This Privacy & Security Policy (the “Policy”) applies to Locus Blue (ScanX) (the “Company”) in processing the Personal Data (as defined under Section 1), or offering its services, including without limitation, in the European Economic Area (“EEA”) and Japan. The Company complies with General Data Protection Regulation (“GDPR”) as well as the Act on the Protection of Personal Information in Japan (the “JP Act”), and other applicable laws, and the Policy describes how the Company collects and otherwise processes the Personal Data (as specified under Section 1).


“Personal Data” means any information that relates to any user for the Company’s services, direct or indirect, or any other personal data as defined under GDPR. The Company collects and processes the following categories of the Personal Data:

  • Contact Information: user’s name, address, email address;
  • Financial Information: credit card information, bank account information, necessary for the payment;
  • Technical Information: IP address, device information (Browser, OS), data collected about the user’s interaction the Company’s services, such as login activity information (time of last login), Cookies and automated technologies; or
  • User Information and Direct Interactions: text, message, photograph, images, applications, or any data, provided or produced from the user through the services of the Company. Purchase and subscription history of the user (if applicable).

The Company uses the Personal Data in connection with the services the Company provide to the user. The Company only process the Personal Data on the basis of our legitimate interest to provide the services to the user, and below is a description of how the Company uses the Personal Data:

  • To ensure the Company can contact the user in a timely manner;
  • To consider the best way to provide with the Company’s services;
  • To provide the user with sufficient support to fix technical issues;
  • To share beneficial or relevant information with the user in connection with the Company’s services; or
  • To measure the Company’s performance and the quality of the Company’s services, including after services.

The Company takes security, compliance, and the protection of the Personal Data seriously.

The Company will endeavor to maintain or process the Personal Data in an appropriate manner and implement the following strict organizational safeguards and appropriate systems designed to ensure the Personal Data in protected from unauthorized access, use, disclosure, accidental loss, modification or destruction, according to the applicable laws and regulations:

  • InfrastructureThe Personal Data is sent securely to the Company via the HTTPS protocol using the latest recommended ciphers and TLS protocol. All Personal Data is encrypted at rest on the Company’s servers.
  • Physical AccessThe Company hosts its data on Amazon Web Services. However, in cases where the Company (particularly, its administrator) needs physical access to data, access rights will be established and periodically reviewed based on its business needs and external requirements, including contractual obligations, relevant legislative and regulatory requirements, consistency across the Company’s systems.
  • Limited Access PolicyAll critical information/data must limit and enforce access to only the times identified as necessary for the completion of the Company’s business processes. To this end, all user access to, user queries of, and user actions on databases are through programmatic methods, and only database administrators of the Company can directly access or query databases. In addition, all critical information systems and applications must not allow users to have multiple concurrent sessions on the same system.
  • AuditThe Company shall conduct security audits by an appropriate auditor on a regular basis and as needed. The independent security auditor evaluates systems for security best practices and compliance with an established set of security requirements.
  • Login SecurityUsers are required to log in to the Company’s systems to access their user accounts. Logging into the said systems requires the users to authenticate themselves. The authentication method depends on the sensitivity of the information asset, and the authorization level provided by the Company are designed for the individual use of the user receiving the information/data. Authentication data shall not be given to any other party, nor should it be used in any way other than for the fulfillment of the user’s duties.
  • Risk AssessmentTo properly secure and protect the user’s data, a significant amount of design, planning, and implementation expertise is required to ensure that the proper level of controls is designed and implemented. While preparing and conducting a risk assessment, the risk assessment shall identify assets, threats to the assets, vulnerabilities that exist as a result of the threats, and the likelihood of the event.
  • Corporate Risk ManagementThe Company’s officers/executives shall be fully involved in risk management and mitigation decisions including how security processes are communicated throughout the Company. The risk assessment, risk analysis, and risk treatment plan shall be reviewed on a regular basis to ensure that controls are sufficient and effective at treating such risks. Additionally, the Company’s management is committed to maintaining a high level of information security and intends to invest the required information technology resources to enforce its policy in all aspects of the Company’s activities.
  • Retention of Personal DataThe Company keeps the Personal Data for as long as necessary to fulfill the purposes the Company collected it for, including any legal, accounting or regulatory requirements.
  • Other Organizational Systems
    > Regularly training the Company’s personnel on data protection and cybersecurity
    > Limiting the collection and use of the Personal Data to the extent necessary to provide the user with the Company’s services
  • Other Technical Safeguards
    > SSL security –
    To prevent a third party from reading or falsifying important Personal Data, the page related to the user’s Personal Data is protected by SSL.
    > User information –
    User’s Personal Data is kept in a way only the owner of the Personal Data can see it through user authentication.
    > File uploaded –
    The files also the user provided will be kept securely in the systems storage device and can only be accessible for the user through download. Other users are not able to download such files.

The Company will not disclose the Personal Data to any third party, with the exception of the cases as described below:

  • Cases where the Company obtained prior consent from the user;
  • Cases where the Company obtained prior consent from the user;
  • Cases where the Company partly outsources its operation to third party to develop or produce the Company’s services
The Company may outsource, partially or entirely, its processing the Personal Data to third party (in cases where it outsources the management of the Personal Data to appropriate operators). In such case, the Company will contract an agreement as appropriate, such as NDA, and supervise appropriately in order to secure the protection of the Personal Data within the outsourced third party.

The Company may time to time change the Policy as appropriate, by considering the operational requirements and complying with the applicable laws.

The revised Policy will be published on the Company’s website or be notified in any other reasonable way. However, in the case where such revision requires a prior consent from the user, the Company shall obtain such consent as appropriate, in a method which the Company separately stipulates.


Under the GDPR, or the JP Act, the users have the following rights regarding the Personal Data that the Company processes as stated below: right to access the required information, right to rectification of inaccurate Personal Data concerning the user, right to erasure (deletion) of the Personal Data concerning the user without undue delay, right to withdraw consent, right to object.

When the user requests (based on the GDPR, the JP Act, or applicable laws) for disclosure, correction, or cessation of use of the Personal Data, or otherwise permitted use of the said rights by contacting the Company via email or in other designated formats, the Company will respond without delay within a reasonable period of time. However, the Company may not be able to correspond to such request, in the case where the Company must comply with the said applicable laws. In the case of disclosure, the Company will charge the user for certain fee (¥1,000 per a record).

The Company accepts inquiries via email address: