Privacy Policy|ANA DUTY FREE SHOP
ANA DUTY FREE

Privacy Policy

About security

Enabling visitors to use the site securely
The Site is managed and operated as described below to enable visitors to use the site securely.
Secure Sockets Layer (SSL)

The Site's security certificate can be verified using the SECOM Passport for Web Services of SECOM Trust Systems Co., Ltd. In addition, all personal information and other information transmitted via the Site is protected using SSL encryption, so that visitors can use the Site with peace of mind.

About Secure Sockets Layer (SSL) technology

Regarding the Handling of personal information
We hereby assured that information provided by customers who registered is managed appropriately and will not be provided to third parties in any form that could be used to identify individuals. Even when customers' personal information is, with their consent, provided to third parties, such parties are required to manage it appropriately and securely to the same degree as the Company.

Description of policy on using cookies to collect information on Site use

About cookies

Cookies are files stored on users’ computers when they visit a webpage, used to exchange information between their browsers and the server regarding usage histories, information input, and other information. Site administrators can use cookies to modify the content displayed to individual users when they access the same webpages again. If a user permits the exchange of cookies in the browser settings, then websites may access cookies from the user's browser.

To protect users' privacy, browsers transmit data on cookies only to the individual websites that issued the cookies.

Cookie settings

Users may choose or change their browsers' cookie settings in various ways, such as setting them to accept all cookies, to reject all cookies, or to notify the user when a cookie has been received.Setting methods vary by browser. Check your browser’s Help menu concerning how to change cookie settings.

Please note that if a user chooses to reject all cookies, use of various Internet services may be restricted. For example, you may be unable to access services that require user authentication.

The Site’s uses of cookies

The Site uses cookies for the following purposes:

  1. (1) For login information for services for ANA Duty-Free Shop registered users
  2. (2) For information on pages personalized for customers
  3. (3) For homepage settings information
  4. (4) To transmit appropriate advertising to customers on other companies' websites based on the services they use on the site
  5. (5) To research the site's number of users and traffic

The Site may store and refer to cookies for Site services via third-party subcontractors entrusted with distributing advertising for Site services.

Privacy Policy

ANA Trading Duty Free Co., Ltd., (hereinafter referred to as the Company), considers the personal information entrusted to it by customers through inquiries concerning sales and the Company's business, such as the business of operating DUTY-FREE shops, which is essential to the provision of services that will satisfy customers fully, to be important customer property entrusted to it, and it recognizes that the protection of customer personal information is one of its social responsibilities.The Company has established, and implements and maintains, the following policies on the protection of personal information.Chapter 1 applies to handling of personal information of all customers, while Chapters 2, 3, 4, and 5 describe region-specific information for customers located or residing in the European Economic Area/United Kingdom, the People's Republic of China, the US state of California, or the Kingdom of Thailand, respectively.
Collection and use of personal information
The Company collects personal information only within the extent of clearly defined purposes of collection. The Company uses personal information within an extent that does not deviate from those purposes.
Management and protection of personal information
The Company manages personal information strictly and shall not disclose or provide personal data to any third party without the customer’s consent. It also takes appropriate preventive and corrective measures to prevent unauthorized access to, loss of, damage to, unauthorized alteration of, and leakage of personal information.
Applicable laws etc.
The Company complies strictly with laws, regulations, and other standards applicable to personal information.
Continuous improvement of structure and system for managing personal information protection
The Company shall make continual improvements to its structures and systems on management of protection of personal information.

Chapter1. Regarding the Handling of personal information of all customers

1. Introduction
This Privacy Policy explains how the Company handles the personal information received from customers. Please read this Privacy Policy carefully before providing personal information to the Company or using the services and products of the Company.
Chapter 1 of this Privacy Policy describes the overview of how the Company uses customers' personal information. Other policies may apply to the services and products of the Company, details of which will be provided along with the terms of the relevant service.
2. Scope
This Privacy Policy applies when customers provide personal information to the Company or use the services and products of the Company.
3. Purposes of use of personal information

The Company uses customers' personal information for the following purposes. The Company does not use customers' personal information through methods that could promote or induce unlawful or inappropriate acts, even within of the scope of the purposes of use.

  1. (1) For reservations, sales, shipping, and payment for products, and services offered in shops
  2. (2) Provision of services in ANA Mileage Club
  3. (3) For guidance, provision, and management of other services and products offered by the Company
  4. (4) Research and analysis of the status of the use of other services and products handled by the Company
  5. (5) All business operations incidental and related to (1) and (4) above
  6. (6) To conduct surveys concerning Company services adf products
  7. (7) To develop new services and products.
  8. (8) For announcements, operation, management, and provision of various types of information regarding events and promotional campaigns
  9. (9) For notification of services and products offered by the Company
  10. (10)For announcements, operation, management, and provision of various types of information regarding services, products, events, and promotional campaigns handled by ANA Group member companies, partner companies, and others
  11. (11)For responding to inquiries and requests
  12. *Personal information also may be used for the purposes identified under 7. "Joint use of personal information."
4. Obtaining personal information

The Company will obtain the following personal information by fair and appropriate means for the purpose of achieving the previously mentioned purposes.

  1. (1) Information on an individual, contact information, payment information, etc.
    The customer’s name, address, telephone number, fax number, email address, employment information (company name, department/section the customer belongs to, title, address, telephone number, fax number), mailing address, date of birth, passport information, payment information including details of payment methods, such as credit and debit cards.
  2. (2) Information concerning ANA Mileage Club members and the use of subject services
    ANA Mileage Club membership number, type of membership card, member service eligibility, region, miles, credit card number, credit card expiration date, record of credit card use and related information, whether a wheelchair or other arrangements are needed, flight reservation/cancellation information, boarding, and the use of services, as well as other information as needed
  3. (3) Contents of inquiries and opinions to the Company
    Contents of information, inquiries, requests, and opinions contained in communications with customers (including their cause and resolution), etc.
    *The Company may monitor, record, store, and use communications with customers (by phone, e-mail, etc.) in order to check any instructions given by customers, provide training, prevent any crime, and improve the quality of the Company's customer service.
  4. "(4) IT and system data that include the usage of the Company's website and mobile application
    Information on how customers used the Company's website and mobile application, including cookies and action logs on the website etc."
  5. Company will never obtain and use information of a sensitive nature to the customer (hereinafter, “sensitive information”), such as information on race, beliefs, social standing, history of illness, crime records, and history of having been afflicted by crime, unless required by laws and regulations or by the consent of the customer.
5. Choice by the customer
As a rule, Company obtains personal information by the volition of the customer. Customers may experience disadvantages if they refuse to provide their personal information, such as being unable to make use of the various services provided by Company, or being unable to receive campaign notices and other Company information because a part of the functions of Company’s system become inoperable and thereby unavailable. Please note that customers may change their contact information as well as their decision on whether or not they wish to receive email magazines at any time they wish, in a manner designated separately by Company.
6. Disclosure and provision to third parties

The Company shall not disclose or provide customer personal information to third parties except in the following cases. Also, customers’ personal information including sensitive information will not be disclosed or provided to third parties under any circumstances, unless allowed by laws and regulations or by consent of the customer.

Provision of information to joint users or business entrusted companies are not considered disclosure or provision to third parties.

  1. (1) When the customer has consented to such disclosure or provision in advance;
  2. (2) When its disclosure of provision is required by law or regulations;
  3. (3) When necessary for the purposes of protecting human life, health, or property, and it would be difficult to obtain the consent of the customer;
  4. (4) When it is necessary to cooperate in the performance of official duties by a national or local public agency or similar body, and obtaining the consent of the customer could impede the performance of such duties
  5. (5) When disclosing or providing information in a state in which it is not possible to identify individuals, such as information in the form of statistical data;
  6. (6) When providing information as a result of the succession of business due to a merger, company split, transfer or business, or otherwise
  7. (7) When providing information in accordance with the procedures based on laws and regulations under the condition that the following information is put into a state where customers themselves can easily check through the Company's website and that customers have not indicated their intention to refuse the provision of the information.
  1. 1) To set a third-party provision as a purpose of use
  2. 2) Categories of personal data provided to a third party
  3. 3) Means or methods of a third-party provision
  4. 4) To suspend a third-party provision upon the customer's request
  5. 5) Methods for receiving requests from customers
7. Subcontracting
In providing services and products to customers, the Company may entrust a part of its business operations to subcontractors to which personal information may be provided to the extent required to achieve the purposes of use. In such a case , the Company will implement the appropriate management and supervision of such subcontractors, including concluding agreements with such subcontractors on the handling of customers' personal information.
8. Joint use of personal information

The Company engages in the joint use of customers' personal information as described below.

(Scope of joint users of personal information)
ANA Group member companies
(Purposes of use by joint users)
  1. (1) To provide air transportation services; tours, hotels, and other travel services; and other products and services offered by the Company or the joint user company
  2. (2) To send direct mail, provide information on products and services, and conduct surveys by the Company or the joint user company
  3. (3) For use in sales analysis and other studies and research and in development of new products and services by the Company or the joint user company
  4. (4) To notify the company in charge and handover related information in response to inquiries, applications for use, or other contact from customers regarding products or services provided by the Company or the joint user company
  5. (5) To smoothly execute other appropriate transactions with customers by the Company or the joint user company
  6. (6) For purposes of ANA Group business administration and internal management
(Items of personal information subject to joint use)
ANA Mileage Club member number, customer name, address, telephone number, fax number, email address, employer (company name, section, position, address, telephone number, fax number), shipping address, type of membership card, member service eligibility, region, miles, credit card number, credit card expiration date, record of credit card use and related information, whether a wheelchair or other arrangements are needed, flight reservation/cancellation information, boarding and use of services, content of inquiries, records of use of websites, apps, and related information
(Name, address and name of the representatives of the party responsible for management of personal information.)
ANA Holdings Inc.
Shiodome City Center,
1-5-2 Higashi-Shimbashi, Minato-ku, Tokyo 105-7140
Koji Shibata, Representative Director and President
9. Transfer to outside of Japan
If Company provides customers’ personal information to third party business operators outside of Japan, including subcontractors, Company will take necessary and appropriate measures in keeping with laws and regulations.
10. Management of personal information
The Company shall manage customers’ personal information properly and employ necessary security measures to prevent cases such as leakage, loss, and unauthorized alteration of such information. The Company ensures that the board members and employees are properly trained regarding appropriate handling to safeguard the security of information identifying individual customers. An appropriate retention period for personal information will be established in accordance with the purpose for which such information is used. After the purpose of the information has been achieved, Company will dispose of the information in question by appropriate methods. See "11. Request regarding the handling of personal information" if you wish to confirm details of security measures.
* See "Information security in the ANA Group" concerning information security policies.
11. Request regarding the handling of personal information

When the Company receives a request from a customer in a specified manner for the disclosure, correction, deletion, addition, cessation of the use, or erasure (hereinafter "Disclosure etc.") of the customer's personal information stored in a database held by the Company, or under "9. Transfer to outside of Japan" or provision of information on personal information protection measures under "10. Management of personal information," the Company will handle the request according to laws and regulations as follows within a reasonable timeframe and scope, after confirming that the request was made by the customer themselves.

  1. (1) Requests for disclosure
    The Company will disclose the item or the purpose of use of personal information, or a record of provision to third parties, in accordance with the customer's request.
  2. (2) Requests for correction, partial deletion, or addition
    The Company will correct, delete, or add the contents of personal information to the extent appropriate and possible after due review of the contents of the request.
  3. (3) Requests for cessation of use or removal
    The Company shall, within the extent that is appropriate and feasible, cease the use of the items of personal information specified by the customer in accordance with the content of the request, or remove them if so requested.Before requesting cessation of use or removal of personal information, note that doing so may make it impossible to provide services that had been available for use until then or other services as requested by the customer.
  4. (4) Requests for information on personal information protection measures
    The Company shall provide information on the following matters as requested by the customer.
    1. 1) Details of security measures taken by the Company for personal information from customers
    2. 2) Details of measures taken when the Company provides customers' personal information to third parties outside of Japan (in cases under "9. Transfer to outside of Japan")

Also, the Company may not be able to respond to such a request from the customer if doing so would markedly impede the Company's ordinary business operations or could violate the provisions of laws or regulations.

12. Submission of request for disclosure, etc.

The method of submitting requests for disclosure etc. or notification of the purposes of use of personal information received by the Company from customers and contact information for inquiries are as follows.

Request for disclosure etc.
(1) Contact information for inquiries
Please direct any inquiries regarding customer personal information to the contact point shown on the website used.
Requests for disclosure etc. shall be made through the method described below. Send such a request to the address below, after enclosing in the envelope the Company’s designated form, the necessary documents, the fee, and a return envelope.
(2) Where to send the necessary documents
282-0005 ANA Duty Free Shop Web Site Privacy Dept., ANA Trading Duty Free Co., Ltd.
5F, ANA Narita Sky Center, Narita International Airport, Narita, Chiba Prefecture, Japan
(3) Necessary documents to submit

To request disclosure, enter all necessary information on the following request form (A) and send it by post with the identification documents (B) enclosed. Note that a request for disclosure may not be responded to when the form is incomplete or there is a discrepancy in the necessary documents.
Download request form (A) from the Company website in PDF format.

Click here for request form (A)

(A) The Company’s designated request form
Request for Disclosure etc. of Personal Data
(B) Documents for confirming the requester’s identify as the individual concerned by the personal information or his or her representative
(For a request by the individual concerned by the personal information)
  • Copies of two of the following: a driver’s license, health insurance card, pension booklet, passport, basic resident register card with a face photo, residence card or special permanent resident certificate, physical disability certificate, certificate of registered seal, Individual Number Card (front page only)
(For a requested by a legal representative [parent or guardian])
  • Documents proving that the representative is a legal representative of the user (such as a family register or certificate of residence)
  • Proof of identification of the legal representative (copies of two of the following: a driver’s license, health insurance card, pension booklet, passport, basic residents’ registry card with photo)
(For a request by an authorized representative of the individual concerned by the personal information)
  • A letter of attorney from the user (with the registered seal of the user affixed on the request form for disclosure etc. of the "Retained Personal Data")
  • A seal-registration certificate of the individual concerned
  • Proof of identification of the authorized representative (copies of two of the following: a driver’s license, health insurance card, pension booklet, passport, basic resident register card with a face photo, residence card or special permanent resident certificate, physical disability certificate, certificate of registered seal, Individual Number Card (front page only)
(4) Fee
Customers are required to pay 500 yen for each request for Disclosure etc. Please enclose postal stamps equivalent to the fee when making a request.
(5) Timing of disclosure
The personal information requested shall be sent to the requester by postal mail after receiving and verifying the request form for disclosure.
(6) Other matters
It may take some time before a request for correction, partial deletion, addition, cessation of use, full deletion, etc. is reflected in all services. Please note that in such a case, the timing of reflecting such a request may vary slightly from the timing announced by the Company.
13. Amendments to the Privacy Policy
The Company may amend this Privacy Policy. In such a case, the amended Policy will be posted on the Company website. Please check the content of the amended Policy closely.

Chapter 2. Regarding the Handling of Personal Information of Customers Located in EEA and UK

1. Introduction

Chapter 1 explains regarding the handling of personal information of customers in the European Economic Area (countries in this Area are hereinafter collectively the "EEA") and/or the United Kingdom (hereinafter the "UK") in accordance with EU General Data Protection Regulation 2016/679 (hereinafter "GDPR") and the UK Data Protection Act (hereinafter "DPA 2018"), and other national and international data protection and privacy laws and regulations of the EEA and/or the UK (hereinafter collectively "Data Protection Laws"). Please note that the UK's laws are similar to those in the EEA, and customers from both jurisdictions have very similar rights. Therefore, references to the GDPR in this chapter shall also be read as references to the corresponding UK law.

When a customer under the age of 16 uses the Company's services and others, a customer is required to obtain the guardian's consent or permission to the consent to such use. A customer who uses the Company's services or inputs data on behalf of the data subject shall apply for regarding the handling of personal information by the Company with the consent of the data subject.

In the event that any provisions of this chapter contradict those of Chapter 1, the provisions of this chapter shall prevail.

2. Controller of personal information
The controller of customers personal information shall be the Company. The Company protects personal information that is collected and used by controllers (who make decisions on the method and purpose of the handling of customers personal information) and processors (who act on the controller's written instruction) pursuant to Data Protection Laws.
3.Legal grounds for processing personal information

The Company protects customers personal information by processing such information only to the extent necessary for specific purposes (as set forth in Article 2. (Purposes of use of personal information) of Chapter 2 of this Privacy Policy) pursuant to Data Protection Laws.
The Company processes customers' personal information based on any of the following legal grounds.

  1. (1) When a customer consents to the processing (Article 6 (1)(a) of GDPR)
    Consent will usually only be applied for promotional and marketing related processing, or in some cases, for processing in relation to sensitive personal data.
  2. (2) When processing is necessary in order to perform or take steps to enter into a contract (Article 6 (1)(b) of GDPR)
    This becomes grounds for processing customers' information that is essential to providing services by the Company, including information on customer's identity, contact, payment, and travelling.
  3. (3) When the Company needs to process the information to comply with legal obligations (Article 6 (1)(c) of GDPR)
    This includes sharing personal information with customs, immigration authorities, law enforcement, as well as legal obligations towards customers and the Company's employees.
  4. (4) When the information is required to protect the vital interests of customers or third parties ((Article 6 (1)(d) of GDPR), for example in the event of a medical emergency.
  5. (5) When the processing of personal data is necessary for the legitimate interests of the Company or third parties and these interests are not overridden by customers' rights under Data Protection Laws (Article 6 (1)(f) of GDPR)
    This includes the use of personal information necessary to operate the Company's business and to maintain, develop, and improve the Company's products and services and provide the best possible customer experience.
4. Request Regarding the Handling of personal information

Data Protection Laws allow customers to have the following legal rights.

  1. (1) Request for disclosure
    The customer may request copies of the customer's personal information held by the Company and details of how the Company processes it.
  2. (2) Request for correction or updating
    The Company will correct or update the customer's personal information wherever possible after due review of the request.
  3. (3) Request for deletion
    The customer may request that the Company delete the whole or part of the customer's personal information held by the Company. The Company will consider the request and delete the information where the information is no longer required, or the law does not permit the Company to continue to retain it.
  4. (4) Transferring personal information
    The customer may request a copy of the customer's personal information in a structured, common, machine-readable format. The transfer of personal information only applies to personal information that the Company obtains from the customer and processes on the basis of the customer's consent or in order to perform a contract and that is processed by automated means.
  5. (5) Objecting to processing
    The customer may make an objection to processing aiming for the legitimate interests of the Company or a third party or for direct marketing. The Company will cease processing the customer's information unless the Company can demonstrate compelling legitimate grounds for such processing that override the customer's interests. The Company will cease the processing if the customer's objection is to direct marketing.
  6. (6) Restrictions on the method for using personal information
    The customer may restrict the use of the customer's personal information by the Company under certain circumstances. Where this applies, any processing of the customer's personal information (other than storing it) is carried out legitimately only when the customer's consent is obtained, or when the processing is required for legal claims, protecting certain rights, or important public interest.
  7. (7) Right to withdraw consent
    If the processing of the customer's personal information is based on consent, the customer has the right to withdraw the consent at any time. Please note that the above right is not absolute and does not apply in every situation. There are also legal exemptions that apply to some situations. In such case, the request may be refused. If a request is refused, the Company will inform the customer of reasons therefor when the Company responds. Records of requests made to the Company will be retained so that the Company may ensure that the Company complies with legal obligations.
  1. 1) Making a request or objection
    The customer may exercise the customer's rights free of charge (in the case of an unreasonable, excessive, or repeated request, the Company may charge a fee or refuse the request). The method set forth in Article 12 of Chapter 1 (Submission of request for Disclosure etc. and the contact information for inquiries) shall apply to the method for submitting the request under this Article.
  2. 2) Responding to a request
    The Company will, after receiving the request, verify and respond to the request. The Company may, as necessary, ask for identification or the proof of authority to submit a request (if the customer is making a request on behalf of a third party). If the request is particularly complex or the customer has made a number of requests, it may take longer to provide a detailed response. Please also bear in mind that there are exceptions to the right above and some situations where the customer is unable to exercise the right.
    If the customer is not satisfied with the Company's response to the customer's request or if the customer thinks the customer's personal information has been mishandled, then the customer has the right to complain to a supervisory authority. Please refer to Article 9 of this Chapter 2 (Lodging a complaint with an authority) for further details.
5. Data sharing necessary to provide products and services

The Company's products and services are provided in cooperation with other companies and organizations and may share personal information with these third parties in order to carry out business operations. These third parties include:

  1. (1) ANA Group member companies
  2. (2) Organizations with which the Company is legally required to share personal information
    Government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
  3. (3) Service Providers, Subcontractors handling ANA flights, airports, and airlines that form partnerships with the Company, various service providers, companies with whom the Company has a marketing partnership, etc.
    When the Company entrusts any service provider with processing data, the service provider processes the data pursuant to a contract that meets the requirements of applicable Data Protection Laws.
6. Marketing communications
The Company distributes marketing information from time to time to provide interested customers with news and details of products and services. The Company distributes the information only when the recipient has consented to receive marketing information or when the recipient is a customer who purchased any product or service from the Company and did not select opt-out from marketing though the customer had an opportunity to opt-out.
7. Where personal information is stored and transferred

The Company is located in Japan, and many of the service providers and other organizations with whom the Company shares customers' personal information are located in jurisdictions outside the EEA and the UK. Japan has been recognized by the European Commission as providing adequate protection for personal information.

When transferring personal information to third parties, the Company will comply with the requirements of Data Protection Laws, including the adequacy decision between Japan and EU and related Japanese laws and regulations. However, please note that in countries outside the EEA and the UK, customers' personal information is not necessarily protected by national laws. If the customer would like more information regarding where the customer's personal information is stored and transferred, please contact the contact information for inquiries set forth in Article 12 of Chapter 1 (Submission of request for Disclosure etc. and the contact information for inquiries).

8. Retention period for personal information

The Company shall retain personal information until the purposes of use are achieved. It has established specific retention periods for personal information as described below.
For other personal information, the Company determines an appropriate retention period according to the nature of the information and the purpose of the retention thereof taking into account legal and accounting requirements, business necessity, and other factors.

  1. (1) ANA Duty Free Shop duty-free item reservation site member information
    Until completion of procedures for cessation of use or deletion requested through the four methods described below for information provided when using the ANA Duty Free Shop duty-free item reservation site
  2. (2) Other personal information
    The period necessary for the purposes of use consented to by the customer
9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of their personal data with the data protection authority having jurisdiction over their residence. Please use the following URL to contact the authority having jurisdiction over your residence

http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

EEA residents: Please contact the customer's national supervisory authority,
details of which can be found on the website of European Date Protection Board (https://edpb.europa.eu/about-edpb/board/members_en).

