Controller and EU representative
The data controller for personal data processed through this website, within the meaning of EU GDPR Art. 4(7), is Hokuyo Automatic Co., Ltd. (Japan). See the Imprint for the registered company details.
For individuals in the European Economic Area, the controller has designated the following representative under Art. 27 GDPR:
- Hokuyo Automatic Co., Ltd., Amsterdam Branch (Netherlands)
- Address and contact details are listed in the Imprint.
You can reach us about any privacy matter at kristou@hokuyo-aut.jp.
What we process and why
This section lists every category of personal data the website processes, the purpose, and the lawful basis under Art. 6(1) GDPR.
- Public site visits. A server-side daily aggregate counter records which routes are loaded. No IP address, user-agent string, or visitor identifier is stored with the counter. Purpose: understanding which pages are useful. Basis: Art. 6(1)(f), legitimate interest in operating and improving the website.
- Downloads. An aggregate counter records that a given installer artifact, platform, and channel was downloaded on a given day. No user identifier is stored. Purpose: distribution metrics. Basis: Art. 6(1)(f), legitimate interest.
- Update checks from the desktop app. The desktop app contacts an update endpoint and sends a User-Agent header that the server parses for architecture and app version. The raw User-Agent is not stored. A daily aggregate counter records the parsed values only. Purpose: serving the correct installer to the correct platform. Basis: Art. 6(1)(b), performance of the implicit update agreement with the user of the software, supported by Art. 6(1)(f).
- Admin authentication. Authorized maintainers receive an HttpOnly session cookie after signing in. The session is bound to a user record with email, password hash, and (optionally) a TOTP secret. Purpose: protecting maintenance tools. Basis: Art. 6(1)(f), legitimate interest in securing the service.
- Contact emails. If you write to us, the email address and message content are processed to respond to you. Purpose: support, sales, privacy, and security correspondence. Basis: Art. 6(1)(b) where you are entering into or under a contract, or Art. 6(1)(f) legitimate interest in answering inquiries.
The website does not run any third-party advertising, marketing, or behavioural analytics. There is no profiling and no automated decision-making within the meaning of Art. 22 GDPR.
Email notify subscriptions
If you submit the notify-me form on the /download page, we store the following so we can email you once the platform you asked about ships:
- your email address (lower-cased)
- the platform you selected
- the timestamp at which you ticked the consent box
- a one-way hash of your IP address (rotated daily) and User-Agent for abuse attribution
Lawful basis: your explicit consent, recorded with the timestamp above (GDPR Art. 6(1)(a)).
Retention: your address is deleted within 30 days of the notification email, or on your request, or 24 months after consent if the platform you asked about has still not shipped, whichever comes first.
Deletion: send an email to kristou@hokuyo-aut.jp with the address you signed up with. A self-service unsubscribe link will be added in a future release; until then, deletion is manual.
Sharing: your address is not shared with third parties. It is stored in the same database as the rest of the site, on the same server.
Retention
- Aggregate analytics counters: up to 24 months from the recorded day.
- Admin session cookie: until you sign out or up to seven days, whichever is sooner.
- Contact emails: up to 24 months after the correspondence is closed.
- Reverse-proxy access logs: 14 days, then deleted.
- Database backups: encrypted, retained for TBD: backup retention period.
Recipients and sub-processors
The website is self-hosted at a Hokuyo office in Germany. There is no third-party hosting provider, no CRM, no marketing platform, and no advertising network involved in processing the data described above. Outgoing email uses Hokuyo corporate mail infrastructure. Personal data is not sold and is not shared for advertising purposes.
Information may be disclosed when required by law, to defend the operator's legal rights, or to investigate a suspected security incident.
International transfers
The primary data location is the European Economic Area: the website and its database are operated from a Hokuyo office in Germany.
The site operator's headquarters is in Japan and administrative access to the German systems may take place from Japan. Such transfers are permitted under Commission Implementing Decision (EU) 2019/419 of 23 January 2019 on the adequate protection of personal data by Japan, which establishes an adequate level of protection for personal data transferred from the EU to Japan.
Your rights
Under the EU GDPR you have the following rights with respect to personal data we hold about you: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection to processing based on legitimate interest (Art. 21). Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Because the public website analytics are aggregate-only, many requests will resolve quickly with the answer that we do not hold individual-level data about your visits. For the data we do hold (contact emails, admin accounts), email kristou@hokuyo-aut.jp. We will respond without undue delay and in any case within 30 days of receiving a request, as required by Art. 12(3) GDPR.
Supervisory authority
You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The site is hosted in Germany, so a competent authority is the Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA); please use the authority of the German state where the office is located if different. Lodging a complaint with the authority does not affect any other legal remedy.
Breach notification
If a personal data breach occurs and is likely to result in a high risk to the rights and freedoms of affected individuals, the operator will notify those individuals without undue delay, as required by Art. 34 GDPR. Notifiable breaches to the supervisory authority are reported within 72 hours per Art. 33 GDPR.
Changes
When this notice changes, the date at the top of the page is updated and a short summary of material changes is added to the changelog.
Contact
For privacy questions or requests, email kristou@hokuyo-aut.jp. The EU representative is named in the Imprint.