Privacy policy
Established: December 1, 2023
Last revised: May 21, 2026
This amendment was published on April 21, 2026 and comes into force on May 21, 2026.
1. Introduction
The Japan Working Holiday Association (hereinafter referred to as "the association") collects various information about you (hereinafter referred to as "personal data") in order to operate the working holiday system and carry out various procedures.
The Association considers the information entrusted to it to be one of its most important assets, and treats its protection and management with utmost care as the most important aspect of the Association's activities. Specifically, we have established the privacy policy below, disseminate it thoroughly to all employees and related parties, and are committed to the appropriate handling and management of your personal data.
2. Scope of this privacy policy
This privacy policy applies to all personal data managed by our association, regardless of country or region.
[Privacy policy language]
This privacy policy may be translated and posted in languages other than Japanese, but in the event of any discrepancy or inconsistency between the Japanese version and the other language version, the Japanese version shall prevail.
Please note: this English version has been prepared with the assistance of machine translation. For the authoritative and legally binding text, please refer to the Japanese version.
3. Personal data to be obtained
Our association acquires the following personal data by lawful and fair methods.
・Personal data provided by customers
・Personal data related to the use of each service of our association (hereinafter referred to as
"related services")
・Personal data held within our association group and partner companies that share
information
・In addition to the above, personal data legally acquired by our association, including from
third parties
[If you cannot provide the relevant information]
If you are unable to provide information that must be registered or provided in order to use
our association's services or related services, you may not be able to use all or part of our
association's services or related services.
[Specific examples of personal data]
Examples of the personal data we collect include the following:
・Email address and phone number required for account registration
・Contents of your cooperation in the questionnaire
・Documents provided for identity verification
・Customer profile information (including icon image, display name, etc.)
・Browsing history and device information of websites and smartphone apps
・Personal data that falls under the Act on the Protection of Personal Information (personal
identification code, name, date of birth, etc.)
4. Compliance with laws and regulations
We comply with the Act on the Protection of Personal Information (Personal Information Protection Act), other related laws and regulations, and guidelines from related government agencies, and manage personal information lawfully.
5. Purpose of use of personal data
Personal data will be strictly managed with the purpose of use clearly limited as follows. In
addition, in order to proceed smoothly with our operations, we may outsource some of our
operations and provide necessary personal data to this subcontractor, but we will only provide
personal data to the extent that we have received prior consent from the customer. The
Association will conduct appropriate supervision, including conclusion of contracts regarding
the handling of personal information, with these subcontractors.
・Providing information on events such as seminars and language courses, information on products
and services, and promotional materials
・When conducting seminars, courses, etc., providing reservation-holder and participant
information to the organizer of the seminar/course, etc.
・Maintenance and support for services and systems provided by our association
・Marketing and research related to various businesses, and responses to customer inquiries
・Displaying advertisements and providing information on media managed by the association, such
as web pages, smartphone apps, and emails
・Study abroad services and related services
・Business related to study abroad trust business
・Providing information to job seekers and recruiting companies and related operations in
employment placement business and employment dispatch business
・Processing, analysis, summarization, translation, document-drafting assistance and other work-efficiency operations on personal data using artificial intelligence (AI) technology (including processing by AI systems running on an in-house local environment)
・Use as training data for the development, improvement, fine-tuning, etc. of AI models (including machine-learning models and generative AI) within the Association
・Provision of personal data to Approved External AI (external AI services designated by the Association in a separate whitelist, available for business use) for processing equivalent to that described above
・In order to appropriately and smoothly carry out transactions and contracts with
customers.
6. Disclaimer regarding use of personal data
In the following cases, personal data may be provided to a third party without the customer's
consent.
・When based on laws and regulations
・When it is difficult to obtain the consent of the person in order to protect the life, body, or
property of the person
・When our association and our customers provide information, when we outsource mail delivery
services or information distribution, and when we provide personal data to organizations deemed
necessary
7. Policy regarding information of minors
Our association values the privacy of minors and recognizes the need to protect them in particular, and has established the following policy.
[Prohibition of intentional information collection]
Our association does not intentionally collect personal data from minors. If it becomes
necessary to collect personal data from a minor, we will always obtain the consent of the
minor's guardian.
[Parental consent]
We will obtain explicit parental consent when storing information about minors. This includes
ensuring that minors fully understand the purpose and scope of use of their personal data and
obtaining their consent.
[Collecting unconfirmed information]
The website managed by our association (hereinafter referred to as "this website") does not have
a function to automatically identify whether a user is a minor. Therefore, this does not apply
to website access history or other information where it is difficult to confirm that the user is
a minor. This includes general website usage data and information collected through cookies.
