ANA Business Jet Inc. Privacy Policy

Chapter 1. Our Handling of Personal Information of All Customers

1. Purpose of the Privacy Policy

(1) The purpose of the Privacy Policy is to ensure the protection of customers' personal information and to provide customers with ongoing security and trust.

2. Scope of application

The Privacy Policy will apply when customers and other individuals use our services and products.

3. Handling of Personal Information

(1) Acquisition and purpose of use of personal information

When acquiring personal information from customers, we will clarify the purpose for which the information is being acquired, and will acquire the information in an appropriate and fair manner to the extent necessary to achieve that purpose.
However, even within the intended scope, it will not use customers’ personal information in a way that may encourage or induce illegal or improper conduct.
The personal information we obtain from customers is necessary to provide our services to them, such as name, date of birth, telephone number, email address, travel plans, passport information, credit card information, ANA Mileage Club membership information, weight and blood type etc.
We utilize personal information obtained from its customers for the following purposes.

• Provision and contact regarding services/products.
• Arrangement of transportation, accommodation, etc. for services and receipt of such services.
• Products, notices of various events and campaigns, implementation of questionnaires concerning service and products.
• Development of new services/products, etc.
• Responses to inquiries, requests, complaints, consultations, etc.
• Sales analysis, research and analysis

※In addition to the above-mentioned purposes, personal information will be utilized for the purposes described in "4. Data sharing.(2)"

(2)Disclosure to third parties

We will not disclose or provide personal customer information to any third parties except under the following circumstances. Note that provision of information to business entrusted companies and data sharing partners are not deemed to constitute disclosure or provision to third parties.

1. Customer consent has been obtained.
2. Disclosure or provision is required within the scope allowed by laws or regulations.
3. Disclosure is required to protect human life, health, or property in cases where obtaining customer consent is difficult.
4. Disclosure is required to cooperate with the public affairs of national or local governments, and when obtaining customer consent is likely to hinder the administration of public affairs.
5. Disclosure or provision of information as statistical data (in a format that does not disclose the customer's identity).

4. Data sharing

We shall share personal customer information as follows.

(1) Scope of Data Sharing

ANA Group companies

(2) Purpose of use by the user

1. For provision of air transportation services, travel services including tours and hotels, and other products/services handled by the Company or companies that share data
2. For sending of direct mail and information on products/services, and distribution of questionnaires to customers, etc. by the Company or companies that share data
3. For sales analysis, other research/studies, and development of new products/services, etc. by the Company or companies that share data
4. For delivery and transfer of data to each company in charge, when we receive inquiries, application for use or other offers from customers regarding products/services provided by the Company or companies that share data
5. For appropriate and smooth fulfillment of other transactions with customers by the Company or companies that share data
6. For business management/internal management by the ANA Group

(3) Items of personal information to be shared

name, date of birth, telephone number, email address, travel plans, passport information, credit card information, ANA Mileage Club membership information , etc.

(4) Name, address, and representative of the party responsible for management of personal information

ANA HOLDINGS INC.
Shiodome City Center, 1-5-2, Higashi-Shimbashi, Minato-ku, Tokyo, Japan 105-7140
Koji Shibata,
President & Chief Executive Officer

5.Business entrustment

From time to time, we may entrust its business operations to third parties to which personal information may also be disclosed to the extent required. In these cases, we will implement all appropriate measures with such third parties to safeguard the confidentiality of customer data, including establishing agreements on the handling of such personal information.

6. Transfer to outside of Japan

We may transfer their personal information (name, passport number, and travel details, etc.) to outside of Japan. The countries or regions to which customers’ personal information is transferred may not have a system for personal information protection equivalent to Japan’s.
If we will provide customers' personal information to third parties such as business operators outside of Japan, including companies to whom we have entrusted business and our data sharing partners, we will do so with the consent of the customer except in the following cases:

1. The third party is in a country stipulated by law as a country that has a personal information protection system that is of an equivalent level to Japan; or
2. The third party has established the necessary system to continuously take measures equivalent to the measures that should be taken by Japanese business operators handling personal information.
   In the case of 2., we will take necessary and appropriate measures to ensure the continuous implementation of such equivalent measures by the third party.

