Privacy Policy
Effective date: March 16, 2026
K.K. Best Path Research (株式会社 Best Path Research) ("we", "us", "our") operates the Tokumeika document anonymization service at www.tokumeika.com (the "Service"). This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and your rights regarding that data.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller for this Service is:
- Entity: K.K. Best Path Research
- Email: privacy@tokumeika.com
2. Personal Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address (required; used as your login identifier)
- Password (stored only as a one-way cryptographic hash using the Argon2 algorithm; we never store, transmit, or have access to your plaintext password)
- First and last name (optional)
- Language preference (optional; English or Japanese)
- Timezone (optional; used for displaying dates in your local time)
- Theme preference (optional; light or dark mode)
We also generate and store:
- A SHA-256 hash of your canonical email address, used solely to prevent abuse (e.g., repeated free-tier registrations). The hash lets us check whether a newly registered address matches one we have already seen; it is a one-way value that cannot be reversed to recover your email address, although a party who already knows a specific address could confirm whether it matches.
2.2 Authentication Data
We support two authentication methods:
- Email and password: Your password is hashed with Argon2 before storage.
- Google OAuth: If you sign in with Google, we receive your verified email address and basic profile information (name). We request only the profile and email OAuth scopes. We do not request access to your Google contacts, calendar, files, or any other Google services.
We also support optional multi-factor authentication (MFA) via time-based one-time passwords (TOTP), recovery codes, and WebAuthn hardware security keys. MFA credentials are stored securely and are never transmitted to third parties.
2.3 Payment Data
All payments are processed by Stripe, Inc. We never store, see, or have access to your credit card number, CVV, expiration date, or billing address. Stripe handles all sensitive payment data as a PCI DSS Level 1 service provider, the most stringent level of PCI DSS compliance.
We store only the following Stripe identifiers in our database to manage your subscription:
- Stripe customer ID
- Stripe subscription ID
- Your selected plan and payment status (active or past due)
2.4 Documents You Upload
When you use the Service to anonymize documents, we process and temporarily store:
- The original uploaded file
- Text extracted from the document (via OCR or direct extraction)
- The anonymized output file
- Cryptographic hashes of input and output files (SHA-256) for integrity verification
- Processing metadata: detected entity types, redaction steps performed, and timestamps
Encryption: All documents are encrypted at rest using AES-256-GCM with per-document encryption keys. These keys are themselves encrypted (wrapped) using AWS Key Management Service (KMS) with a Customer Managed Key. Text fields stored in our database (extracted text, anonymized text, original filename, and extraction metadata) are also encrypted at the field level using the same per-document key. No document content is stored in plaintext in our database.
Supported file formats: PDF, DOCX, TXT, PPTX, XLSX, HTML, CSV, JSON, XML, EPUB, JPG, PNG, and HEIC.
2.5 Security and Audit Data
We collect the following data to maintain security and provide audit trails:
- Account events: Login attempts (successful and failed), logouts, password changes, email changes, and MFA enrollment or removal. Each event records your IP address, browser user agent, and timestamp.
- Document access logs: Each time you or another authorized user views text, downloads a file, decrypts redacted content, or exports an encryption key, we record the user, document, access type, IP address, and timestamp. These records are immutable and cannot be edited or deleted.
- AI chat usage: For billing purposes, we record token counts, the provider and model used, and the cost of each request. We do not log the content of your chat messages in our usage records.
- Credit transactions: Amounts, types (monthly allowance, purchase, usage charge, debt write-off), and timestamps for your credit balance.
2.6 Automatically Collected Technical Data
When you access the Service, our servers automatically record:
- Your IP address
- Browser type and version (user agent string)
- Pages requested and timestamps
We do not use any third-party analytics services, advertising networks, tracking pixels, browser fingerprinting, or social media widgets. We do not build behavioral profiles of our users.
3. Cookies
We use only two cookies, both strictly necessary for the Service to function:
| Cookie | Purpose | Attributes | Duration |
|---|---|---|---|
| sessionid | Maintains your authenticated session | HttpOnly, Secure, SameSite=Lax | 8 hours (sliding; resets on each request) |
| csrftoken | Protects against cross-site request forgery attacks | Secure, SameSite=Lax | Browser session |
Because these cookies are essential for security and authentication (not for tracking or advertising), no consent banner is required under the EU ePrivacy Directive, GDPR, or Japan's Act on the Protection of Personal Information (APPI).
4. How We Use Your Data
We use your personal data for the following purposes and no others:
- Providing the Service: Uploading, scanning, processing, anonymizing, and delivering your documents; managing your document retention preferences.
- Account management: Creating and maintaining your account; authenticating your identity; verifying your email address; processing password resets.
- Billing: Processing payments via Stripe; managing your subscription plan; tracking credit balances and usage.
- Security: Scanning uploads for malware (ClamAV); preventing unauthorized access; maintaining audit trails; enforcing rate limits; detecting and preventing fraud and abuse.
- Transactional communications: Sending email verification, password reset emails, document retention reminders (sent 7 days before automatic deletion), and account invitations.
- AI-assisted refinement: When you use the AI chat feature, sending your conversation and document text to your selected AI provider to generate responses.
We do not use your personal data for advertising, marketing, profiling, automated decision-making, or selling to third parties.
5. Legal Basis for Processing
5.1 Under the EU General Data Protection Regulation (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Document processing and anonymization | Performance of contract (Art. 6(1)(b)) |
| Payment processing via Stripe | Performance of contract (Art. 6(1)(b)) |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Security logging, audit trails, malware scanning | Legitimate interest (Art. 6(1)(f)) |
| Abuse prevention (canonical email hash) | Legitimate interest (Art. 6(1)(f)) |
5.2 Under Japan's Act on the Protection of Personal Information (APPI)
We process personal data in accordance with the APPI. We have identified the purposes of use for each category of personal data as described in Section 4, and we do not use personal data beyond those stated purposes. We implement appropriate security management measures as described in Section 8.
6. Third-Party Services and Subprocessors
We share data with the following service providers solely to operate the Service. We do not sell, rent, or otherwise disclose your personal data to any other third party.
| Provider | Purpose | Data Shared | Server Location |
|---|---|---|---|
| Amazon Web Services (S3, KMS, CloudTrail) | Document storage, encryption key management, and operation audit logging | Uploaded files, encrypted document keys, operation metadata | Tokyo, Japan (ap-northeast-1) |
| Heroku (Salesforce) | Application hosting, database, and task processing | All application data (encrypted at the application level) | United States |
| Stripe, Inc. | Payment processing | Email address, plan selection (Stripe handles all card data directly) | United States |
| Google LLC | OAuth authentication (optional) | Email and basic profile, only during the sign-in flow | United States |
| Google Gmail SMTP | Transactional email delivery | Recipient email address, email subject, and email body | United States |
6.1 AI Chat Providers
When you use the optional AI chat feature to refine your anonymization results, we send your conversation messages and document text to the AI provider you select from the following:
- Hugging Face (default provider)
- OpenAI
- DeepSeek
- OpenRouter
You choose which provider to use for each conversation. We send only the extracted document text and your chat messages. We do not send the original file, your email address, or other account information. Each provider's own privacy policy governs their handling of data they receive.
Important: If your document contains personal information that was not fully redacted by the anonymization pipeline, that information may be included in the text sent to the AI provider. We recommend reviewing the anonymized output before using the AI chat feature on documents containing sensitive data.
7. Document Retention and Deletion
You control how long your documents are retained after processing. You may select one of the following retention periods at the time of upload or in your account settings:
- Delete immediately after processing (0 hours)
- 1 hour
- 24 hours
- 30 days (default)
- 1 year
If you belong to an organization, your organization's administrator may set a mandatory retention policy that overrides your personal preference.
When a document's retention period expires, the following actions are performed automatically:
- The original uploaded file and the anonymized output file are permanently deleted from storage.
- All extracted text, anonymized text, original filename, and processing metadata are permanently scrubbed from the database.
- The document's encryption key is permanently destroyed, making any previously exported encrypted data unrecoverable.
- Any AI chat messages that referenced the document are replaced with a placeholder ("[Document purged]").
We send a reminder email approximately 7 days before automatic deletion (except for documents set to immediate deletion or 1-hour retention).
You may also manually delete any document at any time from the Documents page.
8. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption in transit: All connections are encrypted using TLS. HTTPS is enforced via redirect, and HTTP Strict Transport Security (HSTS) is enabled with preloading.
- Encryption at rest (storage): All documents stored in AWS S3 are encrypted using AES-256 with AWS KMS Customer Managed Keys (SSE-KMS).
- Encryption at rest (database): Document text fields are encrypted at the application level using AES-256-GCM with per-document data encryption keys. These keys are wrapped (encrypted) by AWS KMS and stored separately from the data they protect.
- Password security: Passwords are hashed using Argon2, the winner of the Password Hashing Competition, which provides strong resistance against brute-force and GPU-based attacks.
- Multi-factor authentication: Users may enable TOTP, recovery codes, or WebAuthn hardware security keys for additional account protection.
- Malware scanning: Every uploaded file is scanned with ClamAV antivirus before it is accepted for processing. Files that fail the scan are rejected and deleted.
- Content Security Policy: Strict CSP headers are enforced to prevent cross-site scripting (XSS) and other injection attacks.
- Rate limiting: All API endpoints are rate-limited to prevent abuse and denial-of-service attacks.
- Audit trails: Document access events are recorded in immutable, append-only audit logs that cannot be edited or deleted.
- Session security: Session cookies are HttpOnly (not accessible to JavaScript), Secure (transmitted only over HTTPS), and SameSite=Lax. Sessions expire after 8 hours of inactivity.
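The envelope-encryption scheme described in Sections 2.4, 7 and 8 (a fresh AES-256-GCM data key per document, that key wrapped by a key-management key, the same data key reused for field-level encryption of text and filename, and deletion achieved by destroying the wrapped key) can be illustrated with the following Go program. It is an added example written for this page, not Tokumeika's own code: a local in-process AES-256 key (KeyWrapper) stands in for the AWS KMS Customer Managed Key, the type and function names are hypothetical, and the sample document contents are constructed. Binding each ciphertext to the document ID and field name via GCM's additional authenticated data is a design choice added here so that ciphertexts cannot be swapped between fields or documents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrKeyDestroyed is returned once a document's data key has been purged.
var ErrKeyDestroyed = errors.New("document key destroyed; ciphertext is unrecoverable")

// KeyWrapper stands in for the KMS Customer Managed Key (hypothetical name).
// In a real deployment Wrap/Unwrap would be KMS Encrypt/Decrypt calls and the
// key-encryption key (KEK) would never leave KMS.
type KeyWrapper struct{ kek []byte }

func NewKeyWrapper() (*KeyWrapper, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyWrapper{kek: kek}, nil
}

// gcm returns an AES-256-GCM AEAD for a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, authenticates aad, and returns nonce||ciphertext.
// A fresh random 96-bit nonce is used for every call, so the same DEK can safely
// protect several fields of one document.
func seal(key []byte, aad string, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// open reverses seal; it fails on tampering or on a mismatched aad.
func open(key []byte, aad string, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(aad))
}

// Wrap encrypts a per-document DEK under the KEK (the KMS Encrypt step).
func (w *KeyWrapper) Wrap(dek []byte, docID string) ([]byte, error) {
	return seal(w.kek, "dek:"+docID, dek)
}

// Unwrap recovers the DEK (the KMS Decrypt step).
func (w *KeyWrapper) Unwrap(wrapped []byte, docID string) ([]byte, error) {
	return open(w.kek, "dek:"+docID, wrapped)
}

// DocumentRecord is what the database holds: ciphertext plus the wrapped key,
// never plaintext content. The policy stores the wrapped key apart from the data.
type DocumentRecord struct {
	ID         string
	WrappedDEK []byte // nil once the document has been purged
	File       []byte // encrypted uploaded file
	Text       []byte // encrypted extracted text (field-level)
	Filename   []byte // encrypted original filename (field-level)
}

// EncryptDocument generates a fresh DEK, encrypts the file and each text field
// with it (distinct nonces; AAD = document ID + field name), then wraps the DEK.
func EncryptDocument(w *KeyWrapper, id string, file, text, filename []byte) (*DocumentRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	rec := &DocumentRecord{ID: id}
	var err error
	if rec.File, err = seal(dek, id+":file", file); err != nil {
		return nil, err
	}
	if rec.Text, err = seal(dek, id+":text", text); err != nil {
		return nil, err
	}
	if rec.Filename, err = seal(dek, id+":filename", filename); err != nil {
		return nil, err
	}
	if rec.WrappedDEK, err = w.Wrap(dek, id); err != nil {
		return nil, err
	}
	for i := range dek { // the plaintext DEK lives only for the duration of this call
		dek[i] = 0
	}
	return rec, nil
}

// DecryptField unwraps the DEK and decrypts one ciphertext belonging to rec.
// The blob is passed explicitly so that a copy exported before expiry can be tried.
func DecryptField(w *KeyWrapper, rec *DocumentRecord, field string, blob []byte) ([]byte, error) {
	if rec.WrappedDEK == nil {
		return nil, ErrKeyDestroyed
	}
	dek, err := w.Unwrap(rec.WrappedDEK, rec.ID)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.ID+":"+field, blob)
}

// Purge is the retention-expiry step: destroying the wrapped DEK makes every copy
// of the ciphertext, including previously exported ones, unrecoverable even
// though the KEK itself still exists.
func Purge(rec *DocumentRecord) {
	for i := range rec.WrappedDEK {
		rec.WrappedDEK[i] = 0
	}
	rec.WrappedDEK = nil
	rec.File, rec.Text, rec.Filename = nil, nil, nil
}

func main() {
	w, _ := NewKeyWrapper()
	// Constructed sample document, not real data.
	rec, _ := EncryptDocument(w, "doc-42", []byte("%PDF-1.7 ..."), []byte("Taro Yamada, 03-1234-5678"), []byte("contract.pdf"))
	text, _ := DecryptField(w, rec, "text", rec.Text)
	fmt.Printf("decrypted text: %s\n", text)
	exported := append([]byte(nil), rec.Text...) // an export taken before expiry
	Purge(rec)
	_, err := DecryptField(w, rec, "text", exported)
	fmt.Println("after purge:", err)
}
```

Two properties worth checking on any such implementation: a ciphertext moved from one field or document to another must fail authentication (the AAD binding), and after the wrapped key is destroyed, decryption must fail for every copy of the ciphertext, not just the one held in storage.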
9. International Data Transfers
Your documents are stored in Amazon Web Services facilities in Tokyo, Japan (ap-northeast-1 region). Our application servers and database are hosted by Heroku in the United States. Payment processing occurs through Stripe's infrastructure in the United States.
When you use the AI chat feature, your conversation data is sent to the provider you select, which may process data in various jurisdictions.
For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to countries that the European Commission has not recognized as providing adequate protection, we rely on Standard Contractual Clauses (SCCs) incorporated into our agreements with subprocessors, as well as the supplementary measures described in Section 8.
10. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Correct inaccurate personal data. You can update your name, email, and preferences directly in your account Settings.
- Right to erasure ("right to be forgotten"): Request deletion of your account and personal data. You can initiate this by deactivating your account in Settings.
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to restriction of processing: Request that we limit how we process your data in certain circumstances.
- Right to object: Object to processing based on our legitimate interest.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).
- Right to lodge a complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact privacy@tokumeika.com. We will respond within 30 days (or within the timeframe required by applicable law).
10.1 Account Deactivation
You may deactivate your account at any time from the Settings page. When you deactivate your account:
- Your login is immediately disabled and all active sessions are terminated.
- Your Stripe subscription is cancelled (if active).
- You are removed from any organization you belong to.
- Your email address, name, and password are permanently scrubbed from our records. Your email is replaced with a non-functional placeholder.
- A SHA-256 hash of your original email address is retained solely to prevent abuse (e.g., repeated free-tier registrations). It is a one-way value that cannot be reversed to recover your email address, although a party who already knows a specific address could confirm whether it matches.
- Your documents, audit logs, and transaction history are preserved in anonymized form for compliance and audit purposes.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@tokumeika.com and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective date" at the top of this page.
- Notify registered users by email at least 14 days before the change takes effect.
- Display a prominent notice on the Service.
Your continued use of the Service after the new effective date constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may deactivate your account before the effective date.
13. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Email: privacy@tokumeika.com
- Alternative: privacy@bestpathresearch.com
- Entity: K.K. Best Path Research (株式会社 Best Path Research)