当社サーバー(ekyc.ooak.jp)/OOAK INC. 送信情報:電話番号、SMS認証コード、券面撮影画像(表・裏)、顔写真(自撮り)、ICチップ読取情報(氏名・住所・生年月日・性別・個人番号・カード番号・国籍/地域・有効期限・ICチップ内の顔画像)、OCR抽出項目・認識テキスト、認証トークン/利用目的:本人確認の実施・結果返却、券面/ICチップ/顔写真の照合、SMS認証、API認証
OOAK INC. (the “Company,” “we”) handles the personal information and Specific Personal Information (Individual Number / “My Number”) of users of the identity-verification app “Flash Verify” (the “App”) as set out below.
1. Business Operator
Operator: OOAK INC.
Address: Deia Life Otsuka 1F, 2-17-77 Kita-Otsuka, Toshima-ku, Tokyo 170-0004, Japan
Inquiries / personal-information contact: https://ekyc.ooak.jp/support (or info@ooak.jp)
2. Information We Collect
The App collects the following to the extent necessary for identity verification (eKYC):
Information printed on the document: name, address, date of birth, sex, nationality/region, residence status, period of stay, expiry date, card number
Individual Number (My Number) *Specific Personal Information
Facial photograph and captured images of the document, and the facial image read from the IC chip (biometric information)
Phone number (SMS authentication)
Registration ID / account identifier issued by us
Technical data associated with IC-chip reading and photography
Methods of collection: NFC IC-chip reading, camera capture, and user input.
Preventing impersonation and forgery by comparing the document, the IC chip, and the facial photograph (the captured selfie is compared against the facial image stored in the IC chip to confirm that the person is the rightful holder of the document)
Verification procedures under the Act on Prevention of Transfer of Criminal Proceeds and other laws
Incidental inquiry handling, fraud prevention, and security assurance
We do not use any information, including facial images, for advertising, marketing, third-party analytics, profiling, or machine-learning training. We do not track users’ behavior outside the App.
4. Handling of the Individual Number (Specific Personal Information)
We collect, use, and store the Individual Number only within the scope permitted by the My Number Act (Act on the Use of Numbers to Identify a Specific Individual), and apply the statutory security control measures. Except where permitted by law, we do not use or provide it beyond the purpose of use.
5. Provision to Third Parties / Outsourcing
Except as required by law, we do not provide personal information to third parties without the user’s consent.
We outsource part of our operations to the following providers and supervise them appropriately:
Face matching: Amazon Rekognition (facial-image similarity assessment)
Cloud storage: Amazon Web Services (Amazon S3, Tokyo region ap-northeast-1)
SMS delivery: NTT Communications (NTT CPaaS)
Amazon Rekognition’s face comparison (CompareFaces) is stateless and does not retain the images.
We contractually obligate our processors to maintain confidentiality and security.
6. Retention Period and Deletion
Identity-verification data including facial images, and the identity-verification records, are retained for up to the retention period prescribed by the Act on Prevention of Transfer of Criminal Proceeds (7 years after the end of the transaction), and are deleted by a secure method once they are no longer needed or after that period.
Information that is no longer necessary to achieve the verification purpose is deleted or anonymized regardless of the above period.
Deletion requests are accepted at the point of contact in Section 10.
6-2. Handling of Face Data (Biometric Information)
Face data collected: (1) a facial photograph (selfie) of the user captured with the camera; (2) the facial image recorded on the IC chip.
Whether stored: Face data is stored in encrypted form (it is not stored indefinitely).
Why it is stored: to compare the captured selfie with the facial image in the IC chip and confirm they are the same person (impersonation prevention), and to create and retain the identity-verification record required by the Act on Prevention of Transfer of Criminal Proceeds.
Retention period and the reason for it: Face data is retained for up to the period during which the Act on Prevention of Transfer of Criminal Proceeds requires identity-verification records to be kept (7 years after the end of the transaction), and is deleted by a secure method once it is no longer needed or after that period. The 7-year period is because that Act sets the retention period for identity-verification records at “7 years after the end of the transaction.” Deletion requests are accepted at the contact in Section 10 at any time.
Third parties with whom it is shared: Amazon Web Services (AWS) — specifically Amazon Rekognition for face matching and Amazon S3 (Tokyo region, ap-northeast-1) for encrypted storage. Face data is not provided to any other third party.
Why it is shared: to perform face matching (Amazon Rekognition) and to securely store the identity-verification record (Amazon S3).
Storage by third parties:
Amazon Rekognition’s face comparison (CompareFaces API) is stateless and does not store or retain facial images (it processes them only transiently for the comparison).
Amazon S3 stores the facial images in encrypted form as our processor (data handler), on our instructions. Retention and deletion follow our policy above (deletion 7 years after the end of the transaction); AWS does not store or use the face data for its own purposes. AWS’s security and privacy handling follow the AWS data processing terms.
7. Security Management Measures
All communications are encrypted with TLS.
Sensitive information such as the Individual Number and facial images is encrypted when stored.
We implement security measures including access control and log management.
8. App Permissions
NFC: reading the IC chip (My Number Card / Residence Card)
Camera: capturing the document and the facial photograph
9. Third-Party Tracking
The App does not use any third-party advertising or tracking SDKs and does not track users across other companies’ services.
10. Requests for Disclosure, Correction, Suspension of Use, or Deletion
Requests for the disclosure, correction, suspension of use, or deletion of retained personal data are accepted at the following point of contact.
Contact: https://ekyc.ooak.jp/support (or info@ooak.jp)
11. Amendments
We may amend this Policy as necessary. Material changes will be announced in the App or on this page.
13. Disclosure Regarding External Transmission of Information (Telecommunications Business Act)
When providing its identity-verification (eKYC) service, the App transmits information relating to the user from the user’s device. In line with the intent of Article 27-12 of the Telecommunications Business Act (rules on external transmission of information), this section discloses the content of the information transmitted, the party handling it, and the purpose. The App uses no third-party SDKs for advertising, analytics, or tracking. Transmissions to external parties (AWS and the SMS delivery provider) are made via the Company’s servers; the device does not transmit directly to those parties.
Company server (ekyc.ooak.jp) / OOAK INC. Information: phone number, SMS one-time code, document images (front/back), selfie, IC-chip data (name, address, date of birth, sex, Individual Number, card number, nationality/region, expiry date, IC-chip facial image), OCR fields and recognized text, authentication token / Purpose: performing verification and returning the result; comparing document / IC chip / facial photograph; SMS authentication; API authentication
Amazon S3 (Tokyo region ap-northeast-1) / Amazon Web Services Japan G.K. (via Company servers) Information: document images, selfie, IC-chip facial image / Purpose: encrypted image storage
Amazon Rekognition (Tokyo region ap-northeast-1) / Amazon Web Services Japan G.K. (via Company servers) Information: selfie, IC-chip facial image / Purpose: 1:1 face comparison (identity confirmation)
SMS delivery (NTT CPaaS) / NTT Communications (via Company servers) Information: phone number, SMS body containing the one-time code / Purpose: SMS delivery of the one-time code
All of the above transmissions are performed to provide the identity-verification service; if they are stopped, the service cannot be provided (no transmission is made for advertising or tracking). Inquiries: https://ekyc.ooak.jp/support.