7. Implementation of Safety Measures

We implement information security measures to ensure the accuracy and safety of our customers' personal information. Personal information is stored in a secure environment that is inaccessible to general users, and is protected against unauthorized access, loss, destruction, falsification, leakage, etc. of personal information. In addition, if the results of internal audits, examples of security incidents at other companies, or requests from customers indicate that information security measures need to be improved, we will promptly take corrective action.

8. Compliance with Laws and Regulations

In order to ensure the protection of personal information, we comply with laws, guidelines presented by the regulatory authorities (Ministry of Land, Infrastructure, Transport and Tourism, etc.) and other norms related to the handling of personal information.

9.Request about handling of Personal Information

If we receive a request from a customer, submitted in the manner specified, for the disclosure, correction, deletion, addition, discontinuance of use, erasure, or information provision concerning the personal information protection measures referred to in “6. Transfer to outside of Japan” and “7. Implementation of Safety Measures ” with regard to the customer’s personal information stored in a database held by us, the request will be handled according to the laws and regulations as follows, within a reasonable timeframe and scope, after confirming that the request was submitted by the customer themselves.

1. We will respond to your request for the purpose of use or disclosure of personal information.
2. Correction, deletion, or addition of personal information will be undertaken wherever possible after due review of the request.
3. Upon request, we will stop using or erase personal information or stop providing personal information to third parties.
   However, please note that such requests may impede the provision of services in accordance to their wishes. A customer request may be rejected partially or entirely if compliance with such request would endanger the life, health, or property of the customer or a third party; seriously impact our business operations; or result in a violation of laws or regulations.
4. We will provide the following information on personal information protection measures in accordance with the content of the request:
   1) The contents of the security management measures taken when we are entrusted with customers' personal information; and
   2) The contents of measures taken when we provide customers' personal information to a third party outside of Japan (when item 2. of "Transfer to outside of Japan" is applicable).

10.Submission of request for disclosure, etc.

(1) Requests as described in the preceding paragraph regarding personal information that is the subject of information disclosure, as well as any other complaints or inquiries regarding personal information, should be directed to the following reception desk.

①Reception desk

To make a request for disclosure, etc., please send the prescribed request form with the necessary documents attached by postal mail to the following address.

Personal Information Handling Desk, ANA Business Jet Inc.
Cross Office 1-18-6 Nishi Shimbashi, Minato-ku, Tokyo 105-0003, Japan

If you have any questions or need further assistance or inquiries, please contact us by mail at the above address or by e-mail at the address below.
Personal Information Handling Desk, ANA Business Jet Inc.
info@anabj.co.jp

(2) Documents and Fees for Requests for Disclosure, etc.

To make a “Request for Disclosure, etc.,” please fill out the following request form and send it by mail, enclosing documents for identification. Please note that we will not be able to respond to requests for disclosure, etc., if any items are not filled out.
Please download the request form from the link below.

①Application form prescribed by the Company

• Notice of Purpose of Use Request Form
• Disclosure Request Form
• Correction of Information Request Form
• Discontinuance of Use of Information Request Form

②Fees

A fee of 1,000 yen per application will be charged.

③Method for submitting request

Please send the required documents by postal mail to the address below.
Personal Information Handling Desk, ANA Business Jet Inc.
Cross Office 1-18-6 Nishi Shimbashi, Minato-ku, Tokyo 105-0003, Japan.

11.Modification of the Privacy Policy

We may make modifications to this Privacy Policy. If modifications are made, details will be posted on our website (www.anabj.co.jp/ ).

Chapter 2. Handling of personal information of EEA and UK residents by ANA Business Jet Inc

This Chapter 2 provides additional information about the handling of personal information of customers and other individuals in the European Economic Area (“EEA”) and/or the United Kingdom (“UK”) in accordance with EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”) and other national and international data protection and privacy laws (together, “Data Protection Laws”).

Please note that the UK’s laws are similar to those in the EEA, and customers from both jurisdictions have very similar rights. Accordingly, references to the GDPR in this Chapter should also be read as references to corresponding UK law.

In the event that any provisions of this Chapter 2 contradict those of Chapter 1, the provisions of this Chapter 2 shall prevail.

1. Introduction

A guardian’s consent or permission must be obtained in the event that a customer under the age of 16 uses our service and consents to this Privacy Policy. The data subject’s consent to this Privacy Policy must be obtained in the event that a person such as family member applies for our service on behalf of the data subject.