UK residents: Please contact the Information Commissioner-edpb/boa(www.ico.org.uk)

10. The contact information of Controller of personal data and data protection officer

Controller of personal data:ANA Trading Duty Free Co., Ltd.
5F, ANA Narita Sky Center, Narita International Airport, Narita, Chiba Prefecture, Japan data protection officer:ml_notice_adf-pp@anadf.com

Chapter 3. Regarding the Handling of Personal Information of Customers Residing in China

In addition to Chapter 1, the provisions of Chapter 3 shall apply to regarding the handling of personal information of customers residing in the People's Republic of China (hereinafter “China”) pursuant to the China Personal Information Protection Law and related legislation (hereinafter "PIPL etc."). In the event that any provisions of this chapter contradict those of Chapter 1, the provisions of this chapter shall prevail.
1. Introduction
When a customer under the age of 18 uses the Company's services, the customer is required to obtain the guardian's consent or permission to the consent to such use. A customer who uses the Company's services or inputs data on behalf of the data subject shall apply for regarding the handling of personal information by the Company with the consent of the data subject (or a guardian if the data subject is a minor under the age of 14).
2. Collection of sensitive information
The Company may handle personal information qualifying as sensitive personal information under the PIPL etc., such as passport information, health information, payment information, and accommodations information, for the purposes of use. While leakage or unlawful use of sensitive personal information could be detrimental to the interests of customers (for example, by facilitating violations of personal dignity or endangerment of health, safety, or property), the Company will manage such information strictly and handle it in accordance with the law in order to prevent such threats.
3. Retention period for personal information

The Company will retains the customer's personal information until the purposes of use is achieved. In particular, Company sets the retention period for personal information as follows.

  1. (1) Membership information of the ANA DUTY FREE SHOP Duty Free Reservation Site
    For information provided when using the ANA Duty-Free Shop Duty-Free Reservation Site, until cessation of use or removal has been requested as described under 4 below and the related procedures are complete.
  2. (2) Other Personal Information
    Minimum period necessary for the agreed purposes of use
4. Technology and measure to protect customers’ personal information
(1) Company takes security measures to protect customers’ personal information from leakage, loss or damage. Specifically, Company takes the following measures to protect customers' personal information.
  • Company establishes and employs internal controls systems and operational rules on protection of personal information
  • Company manages personal information segregated by category
  • Company develops website with https and sets SSL encryption to secure important customers' data (credit card information, etc.) communication between the customers' web browser and the server.
  • Company uses encryption technology for protecting personal information.
  • Company sets reasonable access authorization and employs access control for protecting unauthorized person from accessing personal information.
  • In order to raise employee awareness of the importance of protecting personal information, Company provides education and training on security and privacy protection.
  • Company establishes an emergency response plan for incidents involving personal information and prepares for implementing it
(2) Company will take all reasonable and practicable steps to ensure that no irrelevant personal information is collected. Company will only retain customers’ personal information for the minimum period of time required to achieve the purposes stated in this Privacy Policy, unless an extension of the retention period is required or permitted by law.
(3) In the event of personal information being at risk, Company will promptly inform customers of the relevant circumstances of the incident in accordance with the requirements of the PIPL etc. and report the regulatory authorities.
5. Request regarding the handling of personal information

In addition to the provisions under Chapter 1 Article 11 (Requests for Disclosure and Inquiries), the Company will respond to requests concerning personal information in its possession for customers residing in the People's Republic of China as described below within the period and extent reasonable and in accordance with the PIPL etc. It will confirm the identity of the requester before responding to such a request.

  1. (1) Request for withdrawal of consent
    When a customer's personal information is handled based on the customer's consent, the customer has the right to revoke such consent. In accordance with the details of such a request, the items of personal information specified by the customer will be deleted within an appropriate and feasible extent.
    However, please note that deletion may prevent customers from being provided with services that they had utilized, or may impede the provision of services in accordance with their wishes.
  2. (2) Request concerning interpretation or explanation of the Privacy Policy
    The customer has the right to request interpretation or explanation of this Privacy Policy.
  3. (3) Methods for submission of requests
    Customers may submit requests to the following parties.
  1. 1) Please contact to the following.
    Contact email address:ml_notice_adf-pp@anadf.com
    To apply, download the Application for Disclosure, fill it out, and send the disclosure application form and necessary documents attached to an email.

  2. 2) Required documents

    1. ①Application forms
      Form requesting disclosure(PDF format / 200KB)
    2. ・Identification documents
    [For the individual]
    • ①Copies of two from the following: passport, health insurance certificate, basic resident registration card with photo, Chinese ID, or other official document
    [For a representative (Both①and②below are required)]
    • ①Letter of trust (legal representatives must provide a certifying document)
    • ②Documents to identify the representative (copies of two from the following: passport, health insurance certificate, basic resident registration card with photo, Chinese ID, or other official document)
  3. 3) Contact Us
    Japan +81-476-31-6510 (toll will apply)
6. Provision to third parties and transfers outside of China

The company will comply with the PIPL etc. when providing customers' personal information to third parties (including joint use and provision to subcontractors involving transfer outside of China).

The company may provide customers’ personal information to joint users of personal information or outside contractors to be processed by such third parties when using personal information jointly with or subcontracting operations to them, to implement the purposes of use specified above. Third parties to whom Company will disclose the personal information of the customers include those located outside China (including Japan), the customers shall be deemed as having consented to the following matters by consenting to the Privacy Policy:

  1. (1) In the case that the country which the third party is located outside China does not have the same data protection laws as China, many of the rights provided in China to the data subjects will not necessarily be provided.
  2. (2) The customers’ personal information may be provided for the purposes specified above to the subsidiaries and affiliates of ANA group companies or third parties outside China.
7. Change of purposes of use of personal data
In the case of a change to the purposes of use of personal information, Company will announce the revised Privacy Policy in advance on the Company website (https://www.anadf.com) and the Company will use personal information in accordance with the new purposes of personal information after obtaining consent from customers.
8. Basic information of Controller of personal information
ANA Trading Duty Free Co., Ltd.
5F, ANA Narita Sky Center, Narita International Airport, Narita, Chiba Prefecture, Japan

Chapter 4. Regarding the Handling of Personal Information of Customers Residing in California, USA.