[What to do when information about minors is discovered]
If we discover that we have stored information about a minor, we will promptly delete that
information unless we have obtained parental consent.
However, this excludes cases where it is deemed necessary to preserve the information for
explanations to parents, etc., cases where there is a request for cooperation from an
investigative agency, or cases where there is a legal requirement.
[AI use of minors' personal data]
When the personal data of minors is subject to AI use as provided in Article 17, the Association uses such data on an In-house Local LLM or an Approved External AI, based on the comprehensive consent obtained from the guardian (legal representative) at the time of application. Individual consent will not be obtained each time AI is used; however, if processing beyond the scope of the stated purpose of use becomes necessary, the Association will obtain separate, explicit consent from the guardian.
Inputting the personal data of minors into any external AI service other than an Approved External AI (i.e., into "Other External AI") will never be performed under any circumstances.
8. Information sharing and disclosure policy
The Association shares information within the Association group and with partner companies in order to make the most of the information obtained from customers and provide better services. This includes the following companies:
・Travel and Travel Co., Ltd.
・One Rank Co., Ltd.
We share information with these companies only to provide you with more relevant services and
products or to meet our legal obligations. The information shared is kept to the minimum
necessary and strict security measures are in place to protect your privacy.
Sharing of customer information will be done in accordance with the provisions of our
association's privacy policy and with the best interests of the customer in mind. You have the
right at any time to submit comments regarding this information sharing or to refuse to share
your information. If you have any questions or concerns about information sharing, please
contact our Privacy Policy Inquiry Desk.
9. Utilization of customer information
The browsing history and information obtained through cookies are used to provide you with more appropriate services and products. This includes providing personalized advertising and content, developing new services to meet your needs, and improving your user experience.
Such information may also be subject to AI use as provided in Article 17 (including internal AI model training and analysis by the Association).
10. Use of cookies and tracking technologies
Our website uses cookies and tracking technologies to provide you with a better browsing experience and to improve our services. Cookies are small data files that websites use to temporarily store information on your computer or mobile device. This allows our website to remember your visit and provide you with a more personalized experience on your next visit.
[Collected information]
・Customer browsing history
・Pages visited
・Links clicked
・Login information
・Other navigation data
[Purpose of use]
・Improve website performance and usability
・Providing advertisements and content suitable for customers
・Market analysis and research
・Behavioural analysis and service improvement using AI technology
[Customer options]
You have choices regarding the use of cookies. Through your browser settings, you can refuse the
use of cookies or receive notification when a cookie is set. However, please note that some
features of our website may not function properly if you disable cookies.
Please note that if you use the website of our association and related services without
disabling cookies in your browser, you will be deemed to have consented to the use of tracking
technology.
11. Personal data retention period
Our association has adopted the following policy regarding the retention of personal data:
[Definition of retention period]
For the duration of our relationship: We will continue to retain personal data for the duration
of our relationship with our customers. This includes maintaining an active account, providing
services, and providing customer support.
After the relationship ends: If the relationship with the customer ends, we retain personal data
for a period of 7 years. This period is in place to cover contractual obligations, legal
liability, and future claims and audits.
[Handling of AI training data]
Personal data used as training data for AI models pursuant to Article 17 will, as a general rule, be pseudonymized or anonymized prior to use. Information that has been internalized into a trained model shall fall outside the scope of the general retention period, but if a customer requests deletion, we will take reasonable measures (such as re-training or output filtering) to remove the identifiability of that information in the relevant model.
[Exceptions]
Special requirements:
In certain circumstances, such as contractual arrangements, immigration requirements, tax
billing or audit requirements, we may need to retain data beyond the standard retention periods
listed above. These requirements are determined based on applicable laws and regulations.
[Secure processing of data]
The Association guarantees that data that has expired will be safely and appropriately deleted
or anonymized.
12. International management and transfer of data
In order to ensure efficient management and protection of personal data, our association stores
and processes personal data on servers and data centers located in the following countries and
regions.
・Japan
・United States
・Singapore
・Australia
This includes backing up your personal data. Data management in these regions is done to ensure
high standards of security and privacy protection and complies with national data protection
laws.
[Provision to third parties located in foreign countries]
For the purposes of AI use as provided in Article 17, the Association may provide personal data to third parties located in foreign countries (such as providers of Approved External AI). In such cases, the Association will ensure a lawful cross-border transfer by one of the following methods, in accordance with Article 28 of the Act on the Protection of Personal Information.
