1. Introduction
This Privacy Policy explains how Pub Crawl Kyoto (“we”, “us”, “our”) collects, uses, discloses, and protects personal data when you visit our website https://pubcrawlkyoto.com (the “Website”), contact us, or participate in our pub crawl and nightlife experiences (the “Services”).
Pub Crawl Kyoto is operated by Jens Madsen as an individual business (trading as Pub Crawl Kyoto). It is not a registered company. The Website is operated alongside phototaiken.com, which is run by the same individual.
We process personal data in accordance with applicable Japanese law, including the Act on the Protection of Personal Information (“APPI”), and, where relevant, the EU General Data Protection Regulation (“GDPR”) and other data protection laws in jurisdictions where our guests reside.
2. Data Controller and Contact Details
For the purposes of this Privacy Policy, the data controller is:
Controller name: Jens Madsen (individual operator)
Trading / brand name: Pub Crawl Kyoto
Address: AQUA PALACE 403, 29 Saiintatsumichō, Ukyo Ward, Kyoto 615-0014, Japan
Website: https://pubcrawlkyoto.com
You can contact us regarding privacy or data protection matters at:
Email: [email protected]
Postal address: AQUA PALACE 403, 29 Saiintatsumichō, Ukyo Ward, Kyoto 615-0014, Japan (〒615-0014)
We have not appointed an EU representative or Data Protection Officer (DPO). As a small-scale individual operator, we do not currently engage in the large-scale processing of EU residents’ personal data that would require such an appointment under GDPR Article 27. If that changes, we will update this Policy with the relevant contact details.
3. Scope of This Policy
This Privacy Policy applies to:
- Personal data collected directly through our Website (e.g., when you email or message us, cookies, analytics, server logs).
- Personal data we receive from third‑party booking platforms such as Viator and GetYourGuide when you book our Services.
This Policy does not apply to how Viator, GetYourGuide, or other third‑party platforms process your data on their own websites and apps; their own privacy policies govern such processing.
4. Categories of Personal Data We Collect
4.1 Data You Provide Directly
When you contact us about the Services, you may provide:
- Email and messaging data: your name, email address, phone number (e.g., via WhatsApp or LINE), message content, preferred date/time, and any other details you choose to include.
- Feedback or survey data: information you submit when you respond to surveys, provide feedback, or participate in promotions.
We do not currently operate a contact form or newsletter sign‑up on the Website; inquiries are handled via email and third‑party messaging apps linked from the site.
4.2 Data Collected Automatically (Logs, Cookies, Analytics)
When you visit the Website, we and our service providers may automatically collect:
- IP address, date and time of access, pages visited, browser type, device and operating system information.
- Cookie identifiers and similar technologies used for site functionality, security, preferences, and analytics.
We use the following third‑party services that may process technical or usage data:
- Google Analytics — to understand how visitors use the Website (e.g., pages visited, general traffic patterns). See Google’s Privacy Policy.
- Cloudflare — for website delivery, security, and performance (which may include access logs and security-related cookies). See Cloudflare’s Privacy Policy.
- GetYourGuide — when you view or interact with booking widgets or links embedded on or linked from the Website, GetYourGuide may set its own cookies and collect data under its privacy policy. See GetYourGuide’s Privacy Policy.
4.3 Data Received from Booking Platforms (Viator, GetYourGuide)
When you book our Services through a third‑party platform (such as Viator or GetYourGuide), those platforms act as independent controllers of your booking and payment data under their own terms and privacy policies.
To deliver your booking, we receive from such platforms a subset of your personal data, which may include:
- Your name and contact details (email address, phone number).
- Booking details: date/time, number of participants, language preferences, special requests, and booking ID or voucher reference.
We do not receive your full payment card details from these platforms.
5. Purposes and Legal Bases for Processing
5.1 Purposes of Use (APPI)
Under APPI, we disclose the purposes for which we use personal information, including:
- Responding to inquiries and providing information about our Services.
- Managing bookings transmitted by third‑party platforms and delivering the Services.
- Sending pre‑tour information, changes, and post‑tour communications directly related to your booking.
- Operating, maintaining, and improving the Website, including analytics and security.
- Conducting statistical analysis on aggregate, non‑identifying data to understand interest in our Services.
- Complying with legal obligations, such as tax and accounting requirements.
We do not use your personal information for purposes materially different from those described here without updating this Policy or, where required, obtaining your consent.
5.2 Legal Bases under GDPR (for EU / EEA Residents)
Where GDPR applies, we rely on the following legal bases:
- Performance of a contract: to manage bookings, communicate about your reservation, and deliver the Services you have purchased.
- Legitimate interests: to operate and secure our Website; to understand how visitors use the site; and to maintain records of our business activities, provided these interests are not overridden by your rights and interests.
- Consent: for sending marketing emails or newsletters where required, and for placing non‑essential cookies (e.g., analytics cookies) on your device for EU/EEA visitors where consent is required.
- Legal obligation: to comply with tax, accounting, and other statutory obligations.
6. Cookies and Similar Technologies
We use cookies and similar technologies on the Website. Cookies are small text files stored on your device that help the Website function and allow us to understand how it is used.
6.1 Types of Cookies
- Strictly necessary cookies: required for basic site functionality and security (including cookies set by Cloudflare for protection and delivery).
- Preference cookies: remember your language or display preferences, where applicable.
