ITOCHU Corporation (hereinafter referred to as the “Company”, “we”, or “us”) sets forth the following privacy policy (hereinafter referred to as the "Policy") with regards to the handling of Personal Data (as defined below) of the users (hereinafter referred to as the "Users") of the services (hereinafter referred to as the "Services") provided via the Natural Rubber Traceability System (hereinafter referred to as "Itochu Traceability System").

The purpose of this Policy is to inform you (the Users) as to how the Company conducts the Personal Data processing, including but not limited to the management, collection, use, analysis, transfer, storage, disclosure, and removal of Personal Data relating to Users. In Singapore, such activities are subject to the Personal Data Protection Act (No. 26 of 2012) (the “PDPA”). In Indonesia, such activities are subject to Law No. 11 of 2008 on Electronic Information and Transaction as amended by Law No. 19 of 2016, Government Regulation No. 71 of 2019 on Implementation of Electronic Transaction and System, Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Providers as amended by Minister of Communication and Informatics Regulation No. 10 of 2021 and Minister of Communication Informatics Regulation No. 20 of 2016 on Personal Data Protection on Electronic System (collectively referred to as “Indonesian Data Protection Laws”). We conduct our business in compliance with the PDPA and Indonesian Data Protection Laws and have implemented various measures to ensure that any Personal Data relating to you remains safe and secure.

By using Itochu Traceability System, interacting with us, submitting information to us, or taking any other action indicating your intent to do so, Users hereby declare that he/she has been duly notified and informed on the terms of this Policy, as well as agree and consent to the Company and our affiliates and other related persons, whether overseas or otherwise (including but not limited to affiliates in Singapore and Indonesia and any of our or their agents, representatives or authorised service providers or any other persons acting on our or their behalf) – among others collecting, using and disclosing your Personal Data in the manner set forth in this Policy.

For the avoidance of doubt, this Policy supplements but does not supersede or replace any other consents which Users may have previously provided to us, or which Users may specifically provide us.

Article 1 (Personal Data)

1.1 The term "Personal Data" means any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time, both directly and indirectly through an electronic system and a non-electronic system. Personal Data may include information such as name, date of birth, address, telephone number, contact information, e-mail address, bank account data, ID information (including KTP number), or other description contained in such information that can be used to identify a specific living individual (personal identification information).

Article 2 (Method of Collecting Personal Data)

2.1. We may collect Personal Data from or about you as may be necessary for the Purpose of Use (as defined in Article 3.1 below) such as your name, date of birth, address, telephone number, e-mail address, bank account number, KTP number, etc. when you register to use Itochu Traceability System or when you submit your Personal Data to us for any other reason related to your use of Itochu Traceability System, including but not limited to when you contact us for enquiries or to request for assistance. In addition, all information on Itochu Traceability System (i.e., transaction records and settlement information, including Personal Data of Users) may be recorded for the Purpose of Use.

2.2 We may collect or use Personal Data, or disclose existing Personal Data for secondary purposes that differ from the Purpose of Use. If we intend to rely on deemed consent by notification for such secondary purposes, we will notify you of the proposed collection, use or disclosure of this Personal Data through appropriate mode(s) of communication. Before relying on deemed consent by notification, we will assess and determine that the collection, use and disclosure of the Personal Data will not likely have an adverse effect on you. You will be given a reasonable period to inform us if you wish to opt-out of the collection, use and disclosure of your Personal Data for such purposes. After the lapse of the opt-out period, you may notify us that you no longer wish to consent to the purposes for which your consent was deemed by notification by withdrawing your consent for the collection, use or disclosure of your Personal Data in relation to those purposes.

2.3 In compliance with the PDPA, we may collect, use or disclose the Personal Data of the Users in Singapore without his/her consent for the legitimate interests of us or another person. In relying on the legitimate interests exception of the PDPA, we will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh any adverse effect.

2.4 We may collect your Personal Data from third parties (including, but not limited to, agents, contractors, partners, payment service providers, government data sources, financial providers, credit agencies, etc.).