In addition to Chapter 1, the provisions of Chapter 4 shall apply to regarding the handling of personal information of customers residing in California, United States of America pursuant to the California Consumer Privacy Act of 2018 (hereinafter the "CCPA"). In the event that any provisions of this chapter contradict those of Chapter 1, the provisions of this chapter shall prevail.
The terms used in Chapter 4 are based on the definitions provided in the CCPA. In particular, the term "Sale" means the Company's selling, lending, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a customer's personal information to another business operator or a third party in exchange for monetary or other valuable consideration.
The term "Share" means sharing, loaning, publicly announcing, disclosing, disseminating, placing in a situation in which it can be used, transferring, or transmitting by oral, written, electronic, or other means a customer's personal information to a third party for the purpose of cross-context behavioral targeted advertising, irrespective of whether or not it is in exchange for money or other valuable consideration.
However, if the Company concludes an appropriate agreement with another business operator or a third party concerning regarding the handling of personal information, activities mentioned above are not regarded as "Sale" under the CCPA.
1. Acquisition and use of personal information
Personal information likely to be collected in the future or collected in the preceding 12 months by the Company is as defined below. The Company will acquire such personal information directly from customers for purposes as provided in Article 3 (Purposes of use of personal information) of Chapter 1.
Category of personal information to be collected Example of personal information
Identifiers
(Name, symbol, etc. used to uniquely identify a particular subject)		 The customer's name, address, telephone number, fax number, mailing address, email address, passport information, ANA Mileage Club membership number, etc.
Additional data subject to the California Customer Records Statute
(All categories of personal information set forth in Cal.Civ.Code Sec.1798.80(e))		 The customer's physical and medical information related to boarding, credit card number, payment information including details of credit/debit card and other payment methods, etc.
Characteristics of classifications protected under California or federal law The customer's dietary restrictions, etc.
Commercial information The type of customer's ANA Mileage Club membership card, membership service status, membership area, mileage status, credit card expiration date, usage history of the credit card and related information, need for a wheelchair or other special arrangements, flight reservation and cancellation information, usage history of flights and services, details of travel plans and arrangements including flights with ANA and other airlines, accommodations, and other transportation arrangements, information contained in correspondence with customers, contents of inquiries, requests and opinions, etc.
Information on activities through the Internet or other electronic networks Information on how the customer used the Company's website and mobile application, including cookies, advertising identifiers (IDFA, GAID), location information, terminal-specific ID, information about the OS and browser type,and action logs on the website.
Information on occupation or employment The customer's employment information (company name, department/section the customer belongs to, title, address, telephone number, fax number), etc.
Sensitive personal information Passport information, the customer's physical and medical information related to boarding, the customer's dietary restrictions, whether or not arrangements for a wheelchair are necessary, location information, and other information.
2. Disclosure of personal information
  1. (1) Sale of personal information
    The Company will not sell customers' personal information (including personal information concerning minors) to third parties, and has not sold such personal information in the past 12 months.
  2. (2) Sharing of personal information
    The personal information that has a possibility of being shared with third companies by the Company in the future, the types of customers' personal information shared with third parties in the past 12 months, and the types of third parties to which personal information was shared are as stated in the table below. The Company will share such personal information for the purpose of conducting marketing activities (including personalized advertising), including the provision of information about various events and campaigns. The Company will not share with third parties any personal information about a person who it recognizes as a minor.
Types of personal information that has been shared Examples of personal information Types of third parties with which personal information was shared in the past 12 months
Information about Internet or other electronic network activities Information about how the customer used the Company's website, including cookies, advertising identifiers (IDFA, GAID), location information, terminal-specific ID, information about the OS and browser type,and action logs on the website. Ad network
  1. (3) Disclosure of personal information for business purposes
    The categories of customers' personal information that the Company has disclosed in the past 12 months for business purposes and the categories of third parties to which such personal information has been disclosed are as follows.
Category of personal information to be collected Example of personal information Third party to which personal information has been disclosed in the past 12 months
Identifiers
(Name, symbol, etc. used to uniquely identify a particular subject)		 The customer's name, address, telephone number, fax number, mailing address, email address, passport information, ANA Mileage Club membership number, etc. ANA Group member companies, subcontractors handling ANA flights, airports, and airlines that form partnerships with the Company, various service providers, companies with whom the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
Additional data subject to the California Customer Records Statute
(All categories of personal information set forth in Cal.Civ.Code Sec.1798.80(e))		 The customer's physical and medical information related to boarding, credit card number, payment information including details of credit/debit card and other payment methods, etc. ANA Group member companies, subcontractors handling ANA flights, airports, and airlines that form partnerships with the Company, various service providers, companies with whom the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
Characteristics of classifications protected under California or federal law The customer's dietary restrictions, etc. ANA Group companies and subcontractors handling ANA flights
Commercial information The type of the customer's ANA Mileage Club membership card, membership service status, membership area, mileage status, credit card expiration date, usage history of the credit card and related information, need for a wheelchair or other special arrangements, flight reservation and cancellation information, usage history of flights and services, details of travel plans and arrangements including flights with ANA and other airlines, accommodations, and other transportation arrangements, information contained in correspondence with customers, contents of inquiries, requests and opinions, etc. ANA Group member companies, subcontractors handling ANA flights, airports and airlines that form partnerships with the Company, various service providers, companies with whom the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
Information on activities through the Internet or other electronic networks Information on how the customer used the Company's website and mobile application, including cookies, advertising identifiers (IDFA, GAID), location information, terminal-specific ID, information about the OS and browser type, and action logs on the website. ANA Group member companies, various service providers, companies with whom the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
Information on occupation or employment The customer's employment information (company name, department/section the customer belongs to, title, address, telephone number, fax number), etc. ANA Group member companies, various service providers, companies with whom the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, etc.
Sensitive personal information Passport information, the customer's physical and medical information related to boarding, the customer's dietary restrictions, whether or not arrangements for a wheelchair are necessary, location information, and other information. ANA Group member companies, consigned companies that handle ANA flights, affiliated airports and airlines, various service providers, companies with which the Company has a marketing partnership, government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, third-party organizations, and other entities.
3. Sensitive personal information

The Company will not use nor disclose customers' sensitive personal information for purposes other than certain purposes that are permitted under the CCPA. The Company also will not acquire or process customers' sensitive personal information for the purpose of inferring customers' characteristics.

