Privacy Policy
Effective Date: 04 November 2025 (JST)
Controller: Nomad G.K. (ノマド合同会社), Japan
1. Scope
This policy explains how we collect, use, share, and protect information when you use the Nomad JP App worldwide.
2. What We Collect
Device & App Info: device model/OS, app version, language, IP-derived coarse region, identifiers (e.g., advertising ID where available), performance metrics.
Usage “Breadcrumbs” (service-essential): anonymised (or pseudonymous) event sequences, e.g., screens viewed and tile/banner interactions that are strictly necessary to operate the App, including counting views and interactions for places, events, and curated banners. These events do not include precise location or information that directly identifies you and are not used for personalised advertising.
Diagnostics: crash reports, stack traces, error logs, and performance data.
Location: on-device processing of your precise location to provide nearby search and map features. We do not store or cache your precise location on our servers.
User Content/Account Data (if applicable): lists, itineraries, favourites, recently viewed items, preferences, basic profile data (e.g., display name, email if accounts are offered).
User History (Recent Items & Personalisation): a per-user, server-side list of up to 100 recently viewed items (item ID, item type, view timestamp only). Entries rotate on a FIFO basis. Used for Recent Items and personalised in-app recommendations. Not shared with third parties and not used for personalised advertising.
Advertising Data: ad impressions/clicks, coarse location, device/advertising identifiers, subject to your device/OS settings and regional consent.
Third-party embeds: when you use features like embedded YouTube videos, the third party may receive technical and interaction data (e.g., IP address, device/OS, language, video requests, playback events, and, where enabled, cookies or local storage) according to its own policies.
We do not knowingly collect sensitive categories of personal data.
3. How We Use Data (Purposes & Legal Bases)
Provide and improve the App (service-essential analytics): operating core features (e.g., counting anonymised views/interactions for places, events, and curated banners), ensuring relevance/quality, troubleshooting, and service planning - contract / legitimate interests. Note: We analyse aggregated/anonymised breadcrumbs and do not use them for personalised advertising.
Personalised recommendations (service-essential): operating content discovery and ranking based on User History (up to 100 recent items; FIFO) — contract / legitimate interests. Not used for personalised advertising.
Diagnostics & security (bug fixing, fraud prevention) - legitimate interests.
Advertising & measurement (non-essential): ad delivery and non-essential measurement (e.g., frequency capping, reporting beyond what is necessary to run the service) - consent where required by law; otherwise legitimate interests.
Communications (service messages; optional updates) - contract / legitimate interests / consent (where required).
Compliance (legal obligations, enforcement of Terms) - legal obligation / legitimate interests.
Where consent is required (e.g., in the EEA/UK for personalised ads/analytics under local law), we will request it via in-app prompts and honour your choices.
Data minimisation. We configure our systems and SDKs to collect and retain only what is necessary for the purposes above.
4. Location Handling
Precise location is accessed only on-device for features like nearby search and maps. We do not store precise location on our servers. Map providers may receive limited data when rendering tiles or computing routes per their policies.
5. Sharing & Recipients
User History. Stored only on our servers and not shared with any third parties (including advertising or analytics partners).
Processors/Service Providers. We use third-party providers to operate and improve the App:
Google Maps Platform (maps, geocoding, tiles, and related features).
Typical data: IP address, device/OS info, app version, language/locale, requests needed to render maps or compute routes, and (when you interact with maps/features) coordinates or coarse location. Processed under Google’s terms/policies.Google AdMob / Google Ad Manager (ad delivery, measurement, frequency capping, fraud prevention).
Typical data: device/advertising identifiers, IP address, coarse location, ad impressions/clicks, and limited technical data. Depending on your region and choices, Google may act as an independent controller for ad personalisation and measurement. Personalised ads are shown only where permitted by law and your consent.YouTube (Google LLC) (embedded web player for video content).
Typical data: IP address, device/OS info, language/locale, video and thumbnail requests, playback events, and (where enabled by YouTube) cookies or local storage. If you are signed in to YouTube/Google, playback may be personalised under YouTube/Google’s terms and privacy policies. Where feasible, we use privacy-enhanced modes (e.g.,youtube-nocookie.com) and limit loading until user interaction.New Relic (diagnostics and performance monitoring).
Typical data: crash reports, stack traces, performance metrics, timestamps, device model/OS, app version, and pseudonymous identifiers. Used to detect, investigate, and resolve stability/performance issues. New Relic acts as our processor. For service-essential analytics, we may forward anonymised/pseudonymous usage events (e.g., tile/banner interactions, view counts) to New Relic as our processor for diagnostics/analytics strictly necessary to operate the App. These events are not shared with ad partners for targeting.
Legal/Compliance. We may disclose information to comply with law, protect rights and safety, or respond to lawful requests.
Business Transfers. We may transfer information in connection with a merger, acquisition, or reorganisation, subject to this Policy.