2.5. Users shall register and submit Personal Data that is accurate and not misleading, and we may conduct the necessary procedures in order to verify the Personal Data provided by Users, either as part of the user verification process or as required by law.

2.6. If a user elects not to provide his/her Personal Data, we may not be able to provide the User with access to the Services.

Article 3 (Purpose of Collecting and Using Personal Data)

3.1 The purposes for which we collect and use Personal Data (hereinafter referred to as the "Purpose of Use") are as follows:

(a) for the provision and operation of the Services;
(b) to answer inquiries from Users (including identity confirmation/data verification);
(c) to send e-mails to Users informing them of new features, updates, campaigns and other services that we offer;
(d) for maintenance, important notices, etc., as necessary;
(e) for the purpose of identifying or investigating Users who have violated the terms of use of the Services or who intend to use the Services for unauthorized or unjust purposes;
(f) to comply with legal and regulatory requirements, including requests from law enforcement agencies;
(g) to execute and investigate financial transactions such as payments to Users when distributing incentives;
(h) for further development and improvement of the Services;
(i) for research, analysis, and development, including surveys of user behavior;
(j) for any other purposes which we notify you of at the time of obtaining your consent; and
(k) for purposes reasonably related to the above-mentioned purposes of use.

3.2 We will not use Personal Data relating to you for purposes which we are not permitted to or required under the PDPA or Indonesian Data Protection Laws or any other applicable laws.

Article 4 (Change of Purpose of Use)

4.1 Where we change the Purpose of Use of Personal Data for purposes which we have not informed you or have not obtained your consent, we will notify you or make public on Itochu Traceability System such purposes and obtain your fresh consent for use and disclosure for the new purpose.

4.2 Where (a) the new purposes are within the scope of the Purpose of Use for which you had originally been informed, (b) consent can be deemed to be given by you in accordance with the PDPA and Indonesian Data Protection Laws, or (c) where the purpose falls within the exceptions from consent pursuant to the PDPA, we will not obtain fresh consent from you.
Itochu Traceability System

Article 5 (Provision of Personal Data to a Third Party)

5.1 We will not provide Personal Data to any third party without obtaining the prior consent of the User(s) save for the cases below and/or where such provision is permitted by the PDPA or other laws and regulations (for Users in Singapore only):

(a) when it is necessary for the protection of the life, health, or property of a person and it is difficult to obtain the consent of the person;
(b) cases in which it is particularly necessary for the improvement of public health or the promotion of the sound upbringing of children and in which it is difficult to obtain the consent of the person;
(c) where Personal Data is disclosed to companies affiliated with the Company, and such affiliates may in turn disclose your Personal Data to third-party service providers engaged by such affiliates (i) to store your Personal Data outside Singapore for us and/or our group companies, and/or (ii) in connection with, or which is necessary for, the provision of the Services;
(d) where Personal Data is disclosed to our partners, vendors, agents, contractors or third-party service providers who provide services to us such as IT or technical services;
(e) in the event of an actual or prospective business asset transaction (such as any merger, acquisition, or asset sale), any business partner, investor, assignee, or transferee for the purposes of facilitating such a transaction;
(f) where required to be disclosed to any relevant government regulators, statutory boards or authorities or law enforcement agencies by any laws, rules, guidelines and regulations or schemes imposed by any governmental bodies and authorities; and
(g) any other persons to whom disclosure is reasonable for the Purpose of Use.

5.2 Personal Data shall only be disclosed to the above-mentioned parties for the Purpose of Use (save for pursuant to Articles 5.1(a), (b), (e) and (f)). We will not disclose Personal Data relating to you for purposes which we are not permitted to or required under the PDPA, Indonesian Data Protection Laws, or any other applicable laws.

5.3 In some cases, we may encrypt, anonymize, and aggregate Personal Data before disclosing it. Anonymizing means stripping the information of personally identifiable features. Aggregating means presenting the information in groups or segments (e.g. age groups).

