FifthKeys

Why Choose Us

How It Works

FAQ

FifthKeys Privacy Policy

Effective Date: January 21, 2025 – Version 2.1
Beyondbrain Incorp.

Table of Contents

  1. Introduction & Scope
  2. Definitions
  3. Information We Collect
  4. Use of Information
  5. Data Sharing & Disclosure
  6. Data Security
  7. Data Retention
  8. User Rights
  9. Changes to This Privacy Policy
  10. Governing Law
  11. Contact Information

1. Introduction & Scope

1.1 Overview

This Privacy Policy ("Policy") outlines how Beyondbrain Incorp. ("Company," "we," "us," or "our") collects, uses, and safeguards personal and non-personal data through our AI-driven hospitality platform, FifthKeys ("Service"). Designed for hotel operators to manage guest services and provide basic AI-enhanced insights, FifthKeys offers practical features—such as suggesting room preferences based on limited historical data—while ensuring privacy and legal compliance.

As a seed-stage company, we are committed to transparency and data protection, adhering to applicable privacy laws including, but not limited to:

  • General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for EU data subjects;
  • California Consumer Privacy Act (CCPA) (Cal. Civ. Code § 1798.100 et seq.) for California residents;
  • And other relevant privacy laws.

This Policy is designed to evolve alongside our company, reflecting our current capabilities while laying the groundwork for future enhancements.

1.2 Scope of Application

This Policy applies to all individuals and entities interacting with FifthKeys, including:

  • Hotel Operators: Property managers, staff, or authorized representatives managing bookings and guest interactions.
  • Guests: Individuals staying at properties that utilize FifthKeys, whose preference data (e.g., room type, check-in time) is used to improve their experience.

Data collected by third parties not acting on our behalf (e.g., independent hotel websites or booking platforms) is not covered by this Policy.

1.3 Commitment to Privacy

We embrace the principles of data minimization, purpose limitation, and user control. Even as a growing startup, we have established foundational measures to protect your data and uphold your privacy rights, ensuring our practices align with applicable regulations.

2. Definitions

For clarity and consistency, the following terms are defined throughout this Policy:

  • Personal Data: Any information that identifies or can be used to identify an individual (e.g., name, email, phone number, IP address).
  • Sensitive Personal Data: A subset of Personal Data requiring enhanced protection, including details about racial or ethnic origin, political opinions, religious beliefs, health, biometrics, or financial information.
  • Anonymized Data: Data stripped of personal identifiers to prevent re-identification (e.g., aggregated guest preference statistics).
  • Service Providers: Third-party entities engaged to process data on our behalf (e.g., cloud hosting, payment processing, customer support).
  • Data Subject: An individual whose Personal Data is processed by us.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • Data Controller: The entity determining the purposes and means of data processing (Beyondbrain Incorp.).
  • Data Processor: A third party that processes Personal Data on behalf of the Data Controller.

3. Information We Collect

3.1 Categories of Data Collected

3.1.1 Personal Information

  • Examples: Full name, email address, phone number, job title (e.g., "Front Desk Manager").
  • How It's Collected: Directly provided by users during registration, check-in, or other secure interactions on our platform.

3.1.2 Guest Preference Data

  • Examples:
    • Room preferences (e.g., "king bed, non-smoking")
    • Check-in/check-out time preferences (e.g., "early check-in after 12 PM")
    • Feedback on previous stays (e.g., "preferred quiet rooms")
  • Note: Where feasible, this data is anonymized by replacing personal identifiers with unique codes.

3.1.3 Technical Data

  • Examples:
    • IP address, device type, operating system, browser type/version, and session cookies.
  • Purpose: To ensure compatibility, monitor security, and analyze usage patterns.

3.2 Sensitive Data

We only collect Sensitive Personal Data when absolutely necessary. Such data might include health details or biometric information—collected only after obtaining explicit consent and applying enhanced safeguards like robust encryption and restricted access.

3.3 Collection Methods

Data is gathered through:

  • Direct Submission: Via registration forms, booking interfaces, guest surveys, and email communications.
  • Automated Means: Through technologies like session cookies and server logs that capture technical data during your interactions with our Service.

