning types, automatically generates roadmaps, and recommends content based on hearing responses and learning data. These processes are informational and do not produce legal or similarly significant effects. Users who wish to opt out of profiling or request human review may contact support.

14. Processing of Children's Data

The Service is generally intended for users aged 18 or older. Children under 16 (or 13-15 in certain EU member states) must obtain consent from a parent or legal guardian before using the Service (Art. 8 GDPR; guidelines under Japan's Act on the Protection of Personal Information). If we become aware that a child has registered without such consent, we will promptly delete the account.