- Analytics cookies: help us understand how visitors use the site (e.g., pages visited, time on site), primarily through Google Analytics.
- Third‑party booking cookies: GetYourGuide (and, if you visit their site via our links, Viator) may set cookies when you interact with booking widgets or complete a reservation on their platforms.
6.2 Cookie Consent and Control
For visitors in the EU/EEA and other jurisdictions where consent is required, we will obtain consent before placing non‑essential cookies (such as analytics cookies) where we are legally required to do so.
You can control cookies via:
- Browser settings (e.g., to delete or block cookies).
- Google Analytics opt‑out: browser add‑on provided by Google.
- Any cookie banner or preference tools we provide on the Website, if implemented.
Please note that disabling cookies may affect some Website functions.
7. Data Sharing and Third‑Party Recipients
We may share personal data with:
- Freelance hosts and guides: who need limited booking information (e.g., names, meeting times, group size) to deliver the Services.
- IT and hosting providers: including Cloudflare (CDN and security), website hosting, email service providers, and Google Analytics, which process personal data as service providers on our behalf.
- Professional advisers: such as accountants or legal advisers, where necessary for compliance.
- Booking Platforms: we exchange booking‑related information with Viator and GetYourGuide as necessary to manage bookings, changes, or cancellations in line with their supplier terms.
We require service providers who process personal data on our behalf to handle it in accordance with applicable laws, maintain appropriate security, and process it only on our documented instructions (GDPR “processor” obligations), where applicable.
We do not sell your personal data to third parties.
8. International Transfers of Personal Data
Our operations are based in Japan, and we may store personal data on servers located in Japan or other countries, depending on our hosting and cloud service providers (including Cloudflare and Google, which may process data globally).
Under APPI: when transferring personal data to a third party in a foreign country, we will use mechanisms recognized by the Personal Information Protection Commission (such as ensuring equivalent protections or obtaining informed consent for cross‑border transfers).
Under GDPR: when personal data of EU/EEA residents is transferred outside the EU/EEA, we will rely on appropriate safeguards (such as adequacy decisions, standard contractual clauses, or other lawful mechanisms).
Information about specific transfer mechanisms and destinations may be provided upon request.
9. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
In general:
- Contact inquiries and email correspondence: retained for a reasonable period (e.g., up to 2 years) after the last interaction, unless required longer.
- Booking records and data received from Booking Platforms: retained for the period required under tax and accounting laws (often several years) and for handling potential claims.
- Analytics data: retained for shorter periods, typically in aggregated or pseudonymized form, where possible, in line with Google Analytics and Cloudflare settings.
We will delete or irreversibly anonymize personal data when it is no longer needed for these purposes, in line with APPI and GDPR guidance.
10. Your Rights
10.1 Rights under APPI (Japan)
Under APPI, individuals generally have rights to:
- Request disclosure of retained personal data.
- Request correction, addition, or deletion of inaccurate or incomplete personal data.
- Request cessation of use or deletion where personal data is handled in violation of APPI or where continued use is no longer necessary.
You can exercise these rights by contacting us using the details in Section 2. We may need to verify your identity before responding.
10.2 Rights under GDPR (EU / EEA)
Where GDPR applies, you have the following rights:
- Right of access: to obtain confirmation whether we process your personal data and receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): to request deletion of your data in certain circumstances.
- Right to restriction of processing: to request limits on how we use your data in specific situations.
- Right to object: to object to processing based on legitimate interests or for direct marketing.
- Right to data portability: to receive certain data in a structured, commonly used and machine‑readable format and transmit it to another controller.
- Right to lodge a complaint: with a data protection authority in the EU/EEA if you believe your rights have been violated.
To exercise these rights, please contact us as set out in Section 2. We will respond in accordance with applicable law.
11. Security Measures
We take reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration, consistent with APPI and GDPR expectations.
Measures may include:
- Access controls and role‑based permissions.
- Secure hosting, HTTPS encryption, and Cloudflare security features where appropriate.
- Regular updating of systems and monitoring for suspicious activity.
- Training for staff and freelance hosts who handle booking data.
No method of transmission or storage is completely secure, but we aim to maintain security at a level appropriate to the risks.
12. Children’s Data
Our Services and Website are not intended for individuals under 20 years of age, and we do not knowingly collect personal data from anyone under the legal drinking age in Japan.
If we discover that we have collected personal data from an individual under 20 in connection with the Services, we will delete such data as soon as reasonably practicable, unless retention is required by law.
13. Links to Other Websites
The Website may contain links to third‑party websites or services, including Booking Platforms, venues, messaging apps, and other tourism providers (including phototaiken.com).
We are not responsible for the privacy practices or content of such third‑party sites. When you follow a link to another website, you should read its own privacy policy.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other reasons.
The updated version will be posted on the Website with an updated “Last updated” date. We encourage you to review this Policy periodically. Where required by law, we will notify you of material changes via the Website or by other appropriate means.
15. Contact and Complaints
If you have questions about this Privacy Policy or our handling of your personal data, or if you wish to exercise your rights, please contact us using the details in Section 2.
If you are in the EU/EEA and believe that your rights under GDPR have been violated, you have the right to lodge a complaint with a competent data protection authority, such as the authority in your country of residence or where the alleged infringement occurred.
If you are in Japan and have concerns about our handling of personal information under APPI, you may also consult the Personal Information Protection Commission or other appropriate bodies.