Last Revised: February 20, 2026
Epigenetic AI Inc. (hereinafter referred to as the Company) establishes the following privacy policy (hereinafter referred to as this Policy) regarding the handling of personal information within the services provided by the Company (hereinafter referred to as the Services), and shall handle personal information appropriately in accordance with this Policy.
1. Company Information
- Company Name: Epigenetic AI Inc.
- Location: Atagoyama PREX 10F, 3-25-31 Nishi-Shinbashi, Minato-ku, Tokyo
- Contact Information: privacy@epigeneticai.co.jp
2. Scope of Application
This Policy applies to personal information and personal related information acquired and used by the Company in connection with the Services. It does not apply to services managed or provided by third parties other than the Company.
3. Acquisition of Personal Information
When acquiring personal information, the Company shall strive to clarify necessary matters in advance—such as the items of personal information to be handled, the purpose of use, and contact information—and obtain the consent of the individual. In addition, when acquiring personal information from a third party, if laws and regulations impose an obligation to confirm and create a record upon such receipt of third-party provision, the Company shall properly fulfill these obligations.
4. Purpose of Use
The Company shall acquire and use the obtained personal information within the scope of the following purposes of use (hereinafter referred to as the Purposes of Use):
- ① To provide the Services; to perform procedures such as identity verification, account management, and authentication related to the Services.
- ② To respond to inquiries and send communications regarding maintenance, important notices, etc.
- ③ To ensure security, prevent fraud, conduct audits/recording, and respond in accordance with laws and regulations.
- ④ To improve quality, evaluate safety, and develop algorithms (implemented after taking necessary legal measures, such as statisticalization or pseudonymized processing).
※ If the Purposes of Use are changed, it shall be done within a scope reasonably recognized as being relevant to the original purposes.
5. Provision to Third Parties
Except in the following cases, the Company will not provide personal information handled by the Company to a third party without obtaining the prior consent of the individual:
- ① Cases in which the provision of personal data is based on laws and regulations.
- ② Cases in which the provision of personal data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person.
- ③ Cases in which the provision of personal data is specially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the person.
- ④ Cases in which the provision of personal data is necessary for cooperating with a state organ, a local government, or an individual or a business operator entrusted by one in executing the affairs prescribed by laws and regulations and in which obtaining the consent of the person is likely to impede the execution of the affairs.
- ⑤ Other cases permitted by laws and regulations.
- Outsourcing: The Company may provide information to the minimum extent necessary under the supervision of the Company in accordance with Section 7.
6. Personal Related Information (Cookies, etc.)
The website related to the Services managed by the Company may use Cookies and similar technologies to improve convenience, ensure security, and analyze usage status. If these are provided to a third party and it is anticipated that the third party will acquire them as personal data, the Company will take necessary legal measures, such as confirming that the individual's consent has been obtained. Details are described in the External Transmission Policy / Cookie Policy.
7. Supervision of Contractors (Domestic)
The Company may outsource the handling of personal information to domestic vendors and data centers within the scope necessary to provide the Services. When outsourcing, the Company will mandate by contract purpose limitations, confidentiality, security management, restrictions on sub-contracting, notification and reporting in the event of an accident, and audits/corrections, and will conduct regular evaluations and audits.
8. Joint Use (When Applicable)
When engaging in the joint use of personal information, the Company will announce in advance the scope of the joint users, the items and acquisition methods of the personal information to be jointly used, the purpose of use by the joint users, and the person responsible for the management of the jointly used information (posted separately on the Company's website).
9. Overseas Transfer (Provision to Third Parties in Foreign Countries)
The Company may provide personal data to third parties located in foreign countries (cloud service providers, contractors, business partners, etc.) within the scope necessary for the provision, operation, maintenance, and security measures of the Services. When providing such data, the Company will implement appropriate protective measures as follows:
- Implementation of Protective Measures via Contract, etc. (Equivalent Measures):
The Company will mandate the recipient by contract to limit the purpose, prohibit re-provision, maintain confidentiality, implement security management measures, notify and cooperate in the event of a leak, restrict sub-contracting, cooperate with data subject requests, and accept audits/corrections.
- Continuous Monitoring and Regular Evaluation:
The Company will continuously monitor the operational status of the recipient's protective measures and the institutional status of the destination country/region, conducting regular checks (documentary confirmation, evidence review, etc.) at least once a year. Temporary evaluations and corrections (temporary suspension of provision, contract correction, alternative measures, etc.) will be implemented as necessary.
- Provision of Information to the Individual:
Upon request from the individual, the Company will provide in an easy-to-understand manner the name of the destination country/region, an overview of the personal information protection system in that country/region, a summary of the protective measures taken by the recipient, and the method and frequency (once a year) of the Company's continuous monitoring and evaluation. When providing information based on the individual's consent, this information will be provided in advance at the time consent is obtained.
- Limitation of Items and Purposes of Provision:
Regarding the provision of personal information overseas, the Company will keep the items provided to the minimum necessary, clarify the purpose of provision, and conduct the provision under appropriate management. The items provided, destination, purpose of use, and details of protective measures will be appropriately notified or publicly announced to the individual in accordance with the law.
- Response to the Exercise of Rights:
Inquiries, requests for information provision, and requests to stop the transfer regarding overseas transfers will be accepted at the contact point in Section 1 and handled appropriately.
10. Security Management Measures (Domestic Storage)
The personal information handled by the Company will be stored in domestic data centers/clouds in Japan. To prevent the leakage, loss, or damage of personal information and to ensure its secure management, the Company will take necessary and appropriate measures, including the following:
- Organizational: Development of regulations, authority management, contractor management, log audits, internal audits.
- Personnel: Confidentiality agreements, role-based training, pledges, revocation of authority upon resignation.
- Physical: Entry/exit management, media management, disaster/BCP (Business Continuity Plan) measures.
- Technical: Access control, multi-factor authentication, encryption (storage/transmission), tamper detection, vulnerability management, backups.
(The implementation and operation will be continuously reviewed in accordance with practical guidelines in the medical field.)
11. Retention Period
Unless otherwise stipulated by law, the Company will not retain personal information beyond the period necessary to achieve the Purposes of Use. Information that is no longer needed will be deleted and erased in an irrecoverable manner, including backups and logs.
12. Rights of the Individual (Requests for Disclosure, etc.)
The individual may request the notification of the purpose of use, disclosure, correction/addition/deletion, suspension of use/erasure, and disclosure of third-party provision records regarding the retained personal data held by the Company.
- Application Desk: The contact desk in Section 1
- Identity Verification: Identity verification documents required
- Fees: Free of charge
- Response Method: In writing or via electronic means
13. Personal Information of Minors
Information of minors (under 18 years of age) will be acquired, used, and provided to third parties only after obtaining the consent of a parent or guardian.
14. Response in the Event of Leakage, etc.
In the event of a leakage, loss, or damage that may harm the rights and interests of individuals, the Company will promptly report to the competent authorities and notify the individuals concerned. If necessary, the Company will take measures such as publicizing the incident and establishing a consultation desk.
15. Continuous Improvement
The Company will continuously review and improve its personal information protection system and security management measures through internal audits, education, training, and inspections.
16. Changes to this Policy
The Company may change this Policy in response to legal amendments or changes in service content. In the event of a change, it will be posted on the website managed by the Company. Please thoroughly check the contents of the latest Policy posted on the website.
Established: October 14, 2025