2. The controller of personal information

The controller of your personal information is ANA Business Jet Inc.
We protects personal information which is collected and used by controllers (who make decisions about how and why your personal information is used) and processors (who act on the controller’s written instructions) on the basis of Data Protection Laws.

3. Our lawful basis for processing personal information

We protects your personal information by ensuring that it can only be used to the extent necessary for specific purposes (as set out in Part 3 of Chapter 1 of this Privacy Policy) and by requiring that there is a lawful basis for each processing activity on the basis of Data Protection Laws.
We may process customer personal data on one or more of the following lawful bases:

1. When your consent is obtained to the processing (Article 6(1)(a) GDPR)
   Consent will usually only be relied upon for promotional and marketing related processing, or in some cases, in relation to sensitive personal data.
2. When processing is necessary in order to perform or take steps to enter into a contract (Article 6(1)(b) GDPR).
   This is typically why we process customer information which is essential to providing our services.
3. We need to process the information to comply with a lawful obligation (Article 6(1)(c)). This includes the requirement to share personal information with customs and immigration authorities or law enforcement, as well our legal duties towards its staff and customers.
4. The information is required to protect your, or a third party’s, vital interests (Article 6(1)(d)), for example in the event of a medical emergency.
5. It is in our or a third party’s legitimate interests to process the personal data, and these interests are not overridden by your rights under Data Protection Laws (Article 6(1)(f) GDPR). This includes the use of personal information necessary to operate ANA’s business and also to maintain, develop and improve its products and services and provide the best possible customer experience.

4. Request about processing of personal information

(1)Data Protection Laws provide you with the following legal rights:

1. Request for disclosure: You can request copies of your personal information and details of how we process it.
2. Request for correction or updating: Corrections or updates to personal information will be undertaken wherever possible after due review of the request.
3. Request for erasure: You may request that we delete all or part of the personal information we hold about you. We will consider your request and, where the information is no longer required or the law does not permit us to continue to retain it, we will delete it.
4. Transferring your personal information: You can request a copy of your personal information in a structured, common, machine-readable format. This only applies to personal information which we obtain from you and process on the basis of your consent or in order to perform a contract, and which is processed by automated means.
5. Objecting to processing: You can object to processing which is carried out on the basis of our or a third party’s legitimate interests or for the purpose of direct marketing. We will stop processing your information unless we have a strong reason to continue which overrides your objection. If your objection is to direct marketing, we will always stop.
6. Restricting how your personal information is processed. You can limit how we process your personal information in certain circumstances. Where this applies, any processing of your personal information (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
7. The right to withdraw consent. If we are relying on consent to process your personal information, you have the right to withdraw that consent at any time.

Please note, the rights set out above are not absolute and do not apply in every situation. There are also legal exemptions which apply in some situations and mean a request may be refused. Of course, if a request is refused we will inform you of the reasons for this when we respond.

Records of requests made to us will be retained so that we can ensure we have complied with our legal obligations.

(2) Method for submitting request

You can exercise your rights free of charge (except in the case of unreasonable, excessive or repeated requests in which case we may charge a fee or refuse the request). The method for submitting a request under this article shall be in accordance with the method described in Chapter 1.” 10.Submission of request for disclosure, etc.”
The request form in this case is as follows

• Notice of Purpose of Use Request Form
• Disclosure Request Form
• Correction of Information Request Form
• Discontinuance of Use of Information Request Form
• Consent Withdrawal Request Form
• Data Portability Request Form
• Objection Request Form

(3) Responding to a request

We will respond without delay and usually within one month. We may, in some cases, ask for identification or (if you are making the request on behalf of a third party) proof of your authority to submit a request. If your request is particularly complex or you have made a number of requests, it may take longer to provide a detailed response. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

If you are not satisfied with our response to a data protection request or if you think your personal information has been mishandled, then you have the right to complain to a supervisory authority. Please see Part 9 of this Chapter 2 (“Lodging a complaint with an authority”) for further details.

5. Data sharing which is necessary to provide products or services

Our products and services are provided with the assistance of other companies and organizations and often we will need to share personal information with third parties in order to run its business. These third parties include:

(1) Other companies in the ANA Group

(2) Organizations with which we are legally required to share personal information

including: government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.