4. About retention of personal information

The Company will retain customers' personal information until the purposes of use are accomplished and, in particular, a period for retention of personal information has been stipulated as stated below. For other personal information, we consider its necessity for laws, regulations, accounting requirements, and the Company's work and then decide the retention period in accordance with the information's nature and the purpose of retention.

  1. (1) ANA Mileage Club members' personal information
    Until withdrawal from the ANA Mileage Club
  2. (2) Passengers' personal information
    Until the transportation and related work stipulated in the Domestic Conditions of Carriage and the International Conditions of Carriage are completed
  3. (3) Other personal information
    The period that is necessary for the purposes of use to which the relevant person agreed
5.Request regarding the handling of personal

Customer residing in California have the following rights concerning their own personal information

  1. (1) Right to request disclosure
    Customers have the right to make a request of the Company for the disclosure of the following information regarding their personal information acquired, used, and disclosed by the Company within 12 months before the date of the request (hereinafter "Right to Request Disclosure") up to twice in 12 months.
    • The category of the customer's personal information collected by the Company
    • The source of the acquisition of such personal information
    • Business or commercial purposes for the acquisition of such personal information
    • The category of a third party with which such personal information has been shared
    • The customer's specific personal information acquired by the Company
    • The category of the customer's personal information disclosed by the Company for a business purpose
    • The category of third parties to which each category of such personal information has been disclosed
  1. (2) Right to request deletion
    Customers have the right to make a request of the Company for the deletion of certain personal information acquired from customers by the Company (hereinafter "Right to Request Deletion").
  2. (3) Right to request correction
    Customers have the right to make a request for the correction of inaccurate personal information that the Company retains (hereinafter "Right to Request Correction").
  3. (4) Right to opt out of sharing
    Customers have the right to make a request for the cessation of the Company sharing the relevant customer's personal information with third parties (hereinafter "Right to Opt Out of Sharing").
  4. Of the rights stated above, if you will exercise the Right to Request Disclosure, the Right to Request Deletion, or the Right to Request Correction, please contact the Company through the following contact information. The Company will handle requests from customers within the time frame and scope provided in the relevant laws and regulations. Before accepting a request from a customer, the Company will verify the identification of the customer as stated below.
  1. 1) Methods for submission of requests
    Contact email address:ml_notice_adf-pp@anadf.com
    Contact us at the number below.
    Japan +81-476-31-6510 (toll will apply)
  2. 2) Procedures for confirmation of identity
  3. [For the individual]
    • After receiving a request from a customer to exercise the Right to Request Disclosure, the Right to Request Deletion, or the Right to Request Correction, we first will request the submission of information sufficient to confirm the identity of the customer, such as the customer's name and email address, and then will confirm customer identity through comparison of such information provided by the customer with information already ascertained by us.
    [For a representative]
    • In addition to confirmation of customer identity as described under [For the Individual], a letter of attorney must be submitted. We also may contact the customer directly to confirm that the customer has delegated to the representative the authority to exercise the Right to Request Disclosure, the Right to Request Deletion, or the Right to Request Correction.
  4. Of the aforementioned rights, if you will exercise the Right to Opt Out of Sharing, please contact the Company through the contact information stated above. The Company will handle your request within the period and scope in accordance with related laws and regulations.
  5. In principle, the Company will not treat customers who have submitted such requests in a discriminatory manner, such as changing the content of services. However, please note that deleting personal information may prevent customers from being provided with services that have been available to customers or may impede the provision of services that meet customer needs.

Chapter 5. Regarding the Handling of Personal Information of Customers Located in Thailand

1. Introduction

Chapter 5 explains the collection, use, or disclosure (hereinafter collectively "handling" in this chapter) of the personal information of customers located in the Kingdom of Thailand pursuant to Personal Data Protection Act of Thailand B.E. 2562 (2019) (hereinafter the "PDPA").

Under the laws and regulations of Thailand, if consent is required for the handling of personal information related to the use of the Company's services of customers who are minors, quasi-incompetents, or incompetents, and are incapable of giving consent lawfully by themselves, consent or permission of the holder of parental responsibility, curator, or custodian (depending on the situation) must be obtained, in addition to the consent of the data subject. Where the customer is a minor under the age of ten, only consent or permission of the holder of parental responsibility is required.

If the Company is not aware that a customer is a minor, quasi-incompetent, or incompetent before the collection of the customer's personal information, upon knowing that we have collected personal information of the minor without the consent of the holder of parental responsibility (only when the consent is required and the minor cannot lawfully give consent), or of a quasi-incompetent or incompetent without the consent of such person's curator or custodian, the Company will delete the personal information as soon as practicable unless the Company can rely on other legal grounds other than the consent for such processing.

A customer who uses the Company's services or inputs data on behalf of the data subject, such as any family member of the customer or a representative who is capable of acting on behalf of the data subject, shall apply for the handling of personal information by the Company with the consent of the data subject.

In the event that any provisions of Chapter 5 contradict those of Chapter 1, the provisions of Chapter 5 shall prevail.

2. Controller of personal information
The controller of customers' personal information shall be the Company. The Company protects personal information that is collected and used by controllers (who make decisions on the method and purpose of the handling of customers' personal information) and processors (who act based on the controller's written instruction) pursuant to the PDPA.
3. Legal grounds for handling personal information

"The Company protects customers personal information by handling such information only to the extent necessary for specific purposes (as set forth in Article 3 (Purposes of use of personal information) of Chapter 1) pursuant to the PDPA.The Company handles customers' personal information based on any of the following legal grounds. "