・Obtaining prior explicit consent from the customer
・Where the third-party recipient has continuously established a system that takes measures equivalent to those required of a personal-information handling business operator in Japan (e.g. a Data Processing Agreement (DPA), SOC 2 or ISO 27001 certification, contractual guarantees of non-use for training, etc.), providing the data lawfully based on such a system
In either case, the Association will publish the following information on a dedicated page within the Privacy Center and keep it up to date.
・The name of the foreign country in which the third-party recipient is located (e.g. the United States of America)
・An overview of the personal-information protection regime in that foreign country (in accordance with the list of foreign regimes published by the Personal Information Protection Commission)
・An overview of the measures taken by the third-party recipient to protect personal information (non-use-for-training contracts, encryption, access control, SOC 2 and other certifications, etc.)
[Security of data transfer]
Your personal data will also be protected during international transfers using appropriate
security measures and encryption techniques. When moving data between these countries, we adhere
to strict procedures and regulations to maintain data privacy and security.
[Customer Rights and Choices]
You can contact us at any time regarding how we use your personal data and where we process it.
You also have the right to access, correct or delete your personal data.
If you have any questions or concerns regarding international data transfers, please feel free
to contact our Privacy Policy Inquiry Desk.
13. Procedures for accessing and correcting personal data
We will assist you in accessing and, if necessary, correcting your personal data.
[Access to personal data]
Access Request: You can access your personal data at any time. If you would like access, please
contact us using the details below.
Providing information:
After receiving your request for access, we will provide you with a copy of your personal data
within a reasonable period of time. The information we provide includes the types of personal
data we hold about you, the purposes for which the information is used, and the third parties
with whom it is shared.
Fees: Generally, this information is provided free of charge, but if you wish to have your personal information sent by mail, you will be responsible for the postage costs.
We may also charge a reasonable fee if your request is clearly unreasonable or excessively repetitive.
[Correction of personal data]
Correction request:
If you discover errors in your personal data or if the information is out of date, you can
correct it. If you wish to make corrections, please contact the Privacy Policy Inquiry Desk.
Implementation of corrections: After receiving a request for correction, the Association will
conduct the necessary checks and promptly correct the information. We will notify you when the
modification is complete.
Request to cease AI use: You may request that all or part of the AI use of your personal data as provided in Article 17 (in particular, provision to Approved External AI and use as training data) be ceased. Upon receipt of such a request, the Association will take reasonable measures to exclude the relevant personal data from AI processing thereafter.
Limitations and Denials: We reserve the right to deny amendment requests under certain
circumstances. For example, where the request violates a legal obligation or affects the rights
and freedoms of other individuals.
14. Regarding changes to the privacy policy
We may update this privacy policy from time to time in order to better serve our customers and to comply with legal requirements. We will respond to changes to the privacy policy as follows.
[Minor changes]
Minor changes to the privacy policy will be made without prior notice. This includes adjusting
the wording and updating non-essential content. We encourage you to periodically review this
page for the latest Privacy Policy.
[Important changes]
If there are any material changes to our privacy policy, we will notify you in advance before
implementing the change. Announcements may be made through notices on the website, email, or
other means of communication.
Material changes may include changes to how we use personal data, changes to our data sharing
policies, changes to data retention periods, and changes that affect your rights.
In addition, if important changes are made, we will obtain consent from the customer again as
necessary.
[Special provisions regarding changes to the purpose of use]
Where the Association changes the purpose of use within the scope of Article 17, Paragraph 2 of the Act on the Protection of Personal Information (i.e. where the revised purpose is reasonably recognized as having relevance to a reasonable extent with the purpose prior to the change), the Association may substitute publication of the revised purpose on this website for notification to the customer. If no objection is raised by the customer within thirty (30) days from such publication, the customer shall be deemed to have consented to the revised purpose of use.
[Explicit consent regarding provision to foreign third parties, etc.]
With respect to provision to third parties located in foreign countries as provided in Article 28 of the Act on the Protection of Personal Information (excluding cases where the exception based on the establishment of a conforming system applies), provision to third parties as provided in Article 27, Paragraph 1 of the same Act (where this does not fall under outsourcing), and changes to the handling of special care-required personal information, the Association will not adopt the notification-and-deemed-consent method by publication described in the preceding paragraph, but will obtain explicit consent from the customer separately. Such consent will be obtained through a consent-acquisition screen on the member's MyPage, a consent-acquisition form by e-mail, or by written means.
15. Response policy in the event of a data breach
We treat the security of your data as a top priority. In the unlikely event that a data breach occurs, we will respond promptly and appropriately in accordance with the guidelines of the Information-technology Promotion Agency (IPA) and the Personal Information Protection Commission, Japan's specialized organizations for information security measures.