(3) Service providers

including: subcontractor handling our flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, etc.
Where we instruct companies, contractors or service providers to process data on its behalf, then it will ensure that it does so pursuant to a contract which meets the requirements of applicable Data Protection Laws.

6. Marketing communications

We send out marketing communications from time to time to notify interested persons of news and provide details of products and services which may be of interest to them. We will only do this if the recipient has consented to receive marketing or if they are an existing customer who purchased products or services from us and were given the opportunity to opt-out from marketing at the time but chose not to do so.

7. Where your personal information is stored and transferred

We are located in Japan and many of the service providers and other organizations with whom we share your personal information will be located in jurisdictions outside the EEA and UK. It should be noted that Japan has been recognized by the European Commission as providing adequate protection for personal information.

When transferring personal information to third parties we will ensure that it complies with the requirements of Data Protection Laws, including the onward transfer requirements of the EU-Japan adequacy decision and related Japanese laws. However, you should be aware that recipients outside the EEA and UK may be subject to national laws which do not necessarily provide equivalent protection for your personal data. If you would like more information regarding where your personal information is stored and transferred please contact ANA using the details set out in Part 10 of this Chapter 1 (“Submission of request for disclosure, etc.”).

8. Retention of personal information

We retain customers’ personal information until the purpose of use is achieved. Particularly, we have set the retention period for personal information as follows. For most other personal information, the appropriate retention period will be determined based on the nature of the information and the purpose for having it by reference to legal and accounting requirements and our business needs.

(1) Passengers’ personal information

Until the completion of transportation and related work in our company.

(2) Other personal information

The shortest required period for the purpose to which customers have consented.

9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of their personal information with the data protection authority having jurisdiction over their residence.

(1) EEA residents: Please contact your national supervisory authority, details of which can be found on the European Data Protection Board’s website (https://edpb.europa.eu/about-edpb/board/members_en )

(2) UK residents: Please contact the Information Commissioner’s Office (www.ico.org.uk )

10. The contact information of the controller and our Data Protection Officer.

Controller: ANA Business Jet Inc.
Address: Cross Office 1-18-6 Nishi Shimbashi, Minato-ku, Tokyo 105-0003, Japan
info@anabj.co.jp

Chapter 3. Handling of personal information of China residents by ANA Business Jet Inc

Besides Chapter 1, Chapter 3 also applies to the handling of personal information of persons residing in the People's Republic of China (hereinafter, "China") based on China's Personal Information Protection Law and related regulations (hereinafter, “PIPL etc.”). In the event that any provisions of this chapter contradict those of chapter 1, the provisions of this chapter shall prevail.

1. Introduction

A guardian's consent or permission must be obtained in the event that a customer under the age of 18 uses our service and consents to this Privacy Policy. In the event that a person such as a family member applies for our service on behalf of the data subject, the consent of the data subject (when he/she is under the age of 14, his/her guardian) to this Privacy Policy must be obtained.

2. Collection of sensitive personal information

For the purpose of use, ANA may handle personal information that can be classified as sensitive personal information under PIPL etc., such as information about one’s passport, health condition, payment, or accommodations.
Since sensitive personal information can negatively affect the interests of customers if it is leaked or used unlawfully (for example, it is likely that individual dignity will be damaged or that personal safety and asset security will be put at risk), ANA will carefully manage such information and handle it in a lawful manner.

3. Retention period for personal information

We will retain the customer's personal information until the purpose of use is achieved. In particular, we set the retention period for personal information as follows.

(1) Passengers’ personal information

Until the completion of transportation and related work in our company.

(2) Other personal information

The shortest required period for the purpose to which customers have consented.

4. Technology and measure to protect customers’ personal information

(1) We take security measures to protect customers' personal information from leakage, alteration or loss. Specifically, we take the following measures to protect customers' personal information.

1. We establish and implement an internal management system and operational rules relating to the protection of personal information.
2. We conduct classification management for personal information.
3. We develop website with https and sets SSL encryption to secure important customers' data (credit card information, etc.) communication between the customers' web browser and the server.
4. We use encryption technology for protecting personal information.
5. We allocate access rights reasonably and controls access, so that access by unauthorized persons to personal information will be prevented.
6. In order to raise employee awareness of the importance of protecting personal information, we provide education and training on security and privacy protection.
7. We establish emergency responses for personal information incidents and prepare for their implementation.

