Last updated: February 25, 2026
This Privacy Policy ("Policy") describes how AirTA合同会社 (AirTA G.K.), a company organized under the laws of Japan ("Company," "we," "us," or "our"), collects, uses, stores, discloses, and protects your personal information when you access or use the LiquiChart platform, website, embeddable content, and related services (collectively, the "Service").
AirTA合同会社 is the data controller responsible for your personal information. We are committed to protecting your privacy in accordance with the Act on the Protection of Personal Information of Japan ("APPI"), the General Data Protection Regulation ("GDPR") for residents of the European Economic Area ("EEA"), the California Consumer Privacy Act ("CCPA") for California residents, and other applicable privacy laws.
By using the Service, you acknowledge that you have read and understood this Policy. This Policy should be read in conjunction with our Terms of Service.
2.1 Account Registration Data
When you create an account, we collect:
Email address (required) — used for authentication, account recovery, and service communications
Password — stored only as an irreversible cryptographic hash (bcrypt); we never store or have access to your plaintext password
Display name (optional) — if you choose to provide one
Multi-factor authentication data (optional) — if you enable MFA, we store an encrypted MFA secret and hashed backup codes
Signup metadata — referral source or campaign attribution data collected at the time of registration
2.2 Workspace and Billing Data
When you create a workspace or subscribe to a paid plan, we collect:
Workspace information — workspace name, URL slug, domain, description, and logo
Billing information — processed and stored by Stripe, Inc. ("Stripe"), our third-party payment processor. We store only a Stripe customer identifier, subscription identifier, plan tier, subscription status, and billing period dates. We do not store credit card numbers, bank account details, or other payment instrument data on our servers.
Style and branding preferences — custom chart colors, branding settings, and display preferences
2.3 Poll Vote Data
When visitors interact with polls (including embedded polls on third-party websites), we collect:
Vote responses — the poll option(s) selected by the voter
Browser fingerprint hash — a SHA-256 cryptographic hash generated from a combination of browser properties (user agent, screen resolution, color depth, timezone, language, and hardware concurrency). The hash is computed on your device before transmission. We never receive or store the individual browser properties — only the resulting irreversible hash. This is used solely to prevent duplicate voting.
IP address hash — a cryptographic hash of your IP address, used for rate limiting and vote deduplication. We do not store raw IP addresses in connection with poll votes.
Poll votes are anonymous. We do not associate votes with user accounts, and we do not store any information that would allow us to identify individual voters from their vote data.
2.4 Demographic Data (Optional)
For polls that have demographic collection enabled (a Pro plan feature), voters may be asked to voluntarily provide:
Age range (e.g., 25-34)
Gender
Broad geographic region (e.g., North America, Europe, Asia Pacific)
Industry
Demographic data is self-reported, voluntary, collected in broad categories (not precise values), and stored in association with the vote — not with any personally identifiable information.
2.5 Analytics and Usage Data
We collect analytics data to understand how the Service is used and to improve it:
Page and embed views — which polls and charts are viewed, whether on our website or via embeds on third-party sites
Referrer domain — the domain of the website from which a visitor arrived (e.g., "example.com"), not the full URL
Fingerprint hash — the same browser fingerprint hash described in Section 2.3, used to calculate unique view counts without identifying individuals
Event metadata — the type of interaction (view, embed view) and the surface (public page, embedded widget)
2.6 Security and Audit Data
For security, fraud prevention, and abuse detection, we collect:
IP address — your IP address is logged in connection with security-relevant events (login attempts, password changes, MFA configuration, account modifications). Unlike poll vote data, security logs store IP addresses in their original form to enable investigation of unauthorized access.