[Correspondence procedure]
Breach Confirmation and Assessment: If we suspect a data breach, we immediately conduct an
internal investigation to confirm the breach. We assess the scale and impact of the breach and
plan necessary countermeasures.
Report to relevant authorities: We report the details of the breach to the Personal
Information Protection Commission and receive guidance.
Victim Notification:
If a data breach may affect your personal data, we will promptly notify victims. The
notification will include details of the breach, the type of data affected, the actions taken,
and any actions you should take.
Increased preventive measures: We review and strengthen our security posture to prevent future
breaches.
[Customer response]
If you become aware of a data breach, please immediately report it to the Privacy Policy Inquiry
Desk below and follow our instructions.
16. Relationships with third party service providers
We work with trusted third party service providers to provide certain services and features.
These service providers may process your personal data for the following purposes:
[Data processing by third parties]
Service provision:
They provide specific services and functions based on requests from our association. Examples
include cloud-based data storage, customer support, implementation of marketing campaigns, translation, summarization and analysis using AI technology, and so on.
Data protection: These third parties will take appropriate security measures to keep your data
safe and protected from unauthorized access, disclosure, loss or destruction.
[Selection criteria for Approved External AI]
The Association selects Approved External AI (whitelisted service providers) to which AI processing is outsourced based on the following criteria.
・The input data must not be used to re-train the provider's AI models (zero data retention or training opt-out must be contractually guaranteed)
・The provider must hold appropriate information-security certifications (such as SOC 2 Type II or ISO/IEC 27001)
・The provider must implement data-protection measures at a level equal to or greater than that required by the Act on the Protection of Personal Information
・The region of data processing and the retention period must be contractually specified
・An obligation to notify in the event of an incident must be contractually specified
[Selection criteria and supervision]
We rigorously select third-party service providers to ensure that your data is treated
appropriately and in compliance with applicable data protection legislation. We also have data
protection agreements in place with these providers and regularly audit their data processing
activities.
[Sharing with third parties]
Your personal data will be shared with third parties only for the purposes listed above. It will
not be shared for any other purpose.
17. Policy regarding the use of AI (Artificial Intelligence)
The Association uses artificial-intelligence (AI) technology for the purposes of improving operational efficiency, enhancing the quality of services offered to customers and advancing the management of the Association. When using AI, the Association will handle your personal data appropriately in accordance with the following policy.
[Basic principles of AI use]
When handling your personal data with AI, the Association establishes the following basic principles.
・Principle: The personal data of customers shall be used only with an "In-house Local LLM" or an "Approved External AI" (those designated by the Association in a separate whitelist).
・Absolute prohibition: Under no circumstances will the Association input the personal data of customers into "Other External AI".
[Types of AI use]
The Association engages in the following three types of AI use.
①In-house Local LLM: Using AI systems that operate within a closed network environment managed by the Association, the Association performs translation, summarization, document-drafting assistance, classification, analysis and similar tasks on personal data. The data is not transmitted outside and remains under the control of the Association.
②Outsourced use of Approved External AI: The Association uses external AI services designated in a separate whitelist (services that are available for business use and that contractually guarantee non-use for training and appropriate data-protection measures) in the form of business outsourcing for translation, summarization, document-drafting assistance and similar tasks. The list of Approved External AI is maintained on a dedicated page within the Privacy Center on the Association's website.
③Use as training data for AI models: The Association may use personal data it holds as training data for the internal development and improvement (including fine-tuning) of AI models. As a general rule, such data will be pseudonymized or anonymized prior to use.
[AI-use decision by data category]
The Association determines the permissibility of AI use for each category of personal data it handles, based on the following matrix. "Approved External AI" refers to external AI services designated by the Association in a separate whitelist, available for business use.
