Effective Date: July 7, 2026
Last Updated: July 7, 2026
This Privacy Policy explains how Eudaimonia Universe JAPAN ("Company," "we," "us," or "our") collects, uses, shares, and protects personal information when you use OMUSUBI QUEST — the application, the website at omusubiquest.com, and related services (the "Service").
We know that journaling is deeply personal. Your reflections are private by default, and this Policy is written to be read — please take the time to do so.
Data controller: Eudaimonia Universe JAPAN, 2F, 2-2-15 Hamamatsu-cho, Minato-ku, Tokyo 105-0013, Japan.
Contact: support@omusubi.quest
EU/UK representative (GDPR Art. 27 / UK GDPR Art. 27): DataRep — see Section 12.
1. Scope
This Policy applies to personal information processed in connection with the Service. It does not apply to third-party services that you access through links or integrations (e.g., Stripe's own processing as an independent controller), which are governed by those parties' privacy policies.
2. Information We Collect
2.1 Information you provide
- Account data: name or display name, email address, password (stored in hashed form), date of birth or age confirmation (18+), profile information you choose to add, language and time-zone preferences.
- Journal and reflection content: journal entries, reflections, records of values and insights, cards, and other content you create ("Journal Content"). Journal Content is private by default and visible to others only if you share it.
- Community content: content you choose to share with other users, comments, reactions, and reports you submit.
- Payment data: if you subscribe to a paid plan, payments are processed by Stripe. We do not store your full card number; we receive limited data such as subscription status, transaction amounts, the last four digits of your card, and billing country.
- Communications: messages you send to support, survey responses, and feedback.
2.2 Information collected automatically
- Usage data: features used, level progression, session frequency and duration, interactions with prompts and cards.
- Device and log data: IP address, device type, operating system, browser type, app version, crash logs, and diagnostic data.
- Cookies and similar technologies: see our Cookie Policy.
2.3 Information from third parties
- Invitation data: if another user invites you, we receive the contact detail they provided (e.g., your email) solely to deliver the invitation.
- Authentication providers: if you sign in via a third-party login (if offered), we receive the profile data you authorize.
2.4 Sensitive information
Journal Content may, by its nature, reveal information that is treated as special-category or sensitive data under applicable law (for example, information about your health, emotional state, religious or philosophical beliefs, or other aspects of your inner life). We do not ask you to provide such information, but the Service is designed to let you record whatever matters to you.
- We process such content only to provide the Service to you (storage, display back to you, the AI-assisted features you invoke, and sharing you initiate).
- Where GDPR applies, our processing of such data is based on your explicit consent (Art. 9(2)(a) GDPR), which you give when you choose to enter such content, and which you may withdraw at any time by deleting the content or your account.
- Where the Act on the Protection of Personal Information of Japan ("APPI") applies, we obtain your consent before acquiring special care-required personal information (要配慮個人情報), except where permitted by law.
- We never use sensitive Journal Content for advertising, and we never sell it.
3. How We Use Information (Purposes)
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Provide, operate, and maintain the Service (including storing and displaying your Journal Content back to you) | Account data, Journal Content, usage data | Contract (Art. 6(1)(b)); explicit consent for special-category data (Art. 9(2)(a)) |
| Provide AI-assisted features you invoke (e.g., surfacing past entries, reflection prompts, organizing values) | Journal Content, usage data | Contract (Art. 6(1)(b)); explicit consent (Art. 9(2)(a)) |
| Operate social features and deliver content you share to the audience you selected | Community content, account data | Contract (Art. 6(1)(b)) |
| Process subscriptions and payments | Payment data, account data | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Communicate with you about the Service (transactional notices, security alerts, changes to terms) | Account data | Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Send marketing communications (only with your consent; opt out anytime) | Account data | Consent (Art. 6(1)(a)) |
| Maintain safety and security; prevent fraud, spam, and abuse; moderate reported content | Usage data, device data, community content | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Improve and develop the Service, analytics, debugging | Usage data, device data (aggregated or pseudonymized where possible) | Legitimate interests (Art. 6(1)(f)); consent for non-essential cookies |
| Comply with legal obligations and respond to lawful requests | As required | Legal obligation (Art. 6(1)(c)) |
Under the APPI, the above table also constitutes our announcement of the purposes of use (利用目的の公表).
4. AI Processing — What We Do and Do Not Do
- AI features process your Journal Content to serve you: helping you recall, organize, and reflect on what you have written, and generating prompts or summaries at your request.
- AI outputs are suggestions, not advice, and may be inaccurate.
- We do not use your Journal Content to train generalized AI models without your separate, explicit opt-in consent.
- Where we use third-party AI processors, they are bound by contracts prohibiting them from using your content to train their models, and we list them in Section 6.
- We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
5. How We Share Information
We do not sell your personal information, and we do not share it with third parties for their own advertising.
We share personal information only:
- With other users, at your direction: content you explicitly share is visible to the audience you selected.
- With service providers (processors) who process data on our behalf under contract — hosting and cloud infrastructure (Vercel Inc., USA), database hosting (Supabase Inc., AWS Tokyo region — ap-northeast-1, Japan), payment processing (Stripe), and AI processing (Anthropic PBC and OpenAI, L.L.C., accessed via their APIs under terms that prohibit the use of your content to train their models). We do not currently use third-party analytics or marketing-email providers; if this changes, we will update this Policy first. A current list of subprocessors is available on request.