(2) We will take all reasonable and practicable steps to ensure that no irrelevant personal information is collected. We will only retain customers' personal information for the shortest period of time required to achieve the purposes stated in this Privacy Policy, unless an extension of the retention period is permitted by law.

(3) In the event of a personal information incident, we will promptly inform customers of the relevant circumstances of the incident in accordance with the requirements of PIPL, etc. and report to the regulatory authorities.

5. Request about handling of Personal Information

In the event that we receive a request regarding the personal information it holds of a customer who is a resident of China, the request will be handled in a reasonable timeframe and scope in accordance with PIPL, etc. and Chapter 1 “Article 9 Request about handling of Personal Information”. In responding to the request, we may confirm that it was submitted by the customer himself/herself.

(1) Request for withdrawal of consent

If the handling of the customer’s personal information is based on his/her consent, the customer has the right to withdraw such consent.
Personal information items designated by the customer will be deleted in accordance with the customer's request, wherever possible and appropriate.
However, please note that such deletion may prevent customers from being provided with services that they had utilized, or may impede the provision of services in accordance with their wishes.

(2) Request for interpretation/explanation of Privacy Policy

Customers have the right to ask for the interpretation/explanation of this Privacy Policy.

(3) Methods for submission of requests

The method for submitting a request under this article shall be in accordance with the method described in Chapter 1.” 10.Submission of request for disclosure, etc.”

6. Provision to third parties and transfer outside China

When we provide personal information of customers to third parties (including the cases of provision due to shared use and business entrustment that involves the transfer of such information outside China), it will do so in accordance with PIPL, etc.

7. Change of purposes of use of personal data

In the case of a change to the purposes of use of personal information, we will announce the revised Privacy Policy in advance on our website (www.anabj.co.jp/ ) and we will use personal information in accordance with the new purposes of use of personal information after obtaining consent from customers.

8. Basic information of Controller of personal information

ANA Business Jet Inc.
Address: Cross Office 1-18-6 Nishi Shimbashi, Minato-ku, Tokyo 105-0003, Japan

Chapter 4. Handling of personal information of California residents by ANA Business Jet Inc

Last updated on July 1, 2024

Besides Chapter 1, Chapter 4 also shall be applied to the handling of personal information of persons residing in California, United States of America based on the California Consumer Privacy Act of 2018 as amended under the California Privacy Rights Act of 2020 (hereinafter “CCPA”). In the event that any provisions of this chapter contradict those of chapter 1, the provisions of this chapter shall prevail.

The terms used in this chapter are based on the definitions provided in CCPA. For example, the term “sale” means our selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for monetary or other valuable consideration. The term “sharing” means our sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. However, if we conclude an appropriate agreement concerning the handling of personal information with a third party, the activities mentioned above are not regarded as “sale” from the perspective of CCPA.

1.Acquisition and use of personal information

Personal information collected by us in the preceding 12 months or likely to be collected in the future is classified as defined in the following table. We use such information for the purposes set forth in Chapter 1, Article 3 (Purpose of using personal information). It will acquire such personal information directly from customers.

Type of personal information collected	Example of personal information
Identifiers (name or symbol, etc. used to uniquely identify a particular subject)	The customer's name, address, telephone number, email address, passport information, and ANA Mileage Club Membership Information etc.
Additional data subject to the California Customer Records statute (personal information categories in Cal. Civ. Code Sec. 1798.80(e))	Credit card information, etc.
Characteristics of protected classifications under California or federal law	The customer's dietary restrictions, etc.
Commercial information	ANA Mileage Club membership information, credit card expiration dates, credit card usage history and related information, itineraries, etc.
Internet or other electronic network activity information	Information such as that on how customers use our website and mobile application, including details on cookies, advertising identifiers (IDFA/GAID), location information, unique device identifiers, details on OS and browser type, etc., and website activity logs
Professional or employment-related information	Employment information (company name, division/department the customer belongs to, title, address, telephone number, fax number) and related information
Sensitive personal information	Passport information, information on physical condition or disease of the customer relevant to his/her boarding, the customer's dietary restrictions, the necessity to arrange for a wheelchair, and location information, etc.

