Privacy Policy
Last updated: April 2026
1. Who We Are
Otaku Japan (otakutrips.com) is an anime pilgrimage trip planning service operated by an individual developer based in Japan. We provide information about anime-related locations and AI-generated travel plan suggestions.
Contact: ko12ma12@icloud.com
2. Information We Collect
2.1 Information You Directly Provide
- Email address (when registering for an API key or contacting us)
- Reviews and ratings you post on anime spots
- Feedback submitted through our contact form
2.2 Information Automatically Collected
- IP address
- Browser type and version
- Pages visited and interaction data
- Session identifiers (anonymous)
- API request logs (endpoint, timestamp, status code)
2.3 Information from Third Parties
- Travelpayouts: affiliate click and conversion data
- Google Maps: map interaction data subject to Google's privacy policy
2.4 Information We Do NOT Collect
- Passwords (authentication is handled via API keys)
- Payment card numbers (handled entirely by Stripe)
- Precise geolocation from your device
- Social media account information
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) | Legal Basis (APPI) |
|---|---|---|
| Provide and maintain our service | Performance of contract (Art. 6(1)(b)) | Necessary for the performance of a contract (Art. 18(1)) |
| Issue and manage API keys | Performance of contract (Art. 6(1)(b)) | Necessary for the performance of a contract (Art. 18(1)) |
| Enforce rate limits and prevent abuse | Legitimate interest (Art. 6(1)(f)) | Necessary for the legitimate interest of the operator (Art. 18(1)) |
| Improve service through aggregated analytics | Legitimate interest (Art. 6(1)(f)) | Utilization purpose publicly announced (Art. 21) |
| Send service-related communications | Performance of contract (Art. 6(1)(b)) | Necessary for the performance of a contract (Art. 18(1)) |
| Display affiliate hotel and travel links | Legitimate interest (Art. 6(1)(f)) | Utilization purpose publicly announced (Art. 21) |
| Generate AI travel plan suggestions | Consent / Performance of contract (Art. 6(1)(a)(b)) | Consent / Necessary for the performance of a contract (Art. 18(1)) |
We do NOT:
- Sell your personal data to third parties
- Use your data for targeted advertising
- Send marketing emails without your explicit consent
4. Third-Party Services and International Data Transfers
We use the following third-party services that may process your data:
| Service | Purpose | Country | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting and authentication | South Korea | https://supabase.com/privacy |
| Vercel | Web hosting and CDN | United States | https://vercel.com/legal/privacy-policy |
| Stripe | Payment processing | United States | https://stripe.com/privacy |
| Anthropic (Claude API) | AI plan generation | United States | https://www.anthropic.com/privacy |
| Travelpayouts | Hotel and travel affiliate links | EU | https://www.travelpayouts.com/privacy |
| Google Maps | Map display and location data | United States | https://policies.google.com/privacy |
EU/EEA Users: Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider's adequacy decision, to ensure appropriate safeguards for your data.
Japanese Users: In accordance with Article 28 of the Act on the Protection of Personal Information (APPI), we confirm that appropriate measures are in place when providing personal data to third parties in foreign countries. The countries listed above have been identified, and each service provider maintains data protection standards recognized under APPI.
5. Cookies and Tracking
What We Use
- Session identifiers for rate limiting and anonymous usage tracking
- Affiliate tracking parameters in hotel and travel links (Travelpayouts)
- Google Maps cookies as required by the Google Maps Platform
What We Do NOT Use
- Third-party advertising cookies
- Cross-site tracking pixels or beacons
- Persistent login cookies (sessions are anonymous)
EU Cookie Consent: For users in the EU/EEA, we display a cookie consent banner on your first visit. You may withdraw consent at any time by clearing your browser cookies or contacting us.
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| API keys | Until deletion requested by user | Manual request via email |
| API request logs | 90 days | Automatic purge |
| Generated travel plans | Indefinite (for sharing) | Manual request via email |
| Community reviews | Indefinite (unless deletion requested) | Manual request via email |
| Email addresses | Until deletion requested by user | Manual request via email |
| Affiliate click logs | 12 months | Automatic purge |
7. Your Rights
7.1 All Users
- Request access to your personal data
- Request correction of inaccurate data
- Request deletion of your data
- Withdraw consent for data processing at any time
7.2 EU/EEA Users — GDPR Rights (Articles 15–22)
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion (“right to be forgotten”)
- Right to restriction (Art. 18) — limit processing in certain cases
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON)
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right not to be subject to automated decision-making (Art. 22) — including profiling
- Right to lodge a complaint with your local Data Protection Authority
7.3 Japanese Users — APPI Rights (Articles 33–35)
- Right to disclosure (Art. 33) — request disclosure of retained personal data
- Right to correction, addition, or deletion (Art. 34) — request correction of inaccurate data
- Right to cease use or erase (Art. 35) — request cessation of use or deletion when data is no longer needed or was obtained unlawfully
To exercise any of these rights, contact us at ko12ma12@icloud.com. We will respond within 30 days.
8. Data Security
- All data is transmitted over HTTPS (TLS encryption)
- API keys are hashed (SHA-256) before storage — we cannot view your raw key
- Supabase Row-Level Security (RLS) policies restrict data access
- Environment variables and service role keys are never exposed to client-side code
- Rate limiting protects against abuse and brute-force attacks
- Database access is restricted to the application layer only — no public access
9. Data Breach Notification
- EU/EEA Users: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours in accordance with GDPR Articles 33 and 34. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
- Japanese Users: In accordance with the APPI, we will notify the Personal Information Protection Commission and affected individuals when a data breach occurs that meets the reporting threshold.
- All Users: We will post a notice on our website and send email notifications to affected users as promptly as possible.
10. Children's Privacy
Our service is not directed at children under 16 years of age (under 13 in the United States). We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
11. Google Maps Platform
Our service uses the Google Maps Platform. Your use of Google Maps features is subject to the Google Terms of Service and Google Privacy Policy.
Location data displayed on our maps is sourced from our database of anime-related spots, not from your device. We do not track your physical location or request access to your device's GPS.
12. Affiliate Disclosure
We participate in the Travelpayouts affiliate program and may participate in other affiliate programs. Links to hotels, flights, and travel services on our site may contain affiliate tracking parameters. When you make a purchase through these links, we may earn a commission at no additional cost to you.
Affiliate partnerships do not influence the content of AI-generated travel plans or spot information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. For material changes, we will display a prominent banner on our website. Your continued use of our service after changes are posted constitutes your acceptance of the updated policy.
14. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: ko12ma12@icloud.com
- Google Form: https://forms.gle/4kC5qRoyUB2tZZ7J7
We will respond to all inquiries within 30 days.