Privacy Policy

How Takumo collects, uses, stores and protects personal information (Japan / APPI) 

Version 2.0 · Effective date: 06/07/2026 · Applies to Takumo Pro and Takumo Traveler 

Registered office: 5-16-1-103 Omorikita, Ota-ku, Tokyo 143-0016 · Principal place of business: Level 12, YANMAR TOKYO, 2-1-1 Yaesu, Chuo-ku, Tokyo 104-0028 
Corporate number (法人番号) 4010801036849 · Qualified-invoice number (適格請求書) T4010801036849 · Representative Director: Martin Fluck · info@takumo.jp · takumo.jp 


Takumo K.K. (Takumo株式会社) (“Takumo”, “we”, “us”, “our”) is committed to protecting the personal information of everyone whose data we process. This Privacy Policy explains how we collect, use, store, share and protect personal information in connection with Takumo Pro and the Takumo Traveler guest application. 
We comply with Japan’s Act on the Protection of Personal Information (個人情報の保護に関する法律, “APPI”). Questions can be sent to privacy@takumo.jp. 

Company name Takumo K.K. (Takumo株式会社); corporate number 4010801036849 
Registered address 5-16-1-103 Omorikita, Ota-ku, Tokyo 143-0016, Japan 
Principal place of business  Level 12, YANMAR TOKYO, 2-1-1 Yaesu, Chuo-ku, Tokyo 104-0028, Japan 
Personal-data manager (個人情報保護管理者)  Keelan Michelsons
Privacy contact  privacy@takumo.jp · takumo.jp/privacy 

3.1 Guests (via Takumo Traveler and Takumo Pro

  • Name; delivery/destination address; email and/or mobile number for notifications. 
  • Shipment information, item description, count, weight, dimensions, special-handling notes, pickup/destination and dates. 
  • Carrier tracking reference; booking reference and QR code; digital-wallet pass data (name, dates, reference, pass token). 
  • Language preference; the prohibited-goods / carrier-liability consent recorded at booking. 

Guest data is provided directly by the Guest when self-booking in Takumo Traveler, and/or by the hotel

3.2 Hotel staff / account users (Takumo Pro)  

  • Account credentials (username, email, encrypted password), role (Admin/Receptionist). 
  • Authentication and audit logs (login time, IP, device) for security; usage activity. 
  • Billing contact details. Card data is processed by Stripe and is not stored by Takumo. 

3.3 Technical information (both platforms) 

  • IP address, browser/OS/device information, usage logs and errors. 
  • Session cookies for authentication; reCAPTCHA data for bot-protection on public forms (see Section 11). 

We use personal information only to: create and process luggage-forwarding bookings and transmit them to the selected carrier; retrieve and display tracking; send shipment notifications; authenticate users and prevent fraud/abuse; provide support; issue invoices and take subscription payment (hotels only, via Stripe); and meet legal record-keeping obligations. 

We do not use personal information for profiling, targeted advertising, or to train artificial-intelligence or machine-learning models, and we do not permit our service providers to train their models on it. Guest data is used only to provide the luggage-forwarding service and is never repurposed for marketing. 

Under APPI we specify our purposes of use (利用目的) and process personal information within them: to perform the service the hotel has contracted for; to operate and secure the platform and support users; to comply with legal obligations (e.g. tax/commercial record-keeping); and, only where we send optional communications to hotel contacts, on the basis of consent that can be withdrawn at any time. 

6.1 Our primary hosting and database are in Japan on Amazon Web Services (AWS) Tokyo (ap-northeast-1), across multiple Availability Zones. A within-Japan disaster-recovery region (Osaka, ap-northeast-3) is being implemented. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).  


6.2 Cross-border processing (APPI Article 28). Some features use global service providers that may process limited personal data outside Japan, namely: transactional email (Twilio SendGrid), push and real-time notifications (Google Firebase), digital-wallet passes (Apple, Google), address validation and bot-protection (Google), payment for hotel billing (Stripe), and support tooling (Zoho). Where a provider processes personal data in a foreign country, we do so in accordance with APPI Article 28, including, where required, obtaining prior consent after providing information about the destination country and the recipient’s protective measures, or ensuring the recipient maintains a standard equivalent to APPI. 