| Data category | In-house Local LLM | Approved External AI | Other External AI |
|---|---|---|---|
| [Information relating to customer individuals] | | | |
| My Number | Not permitted (consent cannot be given) | Not permitted (consent cannot be given) | Not permitted (consent cannot be given) |
| Individual identification codes other than My Number (passport number, driver's license number, basic pension number, Residence Card number, National Health Insurance number, Residence Certificate code, etc., as defined in Article 1 of the Enforcement Order of the Act on the Protection of Personal Information) | Permitted under comprehensive consent | Not permitted | Not permitted |
| Financial information (credit-card number, bank-account number, etc.) | Permitted under comprehensive consent | Not permitted | Not permitted |
| Special care-required personal information (medical history, criminal record, race, creed, etc.) | Permitted (consent obtained at time of acquisition) | Permitted under comprehensive consent | Not permitted |
| Personal data of minors | Permitted | Permitted under the guardian's (legal representative's) comprehensive consent | Not permitted |
| Ordinary personal information (name, phone number, e-mail address, contents of consultations, etc.) | Permitted | Permitted | Not permitted |
| Pseudonymized information (data that can be re-identified by matching with other information) | Permitted | Permitted | Not permitted |
| Data in the course of processing (not yet fully processed) | Permitted | Permitted | Not permitted |
| [Publicly available / anonymized information] | | | |
| Publicly available information (Association website, press releases, etc.) | Permitted | Permitted | Permitted in exceptional cases |
| Anonymized information (processed to a non-restorable state) | Permitted | Permitted | Permitted in exceptional cases |
| General research / marketing materials (non-confidential) | Permitted | Permitted | Permitted in exceptional cases |
※ "Comprehensive consent" refers to the consent given at the time the customer agrees to the privacy policy upon application, covering AI use within the scope set forth in this policy. The Association does not, as a general rule, obtain separate individual consent each time AI is used.
※ Pursuant to Articles 9, 19 and 20 of the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the "My Number Act"), the use of My Number for purposes other than the statutory purposes of social security, tax and disaster response is prohibited. Therefore, even with the customer's consent, the Association will not use My Number for AI purposes.
[Customer's request to prohibit AI input]
You may request the Association to prohibit the input of your personal data into AI. Upon receipt of such a request, the Association will take reasonable measures to exclude the relevant personal data from AI processing thereafter.
This request may be filed together with the request to cease AI use provided in Article 13, via the Association's inquiry desk (see Article 19).
[Security management measures for AI use]
The Association implements the following security management measures accompanying the use of AI.
・Access-right management and retention of usage logs
・Defences against attacks such as prompt injection
・Verification of opt-out-for-training settings when using Approved External AI
・Final human confirmation of AI outputs (human-in-the-loop)
・Prohibition of important decisions (recruitment, trust screening, etc.) based solely on automated processing
・Regular AI-ethics and information-security training for employees
[Customer rights]
You may request the cessation of AI use of your own personal data as provided in Article 17, pursuant to the procedure set forth in Article 13. Where explicit consent is required for provision to an Approved External AI (i.e. where the conforming-system exception under Article 12 is not applied), such provision will only be made after a separate consent-acquisition procedure has been carried out in accordance with Article 14.
18. Effective date of the privacy policy
This privacy policy (as amended) was published on April 21, 2026 and formally comes into force on May 21, 2026.
The timing at which the amendments take effect will, depending on the category of customer, be as follows.
・Customers who newly start using the Association's services on or after April 21, 2026: this amended privacy policy will apply immediately from the time of application (the time at which use begins). By using the Association's services, the customer shall be deemed to have consented to the contents of the amended privacy policy.
・Existing customers who have been using the Association's services since on or before April 20, 2026: the amended contents will apply from May 21, 2026 (the effective date). By continuing to use the services on or after the effective date, the customer shall be deemed to have consented to the amended contents. If an objection (such as a request to cease AI use) is received by the day before the effective date (May 20, 2026), such wishes will be respected.
However, matters requiring separate explicit consent as provided in Articles 12 and 14 are excluded from the above deemed-consent mechanism. The change history can be consulted from the Privacy Center.
Change history:
・December 1, 2023 — First edition established
・April 21, 2026 — New AI-use clause added, foreign third-party provision procedure clarified, subcontractor management criteria strengthened (amended version published)
・May 21, 2026 — Amended version formally comes into force
[Privacy Policy Update]
Our association may update this privacy policy as necessary. If changes are made, we will notify
you of the changes by posting a notice on our website or by sending a notification to your
registered email address. We are committed to providing you with sufficient notice of any
material changes to our policy before the changes take effect.
[Customer's responsibility]
It is your responsibility to periodically review this Privacy Policy and become aware of any
changes. By continuing to use the Service after the Policy has been changed, you will be deemed
to have accepted the changed Policy.
19. Contact information regarding personal data and privacy policy
Our association will promptly respond to complaints and inquiries regarding the handling of
personal data. Please use the contact information below to contact us. Please note that we will
respond only after confirming the identity of the person making the inquiry.
[Privacy Policy Inquiry Desk]
[Organization name] Japan Association for Working Holiday Makers
[Location] 4F Cross Office Shinjuku, 7-1-12 Nishi-Shinjuku, Shinjuku-ku, Tokyo, 160-0023
[Email] info@jawhm.or.jp
[Telephone number] +81-50-3355-7148 (English available)
