1. Data Controller
[Company Name]
[Address]
[Contact Email]
2. Legal Basis for Processing (GDPR Art. 6)
We process personal data under the following legal bases:
- Contract performance — to provide and operate the approval workflow service you signed up for
- Legitimate interest — for security monitoring, fraud prevention, and service improvement
- Consent — for optional data processing activities, which you can withdraw at any time
- Legal obligation — to comply with applicable laws and regulations
3. Purpose of Data Collection
We collect and use personal information for the following purposes:
- Providing and operating the approval workflow service
- User authentication and account management
- Sending notifications related to approval requests
- Security monitoring and session management
- Improving our services and providing customer support
4. Types of Personal Data Collected
- Email address
- Name
- Organization name
- Approval request content and decisions
- IP address and access logs
- Browser/user-agent information (for session management)
5. Third-Party Processors
We share personal data only with the service providers necessary to operate Shodaku.
All processors are bound by data processing agreements in accordance with GDPR Article 28.
Personal data is shared in the following cases:
- With your consent
- When required by law
- Service providers listed on our Subprocessors page
6. Your Rights
Under the EU General Data Protection Regulation (GDPR), Japan's Act on the Protection
of Personal Information (APPI), and other applicable data protection laws, you have the following rights:
- Right of access (GDPR Art. 15) — request a copy of your personal data
- Right to rectification (GDPR Art. 16) — correct inaccurate data via your account settings
- Right to erasure (GDPR Art. 17) — delete your account and all associated data
- Right to data portability (GDPR Art. 20) — export all your data in machine-readable JSON format
- Right to restrict processing (GDPR Art. 18) — request limitation of data processing
- Right to withdraw consent (GDPR Art. 7) — withdraw consent at any time through your account settings
To exercise these rights, use the tools on your Account page
(profile editing, data export, consent management, account deletion)
or contact us at the address above.
7. International Data Transfers
Shodaku operates across the US and Europe. Personal data may be transferred to and processed in
the United States, where our hosting infrastructure is located. We rely on Cloudflare's global
network, which provides data processing in accordance with applicable data protection standards.
8. Data Retention
We retain personal data for as long as your account is active. Upon account deletion,
your personal data is removed, including all requests, decisions, and group memberships.
Audit logs are retained for up to 2 years for compliance and security purposes, after which
they are automatically purged.
9. Security Measures
We implement technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS)
- Encrypted storage for sensitive credentials
- Passwordless authentication (magic links)
- Role-based access controls
- Comprehensive audit logging
- Session management with device visibility
- Security headers (X-Frame-Options, CSP, etc.)
10. Consent
By creating an account on Shodaku, you consent to the collection and use of your
personal information as described in this policy. You may withdraw consent at any time
through your account settings.
11. Contact & Complaints
If you have questions about this policy or wish to make a complaint, please contact us at the
address above. EU residents also have the right to lodge a complaint with their local
data protection supervisory authority.