2. The disclosure of personal information

(1) Sale of personal information

We will not sell customers' personal information (including personal information concerning minors) to any third parties, and has not sold the same in the past 12 months.

(2) The sharing of personal information

The types of personal information that we may share with third parties in the future, and the types of personal information that we have shared with third parties in the past 12 months and the types of third parties with whom we have shared personal information during the said period are shown below. We share such personal information with third parties in order to conduct marketing activities (including personalized advertisements), such as provision of information on events and campaigns. We will not share the personal information of a customer with a third party if we have actual knowledge that the customer is a minor.

Type of personal information shared	Example of personal information	Type of third party ANA shared personal information with in the past 12 months
Internet or other electronic network activity information	Information such as how customers use our website and mobile application, including details on cookies, advertising identifiers (IDFA/GAID), location information, unique device identifiers, details on OS and browser type, etc., and website activity logs	―

(3) Disclosure of personal information for business purposes

The types of customers' personal information that we have disclosed in the past 12 months for business purposes and the types of third parties to which such personal information has been disclosed are shown below. We disclose these types of personal information to third parties for the purposes specified in Chapter 1. ("3. Handling of Personal Information ").

Type of personal information disclosed	Example of personal information	Types of third parties to which the personal information has been disclosed in the past 12 months
Identifiers (name or symbol, etc. used to uniquely identify a particular subject)	The customer's name, address, telephone number, email address, passport information, and ANA Mileage Club Membership Information etc.	Subcontractor handling our flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Additional data subject to the California Customer Records statute (personal information categories in Cal. Civ. Code Sec. 1798.80(e)	Credit card information, etc.	Subcontractor handling our flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Characteristics of protected classifications under California or federal law	The customer's dietary restrictions, etc.	Subcontractor handling our flights, etc.
Commercial information	ANA Mileage Club membership information, credit card expiration dates, credit card usage history and related information, itineraries, etc.	Subcontractor handling our flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Internet or other electronic network activity information	Information such as that on how customers use our website and mobile application, including details on cookies, advertising identifiers (IDFA/GAID), location information, unique device identifiers, details on OS and browser type, etc., and website activity logs	Other companies in the ANA Group, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Professional or employment-related information	Employment information (company name, division/department the customer belongs to, title, address, telephone number, fax number) and related information	Other companies in the ANA Group, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Sensitive personal information	Passport information, information on physical condition or disease of the customer relevant to his/her boarding, the customer's dietary restrictions, the necessity to arrange for a wheelchair, and location information, etc.	Other companies in the ANA Group, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.

3. Sensitive personal information

We do not use or disclose sensitive personal information of customers for any purpose other than certain purposes permitted under the CCPA. We do not collect or process sensitive personal information of customers for the purpose of inferring characteristics about customers.

4. Retention of personal information

ANA retains customers' personal information until the purpose of use is achieved. Particularly, ANA has set the retention period for personal information as follows.
For most other personal information, the appropriate retention period will be determined based on the nature of the information and the purpose for having it by reference to legal and accounting requirements and our business needs.

(1) Passengers’ personal information

Until the completion of transportation and related work in our company.

(2) Other personal information

The shortest required period for the purpose to which customers have consented.

5. Request about handling of personal information

(1)Customers living in California have the following rights concerning their personal information:

1. Right to know
   Customers have the right to make a request to us for the disclosure of the following information regarding their personal information collected/used/disclosed by us within the 12 months before the date of request (hereinafter "Right to know"), up to twice in 12 months.
   • Type of the customer's personal information collected by us
   • Source of the collection of such personal information
   • Business or commercial purposes for the collection of such personal information
   • Type of third party with which such personal information has been shared
   • The customer's specific personal information collected by us
   • Type of the customer's personal information disclosed by us for a business purpose
   • Type of third parties to which each type of such personal information has been disclosed
2. Right to delete
   Customers have the right to make a request to us for the deletion of their certain personal information collected by us (hereinafter "Right to delete").
3. Right to correct
   Customers have the right to request us to correct incorrect personal information held by us (hereinafter the "Right to correct").
4. Right to opt-out of sharing
   Customers have the right to direct us to stop sharing their personal information with a third party (hereinafter the "Right to opt-out of sharing").

