Global Privacy Policy

Capitalized terms used but not defined in this policy have the meanings assigned to them in the GDPR, the CPRA, or the Customer's executed agreement with ATMList, as context requires. "Personal data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on personal data, whether by automated means or otherwise. "Controller" means the natural or legal person that determines the purposes and means of processing. "Processor" means a natural or legal person that processes personal data on behalf of the Controller. "Data subject" means the identified or identifiable natural person to whom personal data relates.

"Customer" means the legal entity that has entered into a commercial agreement with ATMList for access to the Services. "Customer Content" means personal data submitted to the Services by or on behalf of Customer, in respect of which Customer acts as Controller and ATMList acts as Processor. "Business contact" means an individual acting in a professional capacity on behalf of a Customer, prospective Customer, vendor, or partner organization. "Site visitor" means any natural person who accesses the ATMList corporate website (atmlist.com) or any subdomain thereof without authenticating to the Services.

References to "applicable law" mean, as the context requires, the data-protection and privacy legislation in force in the jurisdiction(s) where the relevant data subject resides or where the processing occurs. References to articles of the GDPR include equivalent provisions of the UK GDPR and the Swiss FADP, as applicable. Headings are for convenience only and do not affect the interpretation of this policy.

This policy applies to personal data processed through the ATMList corporate website (atmlist.com and subdomains), sales and business-development channels, Customer onboarding and support operations, account-administration and billing systems, marketing and event-registration platforms, and recruitment and talent-acquisition programs. It also applies to personal data incidentally contained in API-request metadata, usage logs, and system telemetry where ATMList determines the purposes of processing independently of Customer instructions.

If the data subject is an end user of a Customer's application or service, the Customer's privacy notice is the primary source of transparency obligations. ATMList processes such data as a Processor and does not control the purposes for which Customer submits it. However, to the extent that ATMList extracts aggregated or anonymized insights from system-wide usage patterns for its own purposes, this policy addresses that processing.

If any provision of this policy conflicts with an executed Master Services Agreement, order form, or DPA between ATMList and a Customer, the executed instrument controls with respect to processing performed on the Customer's behalf. For processing where ATMList acts independently as Controller, this policy states the governing terms unless a separate controller-to-controller agreement has been executed.

For the processing activities described in this policy, the data controller is ATMList, Inc., a corporation organized under the laws of Japan, with its registered office at Otemachi Financial City South Tower 12F, 1-9-7 Otemachi, Chiyoda-ku, Tokyo 100-0004, Japan.

Our Privacy Office may be reached at [email protected]. Our designated representative for purposes of Article 27 of the GDPR and Article 27 of the UK GDPR is available upon request to qualified Customers and data subjects. Our representative in Switzerland for purposes of the Swiss FADP is likewise available upon request.

ATMList has not appointed a data protection officer under Article 37 GDPR because we have assessed that our processing activities as a Controller do not meet the mandatory thresholds of that article. Nevertheless, the Privacy Office functions as the central point of contact for data-protection matters and is staffed by personnel qualified in global privacy law compliance.

Depending on the nature of your interaction with ATMList, we may process the following categories of personal data. ATMList does not process all categories for every data subject; the specific categories depend on the relationship, the Service(s) involved, and the purposes identified in Section 5.

• Business contact data — professional name, title, function, corporate email address, business telephone number, employer name, office location, and billing identifiers associated with Customer or partner accounts.
• Account and authentication data — user identifiers, organization identifiers, hashed credentials, API-key metadata, role assignments, permission sets, multi-factor-authentication tokens, session identifiers, and account-creation timestamps.
• Service usage and telemetry data — API-request timestamps, endpoint paths, query parameters voluntarily transmitted by Customer (including coarse geolocation coordinates, card-network identifiers or BIN prefixes, and request-correlation identifiers), HTTP status codes, rate-limit counters, and quota-consumption metrics.
• Communications data — email correspondence, support-ticket contents, call recordings (where disclosed), meeting transcripts, contractual correspondence, and notes maintained for account-management and business-development purposes.
• Corporate-website data — IP address, user-agent string, device characteristics, browser-configuration preferences (including language settings), cookie-consent preferences, referral URLs, page-interaction events, and session duration on our marketing and informational properties.
• Event and marketing data — registration details for webinars, industry events, and product demonstrations; preferences regarding marketing communications; and records of opt-in and opt-out elections.
• Recruitment data — curricula vitae, cover letters, portfolio links, work-authorization status, compensation expectations, interview assessments, reference-check results, and related evaluation materials for individuals who apply directly to ATMList career openings.
• Financial and transactional data — invoicing records, payment references, purchase-order identifiers, and credit-limit information where applicable to enterprise billing relationships.

We collect personal data directly from data subjects when they register for an account, communicate with our sales or support teams, subscribe to marketing communications, attend events, apply for employment, or otherwise interact with ATMList properties and personnel.