User agent string — your browser and device information as reported by your browser
Action type and metadata — the type of security event and associated context
2.7 Email Communication Data
When we send you emails (account verification, notifications, password resets, and other transactional communications), we record:
Delivery information — whether the email was sent, delivered, bounced, or failed
Email type and subject — the category and subject line of the email
Request context — IP address and user agent at the time the email was triggered (e.g., when you requested a password reset)
2.8 Automatically Collected Technical Data
When you access the Service, our hosting infrastructure automatically collects:
IP address, browser type and version, operating system
Device type, screen resolution, language preferences
Date and time of access, pages visited, time spent
Referring URL and exit pages
We use the information we collect for the following purposes:
Service operation — to provide, maintain, and operate the Service, including account management, poll and chart creation, data visualization, and embed delivery
Authentication and security — to verify your identity, protect your account, detect and prevent fraud, unauthorized access, and abuse
Billing and payments — to process subscription payments, manage billing cycles, and handle cancellations through Stripe
Vote integrity — to prevent duplicate voting and manipulation of poll results using anonymized fingerprint and IP hashes
Analytics and improvement — to understand how the Service is used, measure performance, and improve features
Communications — to send transactional emails (account verification, password resets, billing notifications), service updates, and, with your consent, marketing communications
AI-generated insights — to generate automated trend analyses and insight summaries from aggregated, anonymized poll and chart data
Legal compliance — to comply with applicable laws, regulations, and legal processes
We do not sell your personal information to third parties. We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
We process your personal information on the following legal bases, as applicable under APPI, GDPR, and other privacy laws:
Performance of a contract — processing necessary to provide the Service to you under our Terms of Service, including account management, content hosting, embed delivery, and billing
Consent — where you have given explicit consent, including for analytics cookies (Google Analytics), marketing communications, and optional demographic data collection on polls. You may withdraw consent at any time.
Legitimate interests — where processing is necessary for our legitimate interests and those interests are not overridden by your rights, including security and fraud prevention, service improvement, and vote integrity enforcement
Legal obligations — where processing is necessary to comply with applicable laws, including tax and accounting requirements, and responses to lawful requests from public authorities
5.1 Essential Cookies
Required for the basic operation of the Service. These include session cookies for authentication and security. Essential cookies cannot be disabled without impairing the functionality of the Service.
5.2 Analytics Cookies (Consent Required)
We use Google Analytics 4 ("GA4") to collect anonymized usage statistics. GA4 cookies are not loaded by default. Analytics tracking is only activated after you provide explicit consent through our cookie consent banner. If you do not consent, no GA4 cookies are set and no analytics data is transmitted to Google. You may withdraw consent at any time by clearing your browser's local storage or cookies for our domain.
5.3 Local Storage
We use your browser's local storage (not cookies) to store your cookie consent preferences, including whether you have accepted or declined analytics cookies, the timestamp of your decision, and the consent version.
5.4 Browser Fingerprinting
As described in Section 2.3, we generate a SHA-256 hash from a limited set of browser properties for the sole purposes of preventing duplicate poll votes and calculating unique view counts. This is not a tracking mechanism — the hash cannot be reversed to identify you, is not shared with third parties, and is not used to track you across websites or sessions.
5.5 Managing Your Preferences
You can manage cookies and tracking technologies through the following methods:
Cookie consent banner — select "Essential Only" to decline analytics cookies, or "Accept All" to enable them
Browser settings — most browsers allow you to block or delete cookies through their settings
Google Analytics opt-out — install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
We share personal information with the following categories of third-party service providers, solely as necessary to operate and provide the Service:
Stripe, Inc. (United States) — payment processing. Stripe receives your email address and payment method details to process subscription payments. Stripe's handling of your data is governed by the Stripe Privacy Policy.
Google LLC (United States) — Google Analytics 4 for website analytics (consent-gated). Google may process anonymized usage data. Google's handling of analytics data is governed by the Google Privacy Policy. Google Sheets integration is user-initiated and uses encrypted OAuth tokens to access sheet data on your behalf.
Resend, Inc. (United States) — transactional email delivery. Resend receives recipient email addresses and email content to deliver account verification, notification, and other service emails on our behalf.
Vercel, Inc. (United States) — hosting infrastructure. Vercel processes web requests and may log IP addresses and request metadata as part of standard web server operations. Vercel's handling of data is governed by the Vercel Privacy Policy.
These service providers are contractually obligated to process your data only for the purposes specified by us and to maintain appropriate security measures. We do not authorize them to use your personal information for their own purposes.
AirTA合同会社 is based in Japan. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
We take appropriate safeguards to ensure that your personal information receives an adequate level of protection, including:
For transfers from Japan — compliance with APPI requirements for cross-border transfers, including ensuring that recipient countries provide equivalent levels of data protection or that appropriate contractual safeguards are in place
For transfers from the EEA — reliance on Standard Contractual Clauses ("SCCs") approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under GDPR
For all transfers — contractual obligations requiring service providers to protect your data in accordance with this Policy
We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required by law:
Account data — retained for as long as your account remains active. Upon account deletion, personal data is deleted or anonymized within thirty (30) days, subject to any legal retention obligations.
Workspace and billing data — retained for the duration of the workspace's existence. Stripe retains payment data in accordance with its own retention policies and applicable financial regulations.