5.4 In the event that we transfer Personal Data of Users in Singapore overseas, we will ensure that the recipient overseas organisations will provide a standard of protection to Personal Data so transferred that is comparable to the protection in accordance with the PDPA or otherwise in accordance with the PDPA or applicable laws. With regards to overseas transfer of Personal Data of Users in Indonesia, in accordance with the provision under Article 22 of the Minister of Communication and Informatics Regulation No. 20 of 2016, we will:

(i) make necessary coordination with the relevant Ministry or authorized official, in the form of:

(a) report on the plan for transmission/transfer of Personal Data containing the following information: name, destination country, the name of recipient, date of transmission/transfer, and reason/purpose of transmission/transfer;
(b) request of advocacy (if required); and
(c) report on the result of the implementation of the transfer activity.

(ii) take into account the applicable laws and regulations regarding the cross-border transfer of Personal Data.

Article 6 (Accuracy, Access, and Correction of Personal Data)

6.1 You represent that the Personal Data that you provide to us is accurate and complete. Your failure to provide accurate and complete Personal Data may result in our inability to provide you with, or delay in our provision of, the Services.

6.2 When you provide us with any Personal Data relating to a third party (including your spouse, children, parents and/or employees), you represent to us that you have obtained the consent of the third party to provide us with their Personal Data unless otherwise provided in the PDPA and/or Indonesian Data Protection Laws.

6.3 If you discover that any of your Personal Data in our possession is incorrect, you must immediately change it via Itochu Traceability System.

6.4 If there is any Personal Data relating to you that you are unable to update and which you wish to make corrections to, you may contact our Data Protection Officer (whose details are set out below) and we will be happy to help you as best as we can.

6.5 If you wish to access the Personal Data that we have relating to you, inquire about the way in which Personal Data relating to you has been used or disclosed by us in the past year, or wish to withdraw your consent to our use of such Personal Data, you may contact our Data Protection Officer (whose details are set out below) and we will seek to attend to your request as best as we reasonably can. Please note that:

(a) in order for us to provide any personal data we will need to verify your identity and may request further information about your request;
(b) we may refuse access to your Personal Data if it would affect the privacy rights of other persons or if it breaches any confidentiality that attaches to that information;
(c) we may also refuse your request where we are legally permitted to do so and give you such reasons;
(d) you should be aware that we may take a reasonable time to process your application for access as we may need to retrieve information from storage and review the information in order to determine what information may be provided;
(e) please also note that if you withdraw your consent to our use and/or disclosure of Personal Data relating to you, we may not be in a position to continue providing our Services to you or perform on any contract we have with you; and
(f) we may have to charge you a reasonable administrative fee for retrieving Personal Data relating to you.

Article 7 (Security of Personal Data)

7.1. To protect your Personal Data from unauthorized access, collection, use, disclosure, processing, copying, alteration, disposal, loss, misuse, modification, or similar risks, we have implemented the following administrative, physical, and technical measures:

(a) Restriction of access to Personal Data;
(b) Technical measures to prevent unauthorized access to Itochu Traceability System;
(c) Use of 128-bit SSL (Secure Sockets Layer) encryption technology; and
(d) Other security measures required by law.

7.2. However, transfer and electronic storage methods over the Internet are not completely secure. Although security cannot be guaranteed, we strive to protect Personal Data and regularly review and enhance information security measures.

7.3 Please note that to the fullest extent permitted by law, we will not be held liable or responsible for any loss, misuse or alteration of Personal Data that may be caused by third parties.

Article 8 (Retention of Personal Data)

8.1 We will retain your Personal Data only for such time as may be required or permitted in connection with the law or its Purpose of Use.

8.2 In the event that retention of Personal Data is no longer necessary for any business or legal purposes or when the purpose for which the Personal Data was collected is no longer being served by the retention of the Personal Data, we will remove, destroy or anonymise the Personal Data.

Article 9 (Suspension of Use of Personal Data, etc.)

9.1. In the event that a User ceases to use the Services and removes his/her Personal Data from Itochu Traceability System, or in the event of reasonable grounds for presupposing that such Personal Data is no longer necessary for legal or business purposes, we will cease to retain the Personal Data of the User.