- For legal reasons: to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our Terms; or to protect the rights, safety, or property of users, the public, or the Company. Where legally permitted, we will notify you of legal demands for your data.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this Policy and notice to you.
- Safety emergencies: where we reasonably believe disclosure is necessary to prevent imminent and serious harm to a person's life or physical safety, to the minimum extent necessary.
- With your consent, in other cases.
6. International Data Transfers
We are based in Japan. The Service is hosted on infrastructure provided by Vercel Inc. (United States) (database storage region: Japan — Supabase on AWS Tokyo, ap-northeast-1), and our AI and payment providers (Anthropic, OpenAI, Stripe) are also US-based, so your data is transferred to and processed in the United States and Japan. Japan and the European Economic Area maintain mutual adequacy arrangements (European Commission adequacy decision for Japan; APPI equivalency for the EEA), which cover transfers between the EEA and Japan.
Where we transfer personal data to countries without an adequacy decision (for example, to service providers in the United States), we use appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum or International Data Transfer Agreement, where UK GDPR applies), together with supplementary measures where needed. Under the APPI, we obtain your consent or use equivalent safeguards for provision of personal data to third parties in foreign countries, and provide required information about the destination country's data-protection framework.
7. Retention
- Journal Content: retained until you delete it or delete your account. When you delete content or your account, it is removed from production systems within 30 days and from backups within 90 days, except where longer retention is required by law.
- Account data: retained while your account is active, then deleted or anonymized within the periods above.
- Payment records: retained as required by tax and accounting law (in Japan, generally 7 years).
- Moderation and safety records: retained for up to 2 years after resolution as needed to enforce our Terms and protect users.
- Aggregated/anonymized data (which no longer identifies you) may be retained without limitation.
8. Security
We implement technical and organizational measures appropriate to the sensitivity of the data, including encryption in transit (TLS) and at rest, access controls and least-privilege access for staff, logging and monitoring, and vendor due diligence. Journal Content is subject to strict internal access controls: staff do not access it except where necessary for support (at your request), safety, security, or legal compliance.
No system is perfectly secure. If a data breach occurs that risks your rights, we will notify the competent authority and affected users as required by applicable law (including APPI breach reporting and GDPR Arts. 33–34).
9. Your Rights
9.1 All users
You can access, correct, export, and delete your Journal Content and account data directly in the app, and you can contact us at support@omusubi.quest to exercise any right below. We respond within the timelines required by applicable law and may need to verify your identity.
9.2 Japan (APPI)
You may request disclosure of your personal data and records of third-party provision, correction, addition or deletion, cessation of use, and cessation of third-party provision, in accordance with the APPI. We will respond without undue delay.
9.3 EEA/UK (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection (including to processing based on legitimate interests), and the right to withdraw consent at any time (without affecting prior processing). You also have the right to lodge a complaint with your local supervisory authority. Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format.
9.4 California (CCPA/CPRA) and other US states
You have the rights to know/access, correct, and delete personal information, the right to opt out of "sale" or "sharing" of personal information, and the right to limit use of sensitive personal information. We do not sell or share your personal information as those terms are defined in the CCPA/CPRA, and we do not use sensitive personal information for purposes other than providing the Service. We do not discriminate against you for exercising your rights. You may designate an authorized agent. We honor Global Privacy Control signals where legally required.
9.5 Other jurisdictions
If your local law provides additional rights, we will honor them as required.
10. Children
The Service is intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has an account, contact us at support@omusubi.quest and we will delete the account and its data.
11. Death of a User
Requests concerning a deceased user's account may be submitted by legal heirs in accordance with applicable law. We will require documentation and will handle Journal Content with particular care given its private nature.
12. EU and UK Representative (GDPR Article 27)
We have appointed DataRep as our data protection representative in the European Union and the United Kingdom for the purposes of Article 27 GDPR and Article 27 UK GDPR.
If you are located in the EEA or the UK, you may raise questions or exercise your rights in relation to your personal data by contacting DataRep, in addition to contacting us directly:
- Online: submit a request via www.datarep.com/data-request
- By post: write to DataRep at the DataRep location most convenient to you in the EEA or the UK (the current list of DataRep addresses is available at www.datarep.com), marking your envelope for the attention of "DataRep" and clearly referencing Eudaimonia Universe JAPAN / OMUSUBI QUEST.
EU (example office): DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
UK: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
Please do not include sensitive content (such as journal entries) in postal correspondence; DataRep will coordinate secure handling with us.
13. Do Not Track and Cookies
For information about cookies and similar technologies, and the choices available to you (including our consent banner where required), see our Cookie Policy.
14. Changes to This Policy
We may update this Policy from time to time. For material changes, we will notify you at least 30 days in advance via the Service or email, and where required by law we will seek your consent. The "Last Updated" date at the top shows the current version.
15. Contact Us
Eudaimonia Universe JAPAN
Attn: Privacy / Personal Information Protection Manager
Address: 2F, 2-2-15 Hamamatsu-cho, Minato-ku, Tokyo 105-0013, Japan
Email: support@omusubi.quest
If you are in the EEA or UK, you may also contact our representative, DataRep (Section 12), or your local data protection authority.