Poll vote data — fingerprint hashes and IP hashes are retained for as long as the associated poll exists. Because this data consists only of irreversible cryptographic hashes, it cannot be used to identify individuals.
Demographic data — retained for as long as the associated poll exists, in aggregated broad-category form.
Security event logs — retained for up to twelve (12) months from the date of the event, after which they are permanently deleted.
Email audit logs — retained in accordance with the retention schedule configured for each record type, typically up to twelve (12) months.
Analytics data — aggregated and anonymized analytics data may be retained indefinitely. Raw event data is periodically purged.
We implement appropriate technical and organizational measures to protect your personal information, including:
Encryption in transit — all data transmitted between your browser and our servers is encrypted using HTTPS/TLS
Password security — passwords are hashed using bcrypt with appropriate work factors before storage; plaintext passwords are never stored or logged
Database isolation — Row-Level Security (RLS) policies enforce data isolation between workspaces at the database level
Multi-factor authentication — optional MFA is available for account protection, with encrypted secret storage
Anonymization — poll vote data uses one-way cryptographic hashes rather than storing identifiable information
Access controls — role-based access controls limit data access to authorized users within each workspace
Audit logging — security-relevant actions are logged for monitoring and investigation purposes
While we take reasonable measures to protect your information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by law.
Under the Act on the Protection of Personal Information of Japan, you have the following rights with respect to your personal information held by us:
Right of disclosure — you may request disclosure of the personal information we hold about you
Right of correction — you may request correction, addition, or deletion of inaccurate personal information
Right of cessation of use — you may request that we cease using or delete your personal information if it was collected or is being used in violation of APPI
Right to disclosure of third-party provision records — you may request disclosure of records of any provision of your personal information to third parties
To exercise these rights, contact us at support@liquichart.com. We will respond to your request within a reasonable period, and no later than the timeframe required by APPI. We may charge a reasonable fee for disclosure requests, as permitted by law.
If you are a resident of the European Economic Area, you have the following rights under the General Data Protection Regulation:
Right of access — you may request confirmation of whether we process your personal data and obtain a copy of that data
Right to rectification — you may request correction of inaccurate or incomplete personal data
Right to erasure ("right to be forgotten") — you may request deletion of your personal data under certain circumstances
Right to restriction of processing — you may request that we restrict the processing of your personal data under certain circumstances
Right to data portability — you may request to receive your personal data in a structured, commonly used, and machine-readable format
Right to object — you may object to processing based on legitimate interests, including for direct marketing purposes
Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal
Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement
To exercise these rights, contact us at support@liquichart.com. We will respond within thirty (30) days. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
Right to delete — you may request that we delete the personal information we have collected about you, subject to certain exceptions
Right to opt-out of sale — you have the right to opt out of the sale of your personal information. We do not sell your personal information and have not sold personal information in the preceding twelve (12) months.
Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights
Categories of personal information collected in the preceding 12 months:
Identifiers (email address, IP address, account name)
Commercial information (subscription records, billing history)
Internet or other electronic network activity (browsing history on our Service, interaction with our Service, analytics data)
Inferences drawn from the above categories (usage patterns, aggregated analytics)
To exercise these rights, contact us at support@liquichart.com. We will verify your identity before fulfilling your request. You may also designate an authorized agent to make a request on your behalf.
The Service is not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete that information promptly. If you believe that we have collected personal information from a child under 18, please contact us immediately at support@liquichart.com.
Our Service respects browser Do Not Track ("DNT") signals. When we detect a DNT signal, we do not load analytics cookies (Google Analytics) unless you have previously provided explicit consent through our cookie consent banner. Note that our first-party fingerprint hashing for vote deduplication is a functional mechanism (not a tracking mechanism) and operates independently of DNT signals, as it is necessary for the integrity of the Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page. For material changes that significantly affect how we handle your personal information, we will provide notice via email to the address associated with your account at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.
If you have concerns about our privacy practices that we are unable to resolve, you may contact the relevant supervisory authority:
Japan — Personal Information Protection Commission (PPC): ppc.go.jp
European Economic Area — the data protection authority in the EU member state of your habitual residence or place of work
California — the California Attorney General's Office: oag.ca.gov/privacy
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us at:
Data Controller: AirTA合同会社 (AirTA G.K.)
Email: support@liquichart.com
Location: Tokyo, Japan
We will acknowledge your request within five (5) business days and provide a substantive response within the timeframes required by applicable law.