We also receive personal data from Customer organizations when they provision user accounts, submit support requests, designate technical or commercial points of contact, or provide information necessary for contract administration and billing. Customers are responsible for ensuring that the provision of business-contact data to ATMList complies with applicable transparency requirements.

Additionally, we may receive limited personal data from third-party sources, including: professional-networking platforms and industry directories (for business-development outreach), event organizers (for attendee lists where consent or legitimate interest applies), and publicly accessible government registries (for sanctions screening and compliance checks). We do not purchase marketing lists that include data of individuals who have not manifested a professional interest in our Services.

ATMList processes personal data for the following purposes. Each purpose is linked to a lawful basis under the GDPR (and equivalent UK and Swiss law) as detailed in Section 7. We do not process personal data for any purpose incompatible with the original purpose of collection without providing additional notice where required by law.

Service delivery and contract performance — to provision, maintain, and support Customer accounts; to authenticate users; to process API requests and return responses; and to fulfill our obligations under commercial agreements.

Customer relationship management — to communicate regarding account status, service updates, renewal opportunities, product roadmaps, and technical or commercial matters arising in the course of the business relationship.

Platform security and integrity — to detect, prevent, and respond to fraud, abuse, unauthorized access, denial-of-service attacks, and other threats to the confidentiality, integrity, and availability of the Services and underlying infrastructure.

Product improvement and analytics — to aggregate de-identified usage patterns, monitor system performance, identify coverage gaps, and inform decisions about feature development and capacity planning.

Marketing and business development — to send promotional communications about ATMList products, services, events, and industry insights to business contacts who have consented or where legitimate interest permits, with an opt-out mechanism in each communication.

Recruitment and talent management — to evaluate, communicate with, and maintain records regarding candidates for employment or contractor roles at ATMList.

Legal and regulatory compliance — to comply with applicable laws, regulations, court orders, and lawful requests from government authorities; to conduct sanctions and restricted-party screening; and to establish, exercise, or defend legal claims.

Corporate transactions — to evaluate, negotiate, and execute mergers, acquisitions, financings, reorganizations, or asset sales, subject to confidentiality obligations and the proviso that personal data remains protected under terms no less restrictive than this policy.

Where the GDPR, UK GDPR, or Swiss FADP applies, we process personal data on one or more of the following legal bases. The applicable basis depends on the specific processing activity and the data subject's relationship with ATMList.

Performance of a contract (Article 6(1)(b) GDPR) — processing necessary to perform our obligations under a commercial agreement with a Customer, including account provisioning, API delivery, technical support, billing, and contract administration.

Legitimate interests (Article 6(1)(f) GDPR) — processing necessary for the purposes of our legitimate interests or those of a third party, provided those interests are not overridden by the data subject's rights and freedoms. Our legitimate interests include: (i) ensuring the security, availability, and resilience of the Services; (ii) conducting business-development and account-management activities with existing and prospective enterprise Customers; (iii) improving and optimizing our platform based on aggregated, de-identified telemetry; (iv) protecting our legal rights and defending against claims; and (v) evaluating candidates for employment.

Consent (Article 6(1)(a) GDPR) — processing based on freely given, specific, informed, and unambiguous indication of the data subject's wishes. We rely on consent for: (i) direct marketing communications sent to individuals who are not existing Customers or who have not engaged in a recent commercial dialogue; (ii) deployment of non-essential cookies and similar tracking technologies on our corporate website, where required by the ePrivacy Directive or equivalent legislation; and (iii) processing of special-category data, if any, in the recruitment context where permitted and where explicit consent is obtained.

Legal obligation (Article 6(1)(c) GDPR) — processing necessary for compliance with a legal obligation to which ATMList is subject, including tax record-keeping, mandatory commercial-register filings, sanctions screening, and responses to lawful requests from competent authorities.

ATMList does not process special categories of personal data (Article 9 GDPR) as a Controller in the ordinary course of business. In the limited circumstances where such data might be processed (for example, health information voluntarily disclosed in a recruitment accommodation request or diversity-monitoring survey), processing will occur only on the basis of explicit consent (Article 9(2)(a)), employment-law obligations (Article 9(2)(b)), or data manifestly made public by the data subject (Article 9(2)(e)).

ATMList discloses personal data only as described in this section. We do not sell personal data for monetary consideration. We do not share personal data for cross-context behavioral advertising purposes. We do not make personal data available to data brokers or aggregators for their own commercial use.

Within ATMList and its affiliated entities, access to personal data is limited to personnel who require access to perform their job functions, under binding confidentiality obligations. Affiliated entities may act as joint controllers or processors depending on the processing context and the contractual framework in place.

