Legal

Privacy Policy

How we handle personal information

Effective: May 12, 2026 (v1)

Reference translation only. The Japanese version of this Privacy Policy is the legally controlling text. This English version is provided for the convenience of non-Japanese readers. In the event of any inconsistency or conflict between the Japanese and English versions, the Japanese version prevails. The authoritative text is available at /ja/privacy.html.

Article 1 (General Provisions)

ExecutiveSearch.AI K.K. (hereinafter, the “Company”; registered office: Ebisu Prime Square Tower 4F, 1-1-39 Hiroo, Shibuya-ku, Tokyo 150-0012, Japan) establishes this Privacy Policy (the “Policy”) in connection with the protection of personal information processed in relation to the AI talent-identification platform “Headhunt.AI” (the “Service”) operated by the Company, in compliance with the Act on the Protection of Personal Information (the “APPI”), the Employment Security Act, the Act on the Promotion of Research, Development, and Utilization of Technologies Related to Artificial Intelligence (Act No. 53 of 2025; the “AI Promotion Act”), and other applicable laws, regulations, and guidelines.

Article 2 (Personal Information Handler)

Name: ExecutiveSearch.AI K.K.

Representative: ホインスキーケネスチャールズ, Representative Director

Parent company: Monstarlab Inc. (TSE: 5255)

Specified Recruitment Information Provider notification receipt number (特定募集情報等提供事業届出受理番号): Filed; the receipt number will be entered here once issued.

Personal Information Protection Manager: Representative Director

Article 3 (Definitions)

In this Policy, the following terms have the meanings set forth below:

(1) “Personal Information” means information as defined in Article 2, Paragraph 1 of the APPI.

(2) “Personal Data” means data as defined in Article 16, Paragraph 3 of the APPI.

(3) “User” means a corporation or sole proprietor that has entered into a service agreement for the Service.

(4) “Candidate Information” means occupation-related information, including personal information, of individuals that the Company lawfully obtains and stores in the Service’s database.

(5) “User Information” means personal information about a User.

(6) “ATS-Integration Data” means data that a User has the Service process on its behalf through the Service’s ATS-integration feature.

(7) “User Personnel” means an account user of the Service designated by a User.

Article 4 (Acquisition of Candidate Information)

1. The Company acquires Candidate Information pursuant to commercial license agreements with third-party data providers that lawfully conduct their business.

2. The Company does not directly obtain personal information from candidates themselves (except where a candidate contacts the Company directly).

3. Categories of information contained in Candidate Information:

(a) Name

(b) Current and prior employer and position

(c) Employment history

(d) Educational history

(e) AI-inferred information (estimated age, estimated compensation level, estimated language proficiency, etc.)

(f) Public profile URL

4. The Company does not acquire or hold special-care-required personal information (race, creed, social status, medical history, and similar categories).

Article 5 (Purposes of Use)

1. Purposes of use of Candidate Information:

(a) Building the database used in the Service

(b) Providing information to Users from the database

(c) Performing AI scoring within the Service (fit assessment against job requirements)

(d) Identifying and presenting candidates to Users (including use in Users’ recruiting activities, HR-related business, or legitimate sales and marketing activities such as identifying decision-makers)

(e) Automated generation of scout email content

(f) Algorithm improvement and quality control of the Service

(g) Creation of statistical data (in a form that does not identify individuals)

(h) Responding to legal and regulatory requirements

2. Purposes of use of User Information:

(a) Account management and authentication

(b) Billing and payment management for service fees

(c) Providing notices and support related to the Service

(d) Analyzing usage and improving the Service

(e) Responding to legal and regulatory requirements

3. When the Company changes the purposes of use of personal information acquired, the change will be made within the scope that is reasonably recognized as being relevant to the pre-change purposes, and the post-change purposes will be made public.

Article 6 (AI Processing and Data Storage)

1. The Service performs AI-based scoring and analytical processing on Candidate Information and ATS-Integration Data, and generates scout email content. The Service is a tool that searches and scores Candidate Information based on job information and search criteria entered by Users; it is an information-provision service intended to support User decision-making. All final decisions regarding candidate selection and hiring are made by the User itself; the Company does not broker the formation of employment relationships between candidates and Users.

2. Personal Data is, as a rule, stored on servers located in Japan (the Asia-Pacific (Tokyo) region of Amazon Web Services, Inc.). When AI processing is executed, portions of Personal Data are transmitted to the processing infrastructure of the subcontractors listed in Paragraph 3. Transmitted data is, pursuant to data processing agreements (DPAs) with each subcontractor, deleted within a short period after processing is complete, and is not used to train any subcontractor’s AI models. For further detail on this paragraph, please refer to Article 9, Paragraph 2 (Awareness of External Conditions).

