Privacy Policy
Effective date: 2026-08-01
This policy explains how NEOTALENT K.K. ("FocusUp", "we") processes personal data in connection with the FocusUp service. For member data tracked on behalf of a customer organization, the organization is the data controller and FocusUp acts as a processor under its instructions; a Data Processing Addendum (DPA) is available.
1. Data we process
- Account data — name, email address, hashed password, language, role, organization.
- Tracking data (only during sessions the member starts, per the organization's settings) — session times, keyboard/mouse activity intensity as aggregate counts only (number of keystrokes, clicks, cursor movement and scrolls — never which keys are pressed or any keystroke contents), light system load (CPU and memory utilization), foreground application names, URLs (full or domain-only), idle periods, and optional periodic screenshots (full or pixelated). Consent is recorded before the first session.
- Derived data — AI-generated session analyses, focus and productivity scores, daily reports and team digests.
- Billing data — subscription status and invoices processed by Stripe (we do not store card numbers).
- Usage data — logs, device and browser metadata, and product analytics (where enabled) for security and improvement. First-touch campaign parameters (UTM) may be stored at signup.
2. Purposes and legal bases
- Providing the service (contract performance).
- Workforce measurement configured by the customer organization (the organization's legitimate interests / legal basis, supported by recorded member consent and transparency-by-design: no stealth mode, member data parity).
- Security, fraud prevention and abuse detection (legitimate interests).
- Billing and tax compliance (legal obligation).
- Product onboarding and marketing emails to administrators (consent / legitimate interests; every non-transactional email contains an unsubscribe link).
3. AI processing
Sampled screenshots and activity logs are processed by large-language-model providers (currently OpenAI) to produce analyses and reports. Providers are bound by data processing terms that prohibit training on our customers' data. AI outputs may be inaccurate and must not be the sole basis of employment decisions.
4. Sharing
We share data only with subprocessors needed to run the service: Amazon Web Services (hosting, storage, email — Tokyo region), OpenAI (AI analysis), Stripe (payments), and, where the organization configures it, Slack/Microsoft (digest delivery). We do not sell personal data.
5. International transfers
Data is hosted in Japan (AWS ap-northeast-1). Where data is transferred across borders (e.g. AI providers in the US), we rely on appropriate safeguards such as standard contractual clauses.
6. Retention and deletion
- Tracking data and screenshots are deleted automatically per the organization's retention window (7–365 days; 90 days maximum in EU compliance mode).
- Organization deletion permanently removes all organization data including screenshots. Members can request deletion of their account data via their administrator; individuals can also contact us directly.
- Backups are retained for up to 30 days.
7. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, APPI, CCPA and similar), you may have rights of access, rectification, erasure, restriction, portability and objection. Members can export their own data as JSON from the app at any time (data parity is built in). To exercise rights, contact your organization's administrator or privacy@neotalent.net.
8. Security
Data is encrypted in transit (TLS) and at rest, access is role-scoped (members see themselves; managers see their teams), passwords are hashed with bcrypt, and screenshots are stored in private object storage accessed via short-lived signed URLs.
9. Contact
NEOTALENT K.K. — privacy@neotalent.net. EU/UK representatives will be appointed prior to EU market entry; details will be published here.