Privacy Policy

Popaz Co. ("we", "us", "our") operates Kickoff Calendar (https://kickoff.guide, the "Service"). We treat the protection of personal data as a serious responsibility and aim to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Japan's Act on the Protection of Personal Information (APPI), and other applicable laws. This Privacy Policy explains what we collect and how we handle it.

1. Information we collect

We collect only what we need to operate the Service, in line with applicable law:

• Email address (used for magic-link authentication)
• Your favorite teams and selected leagues
• Preferences such as reminder times, theme, language, timezone, and (where applicable) streaming preferences
• Payment-related metadata (processed by an external payment processor — we do not store card numbers ourselves)
• The unique token used to issue your calendar subscription URL
• Access logs, IP address, and browser metadata (used for abuse prevention and aggregate analytics)
• Acquisition and referral data (referring site, the first page you landed on, the page you viewed immediately before signing up, campaign parameters such as UTM tags, and device type) and your navigation within the Service — used for product improvement and aggregate analytics

2. How we use it

We use the information above only for the purposes below, except where you have consented to additional uses or where the law permits another basis:

• Operating the Service (calendar feed generation and delivery)
• Magic-link authentication and account management
• Subscription billing and contract performance
• Replying to inquiries and support requests
• Sending operational emails (service announcements, feature updates, renewal / cancellation notices)
• Aggregate usage analytics and service-quality improvements
• Detecting and responding to abuse, unauthorized access, or terms violations
• Compliance with legal obligations

3. Disclosure to third parties

We do not disclose your personal data to third parties without your prior consent, except in the following situations:

• Where required by law
• To protect a person's life, body, or property, where consent cannot reasonably be obtained
• For public health or child welfare reasons of particular importance, where consent cannot reasonably be obtained
• To cooperate with a government or municipal authority carrying out a statutory duty

We may also engage trusted third-party vendors to operate parts of the Service on our behalf. Each such vendor is bound by a confidentiality and data-protection agreement, and we supervise them to ensure appropriate security measures. Specific vendor names will be disclosed promptly on request.

4. International transfers

Some of the third-party vendors mentioned above are based outside Japan, which means your personal data may be transferred internationally — primarily to the United States and the EU. We rely on Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR for these transfers.

5. Security measures

We take reasonable technical and organizational measures to prevent the leakage, loss, or damage of personal data, in line with applicable law and the guidelines of Japan's Personal Information Protection Commission. Details of specific measures will be shared on request, to the extent that doing so does not undermine those measures.

6. Cookies and analytics

We use a minimal set of cookies plus cookieless analytics. See the Cookie Policy for details. You can manage cookies via the on-site banner or through your browser settings.

For product improvement and aggregate analytics we also record, via our own first-party mechanism, acquisition data such as your referring source, the first page you landed on and campaign parameters, along with how you navigated the Service before signing up. This data is not shared with third-party advertising networks and is not used to identify you personally.

7. Your rights

You can edit or delete your personal data yourself at any time from the Settings screen (/app/settings). Deleting your account immediately invalidates your subscription URL — your subscribed calendars empty themselves on the next fetch.

For other rights (access, restriction, data portability, etc.) under GDPR / CCPA / APPI, please reach us via the contact page. After verifying your identity, we'll respond within a reasonable timeframe (typically within 14 days).

8. Retention

• Account data and preferences: kept until you delete your account, then erased promptly
• Payment history: retained up to 7 years to comply with tax law (consumption tax / electronic books-of-account preservation)
• Support email history: retained up to 3 years

9. Minors

The Service is open to anyone, but if you are under 18, you should use it only with the consent of a parent or legal guardian. If we receive a consent withdrawal from a parent or guardian, we will delete the affected user's personal data promptly.

10. Changes to this policy

We may update this policy as the Service evolves or as the law requires. For material changes we'll notify you in-product or by email. Updated policies take effect when posted on the Service.

11. Contact

Questions about this policy, our handling of personal data, or rights requests can be sent through the contact page. For business / company details, see the Specified Commercial Transactions Act notice (Japanese only — required for Japan).

Operator

Popaz Co. (株式会社 Popaz)

Privacy lead

Hiroaki Ishii, Representative Director

12. Business plan — venue data

This section applies to venue operators (venue users) who subscribe to the Business plan.

12.1 Data collected from venue users

We collect the following information to operate the Business plan:

• Venue name and trade name
• Address and geo-coordinates (for map display and area search)
• Venue photos and logo
• Opening hours and regular closing days
• Phone number and reservation links (e.g. external booking platforms)
• Self-declared viewing license status (confirmation that an appropriate commercial viewing contract is held)
• Scheduled match selections
• Payment metadata (processed by an external payment processor — we do not store card numbers)

12.2 What is public vs. internal-only

The following information is published on the venue page (/venues/[slug]):

• Venue name, tagline, and description
• Address and map location
• Opening hours and phone number (if the venue user chooses to display them)
• Scheduled matches
• Venue photos and logo

The following information is held internally only and is never published:

• Viewing license self-declaration records
• Payment-related information and payment processor customer IDs
• The venue user's email address (used only for billing notices and support)
• Internal account status flags

12.3 How we use venue data

We use venue data only for the following purposes:

• Generating and publishing the venue page
• Auto-generating SNS-ready OGP images
• Venue search and filtering within Kickoff Calendar
• Business plan billing and contract management
• Service quality maintenance and improvement
• Detecting and responding to abuse or terms violations

12.4 Your rights over venue data

Venue users can edit or update their venue information at any time from the Business dashboard (/business/dashboard). Deleting your account immediately makes the venue page non-public, and venue data is erased promptly — except for payment history, which we are required to retain for up to 7 years under applicable tax law.

For other rights (access, restriction, data portability, etc.), please contact us via the contact page. After verifying your identity, we will respond within a reasonable timeframe (typically within 14 days).

Effective: 27 April 2026
Last updated: 9 May 2026