  1. (1) When a customer consents to handling (Article 19 of the PDPA)
    Consent will usually only be applied for promotional and marketing related handling, or in some cases, for handling in relation to sensitive personal information.
  2. (2) When handling is necessary in order to perform or take steps to enter into a contract (Article 24(3) of the PDPA)
    This becomes grounds for handling customers' information that is essential to providing services by the Company, including information on customer's identity, contact, payment, and travel.
  3. (3) When the Company needs to handle the information to comply with legal obligations (Article 24(6) of the PDPA)
    This includes sharing personal information with customs, immigration authorities, law enforcement, and legal obligations towards customers and the Company’s employees.
  4. (4) When the information is required to protect the lives of customers or third parties (Article 24(2) of the PDPA), for example, in the event of a medical emergency.
  5. (5) When the handling of personal information is necessary for the legitimate interests of the Company or third parties and these interests are not overridden by the fundamental rights of customers of their personal information under laws and regulations (Article 24(5) of the PDPA).
    This includes, to the extent permitted pursuant to the PDPA, the use of personal information necessary to operate the Company's business and to maintain, develop, and improve the Company's products and services and provide the best possible customer experience.
4. Request regarding the handling of personal information
  1. (1) The PDPA allows customers to have the following legal rights.
  1. A) Request for disclosure
    A customer may request copies of the customer's personal information held by the Company and details of how the Company shall handle it.
  2. B) Request for correction and updating
    The Company will correct or update the customer's personal information wherever possible after due review of the request.
  3. C) Request for deletion
    The customer may request that the Company delete, destroy, or make unidentifiable the whole or part of the customer's personal information held by the Company. The Company will consider the request and delete the information where the information is no longer required or where the law does not permit the Company to continue to retain it.
  4. D) Transferring personal information
    A customer may request a copy of the customer's personal information in a structured, common, machine-readable format. The transfer of personal information only applies to personal information that the Company obtains from the customer and handles on the basis of the customer's consent or in order to perform a contract and that is handled by automated means
  5. E) Objection to handling
    A customer may object to handling aiming for the legitimate interests of the Company or a third party or for direct marketing. The Company will cease handling the customer's information unless the Company can demonstrate compelling legitimate grounds for such handling that override the customer's interests. The Company will cease the handling if the customer's objection is to direct marketing.
  6. F) Restrictions on the method for using personal information
    A customer may restrict the use of the customer's personal information by the Company under certain circumstances. Where this applies, any handling of the customer's personal information (other than retaining it) is carried out legitimately only when the customer's consent is obtained or when the handling is required for legal claims, protecting certain rights, or important public interest.
  7. G) Right to withdraw consent
    If the handling of a customer's personal information is based on consent, the customer has the right to withdraw the consent at any time. However, such withdrawal of the consent shall not retroactively affect the handling of the customer's personal information that the customer has already given consent legally before such withdrawal.
    Please note that the above right is not absolute and does not apply in every situation. There are also legal exemptions that apply to some situations. In such case, the request may be refused. If a request is refused, the Company will inform the customer of reasons therefor when the Company responds. Records of requests made to the Company will be retained so that the Company may ensure that the Company complies with legal obligations.
  1. (2) Method for the submission of requests
    The customer may exercise the customer’s rights free of charge (excluding the case where charging expenses to a customer is permitted by the PDPA). The method for the submission of requests and contact information for inquiries are as follows.
    Contact email address:ml_notice_adf-pp@anadf.com
  2. (3) Responding to a request
    The Company will, after receiving the request from a customer, respond to the request normally within one month. The Company may, as necessary, ask for identification or the proof of authority to submit a request (if the customer is making a request on behalf of a third party). If the request is particularly complex or the customer has made a number of requests, it may take longer to provide a detailed response. Please also bear in mind that there are exceptions to the right above and some situations where the customer is unable to exercise the right.
    If the customer is not satisfied with the Company’s response to the customer’s request or if the customer thinks the customer’s personal information has been mishandled, then the customer has the right to complain to the Personal Data Protection Committee of Thailand. Please refer to Article 9 of Chapter 5 (Lodging a complaint with a supervisory authority) for further details.
5. Data sharing necessary to provide products and services

The Company’s products and services are provided in cooperation with other companies and organizations and may share personal information with these third parties in order to carry out business operations. These third parties include:

  1. (1) ANA Group member companies
  2. (2) Organizations with which the Company is required to share personal information:
    Government organizations, regulatory and law enforcement authorities, courts, customs, immigration authorities, and third-party organizations.
  3. (3) Service providers, Subcontractors handling ANA flights, airports, and airlines that form partnerships with the Company, various service providers, and companies with whom the Company has a marketing partnership.
    When the Company entrusts any service provider with handling data, the service provider handles the data pursuant to a contract that meets the requirements of the PDPA.
6. Marketing communications
The Company distributes marketing information from time to time to provide interested customers with news and details of products and services. The Company distributes the information only when the recipient has consented to receive marketing information.
7. Where personal information is stored and transferred

The Company is located in Japan, and many of the service providers and other organizations with whom the Company shares customers' personal information are located in jurisdictions outside Thailand. When transferring personal information to third parties, the Company will comply with relevant Japanese laws and regulations and the requirements of the PDPA.

However, please note that in countries outside Thailand, customers' personal information is not necessarily protected by national laws with the same level of protection as in Thailand. If the customer would like more information regarding where the customer's personal information is stored and transferred, please contact the contact information for inquiries set forth in Article 12 of Chapter 1 (Submission of request for Disclosure and the contact information for inquiries).

8. Retention period of personal information

The Company retains personal information until the purposes of use are achieved and has established specific retention periods for personal information as described below.
For other personal information, the Company determines an appropriate retention period according to the nature of the information and the purpose of the retention thereof taking into account legal and accounting requirements, business necessity, and other factors.

  1. (1) Personal information of ANA Mileage Club members
    Until withdrawal from ANA Mileage Club
  2. (2) Other personal information: The period necessary for the purposes of use consented to by the customer
    However, please note that the Company may retain customers' personal information beyond the above retention period for the purposes of the exercise of legal claims, the defense of legal claims, and compliance with laws and regulations.
9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of personal information related to the customers with the Personal Data Protection Committee of Thailand.

10. The contact information of Controller of personal data and data protection officer

Controller of personal data:ANA Trading Duty Free Co., Ltd.
5F, ANA Narita Sky Center, Narita International Airport, Narita, Chiba Prefecture, Japan data protection officer:ml_notice_adf-pp@anadf.com

Revised: March 31 2024