Privacy Policy

We collect the following information to the extent necessary to provide the Service:

• Account information — email address, hashed password, MFA status, sign-up / sign-in timestamps, time zone.
• Vendor credentials — SwitchBot Token / Secret and Nature Remo Access Token, encrypted at rest using AWS KMS.
• Device and sensor information — IDs, names, and types of thermometers / AC units the User registers, time-series temperature and humidity data fetched from the vendors, and history of commands sent to devices.
• Subscription information — Lemon Squeezy customer ID, subscription ID, plan, status, trial / renewal dates. We do not store credit card numbers; they are processed by Lemon Squeezy.
• Access logs and telemetry — IP address, user-agent, request timestamps, request paths, HTTP status, Cognito user ID (sub), API call latency, etc.
• Operational logs — stack traces and related metadata at the time of errors or exceptions. We log only safe fields (user IDs, policy IDs, etc.) and mask sensitive values such as email addresses and vendor tokens.

We use the information we collect for the following purposes:

1. Providing the Service — user authentication, vendor API calls, fetching temperature / humidity, sending AC control commands.
2. Managing subscriptions — billing, contract status checks, renewal notices, cancellation handling.
3. User support and response to violations of the Terms.
4. Service maintenance, operations, and improvement — using statistical information processed into a form that cannot identify a specific individual to detect defects, monitor performance, and improve features.
5. Sending important notices — changes to the Terms, feature additions, maintenance, dormant account deletion notices, etc.
6. Detection of and response to fraudulent use, cyber attacks, and violations of the Terms.
7. Responding to obligations under applicable law.

No use for advertising or marketing: we do not use information that may reveal a User's lifestyle patterns — including temperature / humidity history and device operation history — for advertising delivery, third-party marketing, or any other purpose unrelated to providing the Service.

We do not disclose personal information to third parties without the User's consent, except in the following cases:

• When required by APPI or other applicable laws.
• When necessary to protect the life, body, or property of a person, and obtaining the User's consent is difficult.
• When particularly necessary for the improvement of public health or the sound development of children.
• When it is necessary to cooperate with a national or local government agency, or a party entrusted by such agency, in performing duties prescribed by law.

We entrust portions of the Service's operation to the following providers. We supervise these processors and maintain contracts that ensure appropriate safeguards for personal information:

• Amazon Web Services, Inc. — cloud infrastructure (Tokyo region), including user authentication via Cognito, API execution via Lambda, data storage via DynamoDB, encryption key management via KMS, content delivery via CloudFront, and email delivery via SES.
• Lemon Squeezy, LLC — payment processing (Merchant of Record), including credit card processing and receipt issuance.
• SwitchBot Inc. — when a User connects SwitchBot, we access the vendor API to fetch temperature / humidity data and to send AC control commands.
• Nature, Inc. — when a User connects Nature Remo, we access the vendor API to fetch temperature / humidity data and to send AC control commands.
• Functional Software, Inc. (Sentry) — error monitoring and operational log aggregation. We send only the operational information needed for incident triage — stack traces of exceptions, request timestamps, request paths, user ID (Cognito sub), user-agent, IP address. Email addresses, vendor credentials, and device control payloads are filtered out on the server side and are not sent.

Because we use the providers above, parts of personal information may be processed on servers located in the following countries and regions:

• Japan — primary data storage and processing on Amazon Web Services Tokyo region.
• United States of America — payment processing and customer data management by Lemon Squeezy, and error monitoring / operational log aggregation by Functional Software, Inc. (Sentry).
• People's Republic of China — when a User connects SwitchBot, vendor credentials and device data may be processed in regions served by SwitchBot Inc.'s API.

Users should refer to each provider's privacy policy for details on the personal-information protection systems in these regions. We maintain appropriate contracts with our processors and implement safeguards required by APPI. Japan has been recognized by the European Commission as providing an adequate level of data protection, so transfers of EEA personal data to Japan do not require additional safeguards under GDPR.