3.4 Data Minimization

We focus on collecting only the data essential for the functionality of FifthKeys, aligning with best practices and regulatory principles such as those set out in GDPR (Article 5(1)(c)) and CCPA (§ 1798.100(b)).

4. Use of Information

4.1 Purposes for Processing

Your data is processed for clearly defined, lawful purposes, including:

4.1.1 Service Delivery

  • Examples:
    • Using guest preferences to assign optimal room types (e.g., allocating a quiet room based on previous requests).
    • Processing operator data to streamline booking workflows and verify access credentials.
  • How It Works: Basic AI tools analyze historical data to generate useful suggestions without engaging in extensive profiling.

4.1.2 Communications

  • Examples:
    • Sending booking confirmations (e.g., "Your reservation for January 25, 2025, at Hotel Alpha is confirmed.")
    • Answering common guest inquiries efficiently.
  • How It Works: Automated responses are triggered by specific events to enhance communication efficiency.

4.1.3 Analytics and Improvement

  • Examples:
    • Analyzing anonymized data to discern trends such as peak booking times or popular room types.
    • Monitoring technical data to optimize platform performance.
  • How It Works: Aggregated and anonymized data drives informed development and service enhancements.

4.1.4 Legal Compliance and Security

  • Examples:
    • Retaining booking records for tax or audit compliance.
    • Monitoring IP addresses to detect and prevent unauthorized access or fraud.
  • How It Works: Data is processed strictly within the bounds of legal obligations and to protect our Service and users.

4.2 Legal Basis for Processing

Our processing activities are supported by the following legal bases under GDPR (Article 6) and CCPA:

  • Consent (GDPR Art. 6(1)(a)): For optional services such as marketing communications.
  • Contractual Necessity (GDPR Art. 6(1)(b)): To meet the obligations of our service agreements.
  • Legal Obligation (GDPR Art. 6(1)(c)): To comply with applicable laws.
  • Legitimate Interests (GDPR Art. 6(1)(f)): For essential operational purposes that do not override your rights.

4.3 Limitations

Given our current scale, we do not engage in advanced profiling or automated decision-making that significantly impacts Data Subjects, ensuring our AI features remain focused solely on enhancing convenience.

5. Data Sharing & Disclosure

5.1 Categories of Recipients

5.1.1 Service Providers

  • Examples: Cloud hosting services (e.g., AWS, Google Cloud), payment processors (e.g., Stripe, PayPal), and customer support platforms (e.g., Zendesk).
  • Safeguards:
    • We choose providers with proven security certifications (e.g., ISO 27001, SOC 2 Type II).
    • We enforce data processing agreements that require adherence to our strict security and confidentiality standards.

5.1.2 Legal Authorities

  • Examples: Disclosures made in response to valid subpoenas, court orders, or law enforcement requests, and financial data provided for tax audits.
  • Process: All requests are carefully reviewed by legal advisors to ensure proportional and lawful disclosure. We will notify affected users where legally permissible.

5.1.3 Business Transfers

  • Examples: Data sharing during mergers, acquisitions, or investment due diligence.
  • Safeguards: Data shared is strictly limited to what is necessary, with recipients bound by confidentiality agreements.

5.2 No Sale of Data

We do not sell, rent, or lease your Personal Data. All data sharing is strictly confined to operational needs or legal compliance.

5.3 International Transfers

For data transfers outside your jurisdiction (e.g., to U.S.-based cloud servers), we implement safeguards such as:

  • Standard Contractual Clauses (SCCs) as mandated by the European Commission;
  • Binding Corporate Rules (BCRs) for intra-group transfers; and
  • Adequacy Decisions where applicable.

We ensure that all international transfers comply with GDPR Chapter V and CCPA requirements.

6. Data Security

6.1 Security Measures

We employ both technical and organizational safeguards proportionate to our current scale:

  • Encryption:
    • Data at rest is secured with AES-256 encryption.
    • Data in transit is protected using TLS 1.3.
  • Access Controls:
    • Access to Personal Data is limited to essential personnel via strong password policies and two-factor authentication (2FA).
    • Role-based access controls (RBAC) ensure data is only accessible to those who need it.
  • Regular Reviews:
    • Quarterly security assessments—including penetration tests and vulnerability scans—help us identify and remediate potential risks.
  • Employee Training:
    • Staff undergo regular data protection training, covering topics such as GDPR, CCPA, phishing awareness, and secure data handling practices.