9.2. Where a User requests the suspension of use or deletion of his/her Personal Data (hereinafter referred to as "Suspension of Use") because such Personal Data has been used beyond the scope of the Purpose of Use or has been obtained through fraudulent means, we will promptly conduct an investigation.

9.3 The User should address their request in writing to our Data Protection Officer (whose details are set out below), and you should include as much detail as you can about the Personal Data affected, and the circumstances that you believe the Personal Data has been used beyond the scope of the Purpose of Use or has been obtained through fraudulent means.

9.4 In the event it is deemed necessary to comply with a User’s Suspension of Use request based on the results of the investigation set forth in the preceding clause, the Company shall promptly suspend its use of such Personal Data.

9.5 We promptly will notify the User of decision to or not to implement any Suspension of Use of his/her Personal Data in accordance with the provisions of the preceding clause.

9.6 In the event that there is a significant cost associated with a Suspension of Use, or in the event that it is difficult to implement a Suspension of Use, if any alternative measures are necessary to protect the rights and interests of Users, the Company shall take such alternative measures and the User shall be duly notified.

Article 10 (Collection of Computer Data)

10.1. We may use cookies, web beacons, or other similar technology in connection with the use of the Services by the Users.

10.2. If you access Itochu Traceability System through your computer, a mobile device, or other device that can connect to the Internet, our server may automatically record data, such as technical data and usage data, that it sends and receives between your browser and our server.

10.3. This data is collected for analysis and evaluation and will be used to help improve the convenience of the Services.

10.4 Most internet browsers allow you to disable cookies associated with these technologies (or otherwise turn off the processing of cookies) - in most cases, you will still be able to navigate Itochu Traceability System fully, but other functionality may be impaired. Please note that you may delete cookies from your browser after using Itochu Traceability System.

10.5 We assume no responsibility for the data protection practices, content or security of any third parties whose websites we link to on our website. We recommend that you review each third-party website’s data protection and privacy policy before disclosing any data on that website.

Article 11 (Breach of Personal Data)

11.1 In the event of a data breach of your Personal Data (“Breach”), we will promptly conduct an assessment of whether the Breach is notifiable to the Personal Data Protection Commission (“PDPC”) in accordance with the PDPA. If the Breach is notifiable to the PDPC, we will also notify you of the occurrence of the Breach in accordance with the PDPA. Especially for the Breach relating to the Users in Indonesia, a written notification will also be given to the relevant User immediately, at the latest 14 (fourteen) days since the occurrence of such Breach. In such a case, Users (in Indonesia) hereby agree and consent to receive the notification from us in the form of electronic notification.

Article 12 (Data Portability)

12.1 In the event that you wish to transfer any of your Personal Data that is in our possession or control to another organisation, please submit a request in writing to our Data Protection Officer (whose details are set out below) and we will assist as best as we can to transmit such Personal Data to the other organisation in a commonly used machine-readable format.

Article 13 (Change of Privacy Policy)

13.1 The contents of this Policy may be changed without notice to the Users, except for matters otherwise provided by laws or ordinances or in this Policy. Unless otherwise specified by us, the revised Privacy Policy shall become effective upon its publication on Itochu Traceability System. Subject to any rights you may have at law, you agree to be bound by the prevailing terms of this Policy as may be updated by the Company from time to time.

Article 14 (Contact Information)

14.1 We have designated a Data Protection Officer to be responsible for ensuring that we comply with the PDPA. Please contact our Data Protection Officer as follows:

Inquiries about the system are as follows
Address: 5-1, Kita-Aoyama 2-chome, Minato-ku, Tokyo 107-8077, Japan
Company Name: ITOCHU Corporation
Departments in charge: Logistics & Material Distribution Department, General Product & Realty company
E-mail address: tokrr-tracy@itochu.co.jp

14.2 For inquiries regarding this policy or concerns about our commitment to your privacy, please contact the Data Protection Officer.

ACCORDINGLY, this Policy is agreed by and bound to you who is using the Itochu Traceability System and/or registered as the Users of the Itochu Traceability System.

*****