No sale of personal information. We do not sell personal information for money. Where permitted, we may “share” identifiers with ad partners for targeted advertising; you may decline consent or opt out where required by law. In the EEA/UK, we rely on consent for personalised ads. You can change your choices at any time in Profile → Privacy or via OS settings (e.g., iOS App Tracking Transparency (ATT), resetting the advertising ID, or limiting ad tracking).
Roles. We act as a controller for the App. Our service providers generally act as processors on our instructions; certain partners (e.g., Google for personalised ads/measurement) may also act as independent controllers for their limited purposes.
6. International Transfers
We are based in Japan and may transfer data to other countries where strictly necessary. When transferring personal data internationally, we use appropriate safeguards (e.g., secure transfer protocols, contractual clauses or other mechanisms permitted by applicable laws). For APPI, we provide information about foreign data protection systems and implement necessary measures; where required, we obtain consent.
7. Retention
User History: retained as a rolling list of up to 100 items per user with FIFO rotation. When you clear your history in the app or delete your account, the associated entries are deleted (subject to backup/DR cycles described in this Policy).
Diagnostics/analytics: typically 13 months (or the shortest period needed).
Account/profile and user-generated content: retained while your account is active and for up to 24 months after inactivity, unless required longer by law.
Advertising logs: per partner requirements and law (commonly 13 months).
We delete or anonymise data after retention periods. Note: third-party partners (e.g., Google, New Relic) may retain certain logs in accordance with their own retention policies and legal obligations.
8. Security
We use administrative, technical, and organisational measures appropriate to the risk. No method of transmission or storage is 100% secure. We also apply configuration settings intended to limit SDK data collection and access to the minimum necessary.
9. Your Rights
You can clear Recent Items at any time in the app (History Menu → Clear history).
Your rights depend on where you live and include, where applicable:
APPI (Japan): rights to request disclosure, correction, addition/deletion, suspension of use/provision of retained personal data; to withdraw consent (where relied upon); and to complain to authorities.
GDPR/UK GDPR (EEA/UK): rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent; to lodge a complaint with a supervisory authority. We use User History for service-essential personalisation under contract/legitimate interests. You have the right to object to processing based on legitimate interests; if you do so, certain personalised features may be unavailable or degraded.
CCPA/CPRA (California): rights to know/access, delete, correct, opt out of “sharing” for cross-context behavioural advertising, and non-discrimination.
We will verify your identity before responding. To exercise rights, contact us (see Section 13). Device/OS controls: you can also manage platform settings such as iOS ATT prompts, resetting IDFA/AAID, or limiting ad tracking.
10. Account Deletion & Data Erasure
You may delete your account and associated personal data (e.g., history, preferences, profile name, email) at any time:
In-app: Profile → Privacy → Delete account (irreversible).
Website request: submit a deletion request via our site; we will verify your identity and action the request within 30 days (or notify you if an extension is required by law).
When an account is deleted, we delete or anonymise personal data linked to your account. We may retain limited records where we have a legal obligation or compelling legitimate interest (e.g., security, fraud prevention, tax/audit). Such records are access-restricted and retained only for the required period.
We also instruct our processors (e.g., hosting, diagnostics) to delete or de-identify relevant data pursuant to our agreements. Note that ad partners primarily rely on device/advertising identifiers; you can also manage these via OS settings (e.g., reset IDFA/AAID, limit ad tracking).
Location note: We do not store your precise location on our servers, so there are no precise-location server logs to erase.
Backups/DR: Residual encrypted copies may persist for a limited time consistent with our backup schedule and will be purged in the ordinary course of those cycles.
11. Children
The App is not directed to children under 13 (or the age required by local law). If we learn we collected personal data from a child, the user account will be suspended and all associated data deleted.
12. Changes
We may update this Policy. The “Effective Date” shows the latest version. Significant changes will be notified in the App.
13. Contact
Controller: Nomad G.K. (ノマド合同会社)
Registered office: 3rd Floor, Shinjuku Dai-7 Hayama Building, 1-36-2 Shinjuku, Shinjuku-ku, Tokyo, 〒160-0022
Email (data protection & privacy requests): privacy@nomadjp.com
Email (general inquiries): support@nomadjp.com
14. Region-Specific Notices
Japan (APPI): We handle retained personal data per the Act on the Protection of Personal Information. We will disclose information about foreign recipients and measures upon request and obtain consent where required. We include personalisation using User History in our utilisation purposes.
EEA/UK: We rely on contract/legitimate interests for service-essential analytics (e.g., view/interaction counts required to run and improve core features). Consent is used for non-essential analytics and personalised ads; you can change choices in Profile → Privacy or via OS settings. Service-essential personalisation based on User History relies on contract/legitimate interests; consent still applies to non-essential analytics and personalised ads. You may object to legitimate-interest processing; if you do, personalised features may be limited.
US (California): Service-essential analytics are categorised as analytics and are not a “sale.” We do not use these breadcrumbs for cross-context behavioural advertising. Where required by law, we honour Global Privacy Control (GPC) signals for opt-outs related to targeted advertising. Using User History for first-party personalisation is categorised as analytics/personalisation, not a “sale” or “sharing” for cross-context behavioural advertising.