When, among the rights set out above, exercising the right to know, the right to delete or the right to correct, please contact us using any of the following methods. Once we receive such a request, it will be handled according to the related laws and regulations within a reasonable timeframe and manner, after confirming, through the procedures for individual identification described below, that the request was submitted by the customer himself/herself.

When, among the rights set out above, exercising the right to opt-out of sharing, please contact us using any of the following methods or through the link below. Once ANA receives such a request, it will be handled according to the related laws and regulations within a reasonable timeframe and manner.
"Do Not Sell or Share My Personal Information."

(2) Methods for submission of requests

The method for submitting a request under this article shall be in accordance with the method described in Chapter 1.” 10.Submission of request for disclosure, etc.”

As a rule, we will not treat customers who have submitted such requests in a discriminatory manner, such as changing their services. Even so, please note that deletion requests may prevent customers from receiving services which they have been provided with, or may impede the provision of services that are in accordance with their needs.

Established date: July 2, 2018
Revision date: April 1, 2020
Revision date: April 1, 2022
Revision date: July 1, 2024

ANA Business Jet Inc.

Chapter 5. Handling of personal information of Thailand residents

1. Introduction

This Chapter 5 provides additional information about the collection, use, or disclosure (“processing”) of personal information of customers and other individuals in the Kingdom of Thailand (“Thailand”) in accordance with the Personal Data Protection Act of Thailand B.E. 2562 (A.D. 2019) (“PDPA”).

If consent is required for processing of personal information relevant to the use of our services of data subjects who are minors, quasi-incompetents or incompetents under the law of Thailand and cannot lawfully give consent by themselves, consent or permission of the persons exercising parental power, their curators or custodians (as the case may be) must also be obtained. If data subjects are under the age of 10, only consent or permission of the persons exercising parental power must be obtained.

If we are not aware that the data subjects are minors, quasi-incompetent persons or incompetent persons prior to the collection of their personal information, upon learning that we have collected personal information of minors without the consent of persons exercising parental power (when it is required and the minors cannot lawfully give consent by themselves), or from quasi-incompetent persons and incompetent persons without the consent of their legal curator and custodian, we will delete the personal information at the earliest convenience unless we can rely on other legal grounds apart from consent for such processing.

The data subject’s consent to this Privacy Policy must be obtained in the event that a person such as family member or an agent authorized to act on its behalf applies for our service on behalf of the data subject.

In the event that any provisions of this Chapter 5 contradict those of Chapter 1, the provisions of this Chapter 5 shall prevail.

2. The controller of personal information

The controller of your personal information is ANA Business Jet Inc.
We protect personal information which is collected and used by controllers (who make decisions about how and why your personal information is used) and processors (who act on the controller’s written instructions) on the basis of the PDPA.

3. Our lawful basis for processing personal information

We protect your personal information by ensuring that it can only be used to the extent necessary for specific purposes (as set out in Part 3 of Chapter 1 of this Privacy Policy) and by requiring that there is a lawful basis for each processing activity on the basis of the PDPA.
We may process customer personal information on one or more of the following lawful bases:

(1) When your consent is obtained to the processing (Article 19 PDPA)

Consent will usually only be relied upon for promotional and marketing related processing, or in some cases, in relation to sensitive personal information.

(2) When processing is necessary in order to perform or take steps to enter into a contract (Article 24(3) PDPA).

This is typically why we process customer information which is essential to providing our services, including a customer’s identity, contact, payment and travel details, etc.

(3) We need to process the information to comply with a lawful obligation (Article 24(6) PDPA).

This includes the requirement to share personal information with customs and immigration authorities or law enforcement, as well our legal duties towards its staff and customers.

(4) The information is required to protect your, or a third party’s, vital interests (Article 24(2) PDPA), for example in the event of a medical emergency.

(5) It is in our or a third party’s legitimate interests to process the personal information, and these interests are not overridden by your fundamental rights regarding your personal information under the law (Article 24(5) PDPA).

This includes the use of personal information necessary to operate our business and also to maintain, develop and improve its products and services and provide the best possible customer experience to the extent permissible under the PDPA.