6.2 Incident Response

In the event of a data breach, we will:

  • Initiate an investigation within 72 hours of detection, as mandated by GDPR Art. 33.
  • Notify affected users and regulatory authorities promptly, if the breach poses a risk to individual rights.
  • Take immediate corrective measures to isolate and remedy the breach.
  • Document the incident and the steps taken to mitigate it, in accordance with GDPR guidelines.

6.3 Limitations

While our current security measures are robust within our resource constraints, we are continually working to enhance our defenses as our company grows.

7. Data Retention

7.1 Retention Periods

We retain data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law:

  • Personal Data: Typically retained for two years following the termination of your relationship with our Service. Longer retention may be necessary for legal or tax reasons (e.g., six years under Japanese tax law).
  • Anonymized Data: May be retained indefinitely for analysis and service improvement without compromising individual privacy.
  • Technical Logs: Kept for six months to assist in diagnosing issues and monitoring system performance.

Retention practices are reviewed annually to ensure ongoing compliance with applicable regulations.

7.2 Deletion Process

When data is no longer needed, we employ industry-standard deletion methods—such as data overwriting or physical destruction of storage media—to ensure complete removal. Users may also request deletion of their Personal Data, subject to legal obligations.

8. User Rights

8.1 Your Rights

Depending on your jurisdiction, you have the following rights regarding your Personal Data:

8.1.1 GDPR Rights (for EU Data Subjects)

  • Right of Access: Obtain a copy of the Personal Data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data, where legally permissible.
  • Right to Restrict Processing: Ask us to limit how your data is processed.
  • Right to Data Portability: Request your data in a structured, machine-readable format for transfer to another service.
  • Right to Object: Object to certain processing activities, such as direct marketing.
  • Right to Withdraw Consent: Revoke consent at any time if processing is based on it.

8.1.2 CCPA Rights (for California Residents)

  • Right to Know: Request details about the Personal Information collected, its sources, and its uses.
  • Right to Delete: Request deletion of your Personal Information, subject to applicable exceptions.
  • Right to Opt-Out: Opt-out of the sale of your Personal Information (not applicable as we do not sell data).
  • Right to Non-Discrimination: Exercise your rights without facing any adverse treatment.

8.2 Exercising Your Rights

To exercise your rights, please contact us using the details in Section 11. Your request should include sufficient information to verify your identity and specify the right you wish to exercise. We will respond within the statutory timeframes—30 days for GDPR requests (with possible extensions) and 45 days for CCPA requests.

8.3 Verification

For security purposes, we may require additional verification (such as a copy of a government-issued ID) before processing certain requests.

8.4 Complaints

If you believe your privacy rights have been compromised, you have the right to lodge a complaint with your local supervisory authority (GDPR Art. 77) or with the California Attorney General (CCPA § 1798.199.90).

9. Changes to This Privacy Policy

9.1 Update Process

We may periodically update this Policy to reflect changes in our practices or legal obligations. Significant changes will be communicated via email and a prominent notice on our website at least 30 days prior to taking effect.

9.2 Version History

Archived versions of this Policy are available upon request, ensuring full transparency regarding our evolving privacy practices.

10. Governing Law

This Policy is governed by the laws of Japan, without regard to conflict of law principles. Any disputes arising from this Policy will be subject to the exclusive jurisdiction of the courts in Tokyo, Japan. This clause complies with the extraterritorial requirements of both GDPR and CCPA where applicable.

11. Contact Information

For any questions, concerns, or requests regarding this Policy or our data practices, please contact us at:

  • Email: hello@beyondbrain.com
  • Postal Address: Beyondbrain Incorp., Attention: Privacy Team, 39F, 2 Chome-24-12 Shibuya, Shibuya-ku, Tokyo 150-6139, Japan

Copyright 2025 FifthKey. All right reserved

Privacy PolicyTerms and conditionsDPASecuritySubprocessors