3. The Company entrusts the following subcontractors with data processing for AI scoring:

(a) OpenAI, Inc. (San Francisco, California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(b) Google LLC (Mountain View, California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(c) Cohere Inc. (Toronto, Ontario, Canada / also with a presence in California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(d) Amazon Web Services, Inc. (a US corporation; per the Company’s configuration, data storage and processing are conducted in its Asia-Pacific (Tokyo) region) — data storage and infrastructure

4. The Company exercises necessary and appropriate supervision over the above subcontractors in accordance with Article 25 of the APPI. Through the DPAs or service terms with each subcontractor, the following are ensured:

(a) AI-processing subcontractors (OpenAI, Google, Cohere) do not use data received from the Company to train their own AI models.

(b) Only the data necessary for processing is transmitted.

(c) Data transmitted to subcontractors is deleted within a short period after processing is complete.

5. In accordance with the purpose of the AI Promotion Act, the Company strives for the appropriate use of AI technology and works to ensure fairness through periodic verification so that AI algorithms do not engage in unjust discrimination based on protected attributes.

Article 7 (Provision to Third Parties)

1. The Company provides Candidate Information to Users pursuant to service agreements for the Service. Details of third-party provision to Users are set forth in Article 17.

2. Other than as set forth in the preceding paragraph, the Company will not provide Personal Data to third parties, except in the following cases:

(a) Where the Company entrusts all or part of the handling of Personal Data to the extent necessary to achieve the purposes of use

(b) Where Personal Data is provided in connection with the succession of business due to a merger or other event

(c) Where it is necessary to cooperate with a national agency, local government, or a person entrusted by them in performing duties prescribed by law, and obtaining the consent of the data subject would impede the performance of such duties

(d) Other cases permitted under the APPI or other laws and regulations

Article 8 (ATS-Integration Data)

1. Users that use the ATS-integration feature may link their own data to the Service.

2. The Company handles ATS-Integration Data in the position of a consignee acting on behalf of the User. The User is responsible for the handling of ATS-Integration Data, and the Company will process such data only within the scope of the following entrusted purposes:

(a) Performing AI scoring

(b) Supporting search and analysis of the User’s database

(c) Converting and structuring data based on User instructions

3. The Company stores ATS-Integration Data in a manner that is logically and physically segregated by User, and does not commingle it with the data of other Users.

4. Upon termination of a service agreement, the Company will delete ATS-Integration Data within a reasonable period (as a rule, 30 days). Users should complete any data export before termination of the agreement.

Article 9 (Security Control Measures)

1. The Company takes necessary and appropriate measures to prevent leakage, loss, or damage of Personal Data and to otherwise ensure security control. For details of the security control measures taken by the Company, please contact the contact point set out in Article 16.

2. Awareness of External Conditions: In connection with providing the Service, the Company entrusts the handling of Personal Data to the foreign-located entities listed below. Because Personal Data will accordingly be handled in those foreign countries, as part of the security control measures required under Article 23 of the APPI, the Company has identified the personal-information-protection systems in those countries and has taken necessary and appropriate measures. Pursuant to Article 32, Paragraph 1, Item 4 of the APPI and Article 10, Item 1 of its Enforcement Order, the details of those measures are published below:

(a) OpenAI, Inc. (San Francisco, California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(b) Google LLC (Mountain View, California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(c) Cohere Inc. (Toronto, Ontario, Canada / also with a presence in California, USA) — AI-model-based scoring, analytical processing, and scout email generation

(d) Amazon Web Services, Inc. (a US corporation; per the Company’s configuration, data storage and processing are conducted in its Asia-Pacific (Tokyo) region) — data storage and infrastructure

[Personal-Information-Protection Systems in Foreign Jurisdictions]

The personal-information-protection systems in the countries where the above subcontractors are located are as follows:

· United States: There is no comprehensive federal personal-information-protection law; however, state-level personal-information-protection regimes are in place. In particular, in California, the California Consumer Privacy Act (the “CCPA,” including its successor law the CPRA) prescribes consumer rights regarding personal information and business obligations. Other states such as Virginia and Colorado have also enacted comprehensive state personal-information-protection laws. Information on the US regime provided by Japan’s Personal Information Protection Commission is available at the following link:
https://www.ppc.go.jp/enforcement/infoprovision/laws/offshore_report_america/

· Canada: At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use, and disclosure of personal information in commercial activities.

These regimes differ from the APPI in scope, covered parties, enforcement structure, and similar respects, but each builds a comprehensive system for the protection of data-subject rights and for business accountability.

Information on the Canadian regime provided by Japan’s Personal Information Protection Commission is available at the following link:
https://www.ppc.go.jp/enforcement/infoprovision/laws/offshore_report_canada/

[Protective Measures Taken by the Company]

The Company has entered into data processing agreements (DPAs) with the above subcontractors and ensures contractual protective measures including the following:

· AI-processing subcontractors (OpenAI, Google, Cohere) do not use Personal Data received from the Company to train their own AI models.

· Only the data necessary for processing is transmitted (data-minimization principle).

· Data transmitted to subcontractors is deleted within a short period after processing is complete.

· Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 equivalent).

· Where the Company has the option, Japan-located regions are used preferentially.

· Incident notification obligations.

Article 10 (Supervision of Subcontractors)

1. To the extent necessary to achieve the purposes of use, the Company may entrust all or part of the handling of Personal Data to external service providers. The principal subcontractors are as set forth in Article 6, Paragraph 3.