• Vendor credentials (SwitchBot Token / Secret, Nature Remo Access Token) are stored with encryption via AWS KMS. The encryption context includes the User ID and field name, preventing reuse of one ciphertext for another User or another field.
• Decryption of vendor credentials is possible only by the Lambda function that executes AC control. The API Lambdas have encrypt-only permissions and cannot decrypt.
• User authentication uses Amazon Cognito, with optional TOTP-based multi-factor authentication. Passwords are hashed by Cognito and we never receive them in plaintext.
• All traffic is protected by TLS. HSTS, HTTP→HTTPS redirect, and other security headers are progressively rolled out.
• Access to cloud resources handling personal information is restricted via IAM under the principle of least privilege, and operational logs are monitored.
• Telemetry such as access logs is configured with a 30-day retention so that it is not retained long-term.

• Raw measurement data — raw temperature / humidity samples collected at 10-minute intervals are retained for up to 365 days and then automatically deleted.
• Aggregated chart data — daily / monthly / yearly aggregates are retained while the account is active so that long-term charts can be shown on the dashboard.
• Account, integration, and rule settings — retained while the account is active. Vendor credentials (SwitchBot Token / Secret, Nature Remo Access Token) are stored encrypted.
• Operational logs and control history — retained for up to 30 days for the purposes of incident investigation and abuse detection.
• Automatic deletion of dormant accounts — free accounts (not subscribed, post-trial, or cancelled) without sign-in for 180 days will be automatically deleted, after prior notice to the registered email address (30 days and 7 days before deletion). Signing in during this period resets the counter.
• User-initiated account deletion — deleting your account from the account screen promptly erases all data described above. Subscription and receipt information held by Lemon Squeezy is governed by Lemon Squeezy's own retention policy.

The Service uses the minimum necessary cookies and localStorage (origins: unawair.com, auth.unawair.com) to maintain authentication sessions. We currently do not use marketing cookies or third-party tracking cookies. If we adopt access analytics for service improvement in the future, we will update this Policy and disclose the change.

Note that Amazon Associates links (e.g., amazon.co.jp) may set cookies on Amazon's side. Please refer to Amazon's privacy policy for details.

Amazon links on pages such as the "Compatible Devices" page include Amazon Associates affiliate links. We may receive a referral fee for purchases made through these links. Cookies may be set on Amazon's side when affiliate links are used. Amazon or each seller handles the sale, delivery, and support of products; we do not act as an intermediary, seller, or stock manager.

• Users may request disclosure, correction, addition, deletion, suspension of use, or suspension of third-party disclosure of their personal information that we hold.
• Users can themselves change their email address, modify registered settings, and delete their account from the account screen. For other requests, please contact us at the address below.
• From the “Data Export” section of the account screen, Users may download their temperature history, area configuration, integration settings, and device information as a CSV file at 10-minute granularity. For billing information, please refer to the links in the receipt emails you received from Lemon Squeezy. For other disclosure or portability requests, please contact us at the address below.
• We may ask for information to verify your identity in connection with such requests.

The Service is designed primarily for Users in Japan, but is available to Users in other jurisdictions where SwitchBot or Nature Remo hardware can be operated. This Policy does not individually guarantee the additional rights and obligations arising under foreign personal-information protection regimes such as the EU General Data Protection Regulation ("GDPR"), the UK Data Protection Act, or the California Consumer Privacy Act ("CCPA"). We will, however, respond in good faith and within a reasonable scope to requests for disclosure, deletion, and other rights exercised under such laws. Please contact us at the address in section 15.

When a minor uses the Service, they must do so with the consent of their parental authority or other legal representative. We treat registration as confirmation that parental consent has been obtained.

We acquire personal information through the User's inputs on the Service, through API calls to integrated providers (Lemon Squeezy, SwitchBot, Nature Remo, etc.), and automatically through use of the Service (access logs, etc.).

We may revise this Policy as necessary. The revised Policy takes effect when posted on our website. For material changes, we will notify Users by email or via an in-service announcement.

For questions regarding this Policy or requests for disclosure, correction, or deletion, please contact us at:

• Business name: appbatake (sole proprietor)
• Privacy administrator: Tomohisa Ota
• Address: 〒170-0013
  BIG Office Plaza Ikebukuro 1206,
  2-62-8 Higashi-Ikebukuro, Toshima-ku, Tokyo, Japan
• Email: support@appbatake.com