4. Request about processing of personal information

(1) The PDPA provides you with the following legal rights:

Request for disclosure: You can request copies of your personal information and details of how we process it.
Request for correction or updating: Corrections or updates to personal information will be undertaken wherever possible after due review of the request.
Request for erasure: You may request that we erase, destroy or anonymize all or part of the personal information we hold about you. We will consider your request and, where the information is no longer required or the law does not permit us to continue to retain it, we will delete it.
Transferring your personal information: You can request a copy of your personal information in a structured, common, machine-readable format. This only applies to personal information which we obtain from you and process on the basis of your consent or in order to perform a contract, and which is processed by automated means.
Objecting to processing: You can object to processing which is carried out on the basis of our or a third party’s legitimate interests or for the purpose of direct marketing. We will stop processing your information unless we have a legitimate reason to continue which overrides your objection. If your objection is to direct marketing, we will always stop.
Restricting how your personal information is processed. You can limit how we process your personal information in certain circumstances. Where this applies, any processing of your personal information (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
The right to withdraw consent.
If we are relying on consent to process your personal information, you have the right to withdraw that consent at any time.
However, the withdrawal of consent shall not affect the processing of your personal information that you have already given consent legally before it is withdrawn.
Please note, the rights set out above are not absolute and do not apply in every situation. There are also legal exemptions which apply in some situations and mean a request may be refused.
Of course, if a request is refused we will inform you of the reasons for this when we respond.
Records of requests made to us will be retained so that we can ensure we have complied with our legal obligations.

(2) Method for submitting request

You can exercise your rights free of charge (except in the case where expenses may be chargeable under the PDPA). The method for submitting a request under this article shall be in accordance with the method described in Chapter 1.” 10.Submission of request for disclosure, etc.”

(3) Responding to a request

We will respond without delay and usually within thirty (30) days. We may, in some cases, ask for identification or (if you are making the request on behalf of a third party) proof of your authority to submit a request. If your request is particularly complex or you have made a number of requests, it may take longer to provide a detailed response. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

If you are not satisfied with our response to a data protection request or if you think your personal information has not been processed appropriately, then you have the right to file a complaint with the Personal Data Protection Committee of Thailand. Please see Part 9 of this Chapter 5 (“Lodging a complaint with an authority”) for further details.

5. Data sharing which is necessary to provide products or services

Our products and services are provided with the assistance of other companies and organizations and often we will need to share personal information with third parties in order to run its business. These third parties include:

(1) Other companies in the ANA Group

(2) Organizations with which we are legally required to share personal information

including: government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.

(3) Service providers

including: subcontractor handling our flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, etc.
Where we instruct companies, contractors or service providers to process data on its behalf, then it will ensure that it does so pursuant to a contract which meets the requirements of PDPA.

6. Marketing communications

We send out marketing communications from time to time to notify interested persons of news and provide details of products and services which may be of interest to them. We will only do this if the recipient has consented to receive marketing communications.

7. Where your personal information is stored and transferred

We are located in Japan and many of the service providers and other organizations with whom we share your personal information will be located in jurisdictions outside Thailand.
When transferring personal information to third parties, we will ensure that it complies with the requirements of the PDPA and related Japanese laws.
However, you should be aware that recipients outside Thailand may be subject to national laws which do not necessarily provide equivalent protection for your personal information. If you would like more information regarding where your personal information is stored and transferred please contact our using the details set out in Part 10 of this Chapter 1 (“Submission of request for disclosure, etc.”).

8. Retention of personal information

We retain customers’ personal information until the purpose of use is achieved. Particularly, we have set the retention period for personal information as follows. For most other personal information, the appropriate retention period will be determined based on the nature of the information and the purpose for having it by reference to legal and accounting requirements and our business needs.

(1) Passengers’ personal information

Until the completion of transportation and related work in our company.

(2) Other personal information

Required period for the purpose which customers have consented.
Please note that we may retain your personal information for a longer period than mentioned above if it is for the purposes of the establishment, compliance, or exercise of legal claims, the defense of legal claims, or the purpose for compliance with the law.

9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of their personal information with the Personal Data Protection Committee of Thailand.

10. The contact information of the controller and our Data Protection Officer.

Controller: ANA Business Jet Inc.
Address: Cross Office 1-18-6 Nishi Shimbashi, Minato-ku, Tokyo 105-0003, Japan

Data Protection Officer email: info@anabj.co.jp