• Infrastructure and technology providers — cloud-hosting, content-delivery, database, and platform-as-a-service providers that host or transmit data on our instructions under written agreements with equivalent data-protection obligations.
• Business-operations providers — customer-relationship-management, billing, enterprise-resource-planning, support-ticketing, and collaboration-platform providers engaged to facilitate our commercial and support operations.
• Professional advisers — external legal counsel, auditors, accountants, and consultants who require access to specific records to provide professional services, bound by professional duties of confidentiality.
• Payment processors — third-party payment gateways and financial institutions that process Customer payments and invoicing on our behalf.
• Regulatory and law-enforcement authorities — where disclosure is required by subpoena, court order, or other lawful process, or where we believe in good faith that disclosure is necessary to comply with law, protect rights or safety, or respond to an emergency.
• Corporate-transaction counterparties — in connection with a merger, acquisition, financing, reorganization, or sale of assets, provided the recipient agrees to protect personal data in a manner consistent with this policy and to use it solely for the purpose of evaluating or completing the transaction.

ATMList engages third-party subprocessors to deliver and support the Services. A current list of subprocessors is maintained as Annex B to our DPA and is made available to enterprise Customers under their commercial agreement. Subprocessors are subject to written contracts that impose data-protection obligations no less protective than those in the DPA.

Customers with an executed DPA receive prior notification of intended additions or replacements of subprocessors via the mechanism described in the DPA, including an opportunity to object on reasonable data-protection grounds within a defined notice period. For processing activities where ATMList acts as Controller, we conduct diligence on third-party recipients to verify their security posture, data-protection compliance, and the adequacy of their safeguards before engagement.

Where a subprocessor accesses or processes personal data from a jurisdiction subject to transfer restrictions, the applicable Standard Contractual Clauses, International Data Transfer Addendum, or other approved transfer mechanism is incorporated into the subprocessor agreement. Subprocessors are permitted to process personal data only to the extent necessary to perform the specific services for which they have been engaged.

ATMList operates a globally distributed infrastructure. Personal data processed by ATMList as Controller may be transferred to, stored in, and processed in countries other than the country in which the data subject resides, including Japan, the United States, member states of the European Union, the United Kingdom, Singapore, and other jurisdictions where ATMList or its subprocessors maintain facilities.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not been recognized by the relevant authority as providing an adequate level of protection, ATMList implements appropriate safeguards in accordance with Articles 44 through 49 of the GDPR, including: (i) the European Commission Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), Module One (Controller to Controller) or Module Two (Controller to Processor) as applicable; (ii) the UK International Data Transfer Addendum to the European Commission Standard Contractual Clauses, issued by the Information Commissioner under section 119A of the Data Protection Act 2018; and (iii) the standard data-protection clauses recognized or approved by the Swiss Federal Data Protection and Information Commissioner for transfers from Switzerland.

In addition to the contractual safeguards described above, ATMList conducts transfer impact assessments to evaluate the laws and practices of the destination jurisdiction and implements supplementary technical, organizational, and contractual measures where the assessment identifies risks that contractual clauses alone do not adequately address. Such supplementary measures may include encryption with key management outside the destination jurisdiction, pseudonymization, contractual commitments to challenge unlawful access requests, and transparency reporting where legally permissible.

Data subjects may obtain a copy of the relevant transfer safeguards by submitting a request to the Privacy Office, subject to confidentiality redactions permitted by law.

ATMList retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Retention periods are determined by reference to: (i) the duration of the contractual or business relationship; (ii) statutory retention obligations under tax, commercial, and employment law; (iii) applicable statutes of limitation for potential legal claims; and (iv) operational necessity for security, audit, and business-continuity purposes.

Business contact and account data are retained for the duration of the Customer relationship and for a period of up to seven (7) years following termination, to comply with tax and commercial record-keeping obligations and to defend against potential claims. Service-usage and telemetry data are retained in identifiable form for a maximum of ninety (90) days, after which they are aggregated, anonymized, or securely deleted according to environment-specific data-lifecycle policies. Recruitment data for unsuccessful candidates is retained for up to two (2) years, or longer with the candidate's consent, to facilitate future hiring opportunities.

Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized using industry-standard methods. Where deletion is not immediately technically feasible (for example, data residing in encrypted backup archives on a rotation schedule), access is restricted and further processing is suspended until deletion can be completed in the ordinary course of the backup lifecycle.

ATMList implements and maintains administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are assessed and updated on an ongoing basis to address evolving threats and to reflect changes in industry practice and regulatory expectations.

Our information-security program includes: logical access controls with role-based permissions and multi-factor authentication for production systems; encryption of data in transit using TLS 1.2 or higher and encryption of data at rest for primary databases, backups, and object storage; network segmentation with default-deny policies; secure software-development lifecycle practices including peer code review, automated testing, and dependency-vulnerability scanning; centralized security-event logging with correlation and alerting; and an incident-response plan with defined classification, containment, eradication, and notification procedures.

A summary of our security posture is published on our Information Security page. Detailed control matrices, penetration-test executive summaries, and independent audit reports (including SOC 2 Type II reports) are available to qualified Customers under a non-disclosure agreement through our procurement or security-contact channels. The publication of this summary does not modify or supplement contractual security obligations.

Despite our safeguards, no method of electronic storage or transmission is completely secure. ATMList cannot guarantee absolute security. In the event of a security incident involving personal data for which ATMList is Controller, we will notify affected data subjects and relevant supervisory authorities as required by applicable law.

Data subjects whose personal data is processed by ATMList as Controller may have the following rights under applicable data-protection law, subject to conditions, limitations, and exemptions prescribed by the relevant statute:

• Right of access (Article 15 GDPR / CPRA § 1798.110) — to confirm whether ATMList processes personal data concerning the data subject and to obtain a copy of that data together with information about the processing.
• Right to rectification (Article 16 GDPR / CPRA § 1798.106) — to request correction of inaccurate personal data and completion of incomplete personal data.
• Right to erasure (Article 17 GDPR / CPRA § 1798.105) — to request deletion of personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected or where processing is based on consent and consent is withdrawn.
• Right to restriction of processing (Article 18 GDPR) — to request that ATMList limit processing of personal data while a concern about accuracy, lawfulness, or objection is being resolved.
• Right to data portability (Article 20 GDPR) — to receive personal data provided to ATMList in a structured, commonly used, machine-readable format and to transmit it to another controller where processing is based on consent or contract and carried out by automated means.
• Right to object (Article 21 GDPR) — to object to processing based on legitimate interests or to processing for direct-marketing purposes (which ATMList will honor without exception upon verified objection).
• Right not to be subject to automated decision-making (Article 22 GDPR) — as described in Section 17 of this policy.
• Right to withdraw consent (Article 7(3) GDPR) — to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint (Article 77 GDPR) — to file a complaint with a competent supervisory authority in the data subject's country of residence, place of work, or place of the alleged infringement.

Data subjects may exercise their rights by submitting a verifiable request to [email protected]. We will acknowledge receipt and respond within the timeframes prescribed by applicable law (generally within one month, extendable by a further two months for complex or numerous requests, with notice of extension provided within the initial one-month period). We may request reasonable information to verify the requestor's identity and authority before taking action. Where we determine that a right does not apply or that an exemption is available, we will explain the basis for our determination.

Where ATMList acts as Processor on behalf of a Customer, data subjects should direct their requests to the relevant Customer as Controller. ATMList will assist the Customer in responding as required by the DPA.

ATMList does not discriminate against data subjects who exercise their rights under applicable data-protection law. We do not deny services, charge different prices, or provide a different level or quality of services based on a data subject's exercise of privacy rights.

ATMList uses cookies, web beacons, and similar tracking technologies on its corporate website and marketing properties. These technologies serve several functions: (i) strictly necessary — essential for website operation, session management, and security; (ii) functional — to remember preferences such as language selection; (iii) analytics — to understand aggregate visitor behavior and improve site performance; and (iv) marketing — to measure the effectiveness of advertising campaigns and to deliver relevant content to professional audiences on third-party platforms.

We deploy a consent-management platform that enables Site visitors to accept or decline non-essential cookies by category, in compliance with the ePrivacy Directive (as implemented in EU member states), the UK Privacy and Electronic Communications Regulations, and equivalent legislation in other jurisdictions. Strictly necessary cookies are set without consent; all other categories require affirmative opt-in before deployment. Consent preferences are stored for a minimum of twelve (12) months and visitors may update their preferences at any time via the cookie-settings link in the site footer.

ATMList does not use tracking technologies within the authenticated Services interface or the API platform itself. The Services do not deploy cookies, pixels, or device-fingerprinting mechanisms on Customer end-user devices. Customer is solely responsible for any tracking technologies deployed within Customer's own applications that integrate with the ATMList API.

ATMList may send marketing communications to business contacts who have: (i) consented to receive such communications; (ii) entered into a commercial relationship with ATMList and received information about the right to object at the time of data collection and in each subsequent communication (soft opt-in, where permitted by law); or (iii) expressed a legitimate professional interest in ATMList Services through demonstrated engagement with our content, events, or sales team.

Every marketing email sent by ATMList includes a clearly identified, functional unsubscribe mechanism. Data subjects may also opt out by contacting the Privacy Office. Opt-out requests are processed promptly and in any event within ten (10) business days. Transactional and service-related communications (including account notices, security alerts, billing updates, and contract-renewal correspondence) are not marketing communications and are not subject to the opt-out mechanism, as they are necessary for the performance of our contractual obligations.

ATMList