2. Subcontractors are selected from operators with sufficient personal-information-protection capabilities, and are contractually obligated to maintain security controls.

3. The Company exercises necessary and appropriate supervision over subcontractors’ handling of data.

Article 11 (Cookies and External Transmission)

1. The Service uses session cookies for login authentication. These are technically necessary to maintain authenticated state.

2. The Company does not use cookies or external-transmission technologies for the purposes of tracking, access analytics, advertising, or other profiling.

3. Cookies may be disabled through browser settings; however, doing so will prevent login to the Service.

Article 12 (Requests for Disclosure and Related Rights)

1. Candidates whose information is held and User Personnel may, in accordance with the APPI, make the following requests with respect to their own Personal Data held by the Company:

(a) Notification of the purpose of use of retained Personal Data

(b) Disclosure of retained Personal Data

(c) Correction, addition, or deletion of the contents of retained Personal Data

(d) Cessation of use or erasure of retained Personal Data

(e) Cessation of provision of Personal Data to third parties

2. Requests should be sent to the contact point set out in Article 16. After verifying the requester’s identity, the Company will respond without undue delay.

3. The Company may decline to respond in whole or in part in the following cases:

(a) Where the requester’s identity cannot be verified

(b) Where statutory requirements are not satisfied, or where an exclusion applies

(c) Where compliance would risk harm to the life, body, property, or other rights or interests of the data subject or any third party

4. A fee equivalent to actual costs may be charged for disclosure requests.

Article 13 (Data Retention Periods)

1. Candidate Information: The Company retains Candidate Information for the period necessary to provide the Service. Where a candidate requests deletion, the Company will respond within a reasonable period.

2. User Information: Retained for the duration of the service agreement and for any period thereafter required by law.

3. ATS-Integration Data: Retained for the duration of the service agreement and deleted after termination in accordance with Article 8, Paragraph 4.

4. Data retention at AI-processing subcontractors: Automatically deleted within the period set forth in each subcontractor’s service terms (a short period after processing is complete).

Article 14 (Incident Response)

1. If a leakage, loss, damage, or other security incident involving Personal Data occurs or is reasonably suspected, the Company will promptly investigate the facts and take measures to prevent escalation of harm.

2. Where reporting obligations under the APPI are triggered, the Company will report to the Personal Information Protection Commission and notify affected individuals within the prescribed timeframes.

3. Security incidents involving ATS-Integration Data will also be promptly notified to the applicable User.

Article 15 (Changes to this Policy)

1. The Company may change this Policy where there is a legal amendment, a change in business, or other reasonable cause.

2. Material changes will be announced on the Company’s website in advance.

3. The revised Policy becomes effective from the time it is posted on the Company’s website.

Article 16 (Contact Point)

Inquiries, complaints, and requests for disclosure or other rights concerning the handling of personal information should be directed to the contact point below.

ExecutiveSearch.AI K.K. — Personal Information Protection Manager

Ebisu Prime Square Tower 4F
1-1-39 Hiroo, Shibuya-ku
Tokyo 150-0012, Japan

Email: privacy-complaints@executivesearch.ai

Article 17 (Public Disclosures Relating to Opt-Out Provision)

1. Name, address, and representative of the Company

Name: ExecutiveSearch.AI K.K.

Address: Ebisu Prime Square Tower 4F, 1-1-39 Hiroo, Shibuya-ku, Tokyo 150-0012, Japan

Representative: ホインスキーケネスチャールズ, Representative Director

2. The fact that provision to third parties is a purpose of use

(a) Building the database used in the Service

(b) Providing information to Users from the database

(c) Performing AI scoring within the Service (fit assessment against job requirements)

(d) Identifying and presenting candidates to Users (including use in Users’ recruiting activities, HR-related business, or legitimate sales and marketing activities such as identifying decision-makers)

(e) Automated generation of scout email content

3. Recipients of Personal Data

Corporations or other organizations that require information for the purposes of recruiting activities or the provision of services related to recruiting activities, and that have entered into a contract for the Company’s services.

4. Items of Personal Data provided to third parties

(a) Name

(b) Current and prior employer and position

(c) Employment history

(d) Educational history

(e) AI-inferred information (estimated age, estimated compensation level, estimated language proficiency, etc.)

(f) Public profile URL

5. Method of acquisition of Personal Data provided to third parties

Acquired pursuant to commercial license agreements with third-party data providers that lawfully conduct their business.

6. Method of updating Personal Data provided to third parties

For the database created from information acquired by the method described in item 5, each time new information is acquired, consistency with existing information is verified and the database is updated.

7. Method of provision to third parties

Provided via an internet-based service available only to contracted customers of the Company.

8. Channel for requests to cease third-party provision

To request cessation of third-party provision, please contact the inquiry point set out in Article 16.

9. Scheduled commencement date of third-party provision of Personal Data

May 19, 2026.

Supplementary Provisions

This Policy takes effect on May 12, 2026.

In the event of any inconsistency between the Japanese and English versions of this Policy, the Japanese version prevails.