6.3 For a cross-border shipment requested by the Guest, the minimum data needed is transmitted to the destination carrier to complete delivery. 

Data category Retention Basis 
Active bookings Duration + 90 days Contractual necessity 
Completed bookings 2 years Carrier liability / tax 
Cancelled bookings 1 year Dispute resolution 
Guest personal data (PII) Relationship + 2 years, then anonymised/deleted Service delivery / APPI minimisation 
Wallet-pass data Until the Guest opts out Guest consent 
Invoices 7 years Japan tax law 
Waybill records (operational, non-identifying after anonymisation) 7 years Commercial record-keeping 
Audit logs 5 years Compliance 
Application logs 30 days (auto-expire) Operations 
Support correspondence 3 years after resolution Support / dispute 

We share personal data with the providers below only as needed to deliver the service. Carriers and PMS providers are engaged where the hotel selects them. We require each to protect the data, process it on our instructions, and comply with law. We do not sell personal data. 

ProviderPurpose Data location 
Amazon Web Services Japan Hosting & database Japan (Tokyo; Osaka DR planned) 
Yamato Transport (B2Cloud / Tracking) Carrier, label & tracking Japan 
Sagawa Express; Japan Post Carrier Japan 
Ship&Co (Interport K.K.) Carrier API aggregation Japan 
Oracle (Opera Cloud), Mews, RoomBoss, Cloudbeds PMS reservation sync (if hotel uses) Global / overseas 
Stripe, Inc. Hotel billing / card processing Overseas (US) 
Apple Inc.; Google LLC Digital-wallet passes Overseas (US) 
Google (Firebase FCM/RTDB) Push & real-time notifications Overseas (US/global) 
Twilio SendGrid Transactional email Overseas (US) 
Google (Address Validation, reCAPTCHA) Address validation; bot-protection Overseas (US/global) 
Zoho Corporation Support desk (Zoho Desk) Overseas (US/India) 
SATO CORPORATION Printer hardware support Japan 

You may request disclosure (開示) of the personal data we hold, correction (訂正) of inaccurate data, suspension of use (利用停止) in the circumstances APPI allows, and deletion (消去), subject to legal retention (e.g. invoices/waybills during the statutory period). Where processing relies on consent, you may withdraw it. Contact privacy@takumo.jp or your hotel; we respond without undue delay (遅滞なく) and in any event within a reasonable period.

We maintain appropriate technical and organisational measures, including: TLS 1.2+ in transit and AES-256 at rest; bcrypt password hashing; role-based access and tenant isolation (row-level security by hotel/branch); configurable multi-factor authentication for staff; immutable audit logging; WAF and rate-limiting; structured logging with PII redaction; and regular vulnerability scanning and penetration testing. We are working towards ISO 27001 / SOC 2 and manage compliance through Vanta. 

If a personal-data breach occurs that is reportable under APPI, we will report to the Personal Information Protection Commission (PPC), a prompt preliminary report (速報) and a full report (確報) within the APPI timeframe, and notify affected individuals as required. 

Takumo Pro and Takumo Traveler use session cookies to authenticate logged-in users. Public forms use Google reCAPTCHA for bot-protection, which may set cookies and collect device/usage data under Google’s privacy terms. We do not use advertising or cross-site tracking cookies.  

We may update this Policy to reflect changes in our practices or the law. We will notify hotel customers of material changes via the platform or email with at least 30 days’ notice, and notify Guests via a notice in Takumo Traveler. The effective date is shown at the top. 

Privacy Officer, Takumo K.K. (Takumo株式会社), Level 12, YANMAR TOKYO, 2-1-1 Yaesu, Chuo-ku, Tokyo 104-0028, privacy@takumo.jp, takumo.jp/privacy. If you are not satisfied with our response, you may contact the Personal Information Protection Commission (個人情報保護委員会) at ppc.go.jp.  

Takumo K.K. (Takumo株式会社) · Registered office 5-16-1-103 Omorikita, Ota-ku, Tokyo 143-0016 · privacy@takumo.jp · takumo.jp 

Version 2.0 · Effective 06/07/2026. © 2026 Takumo K.K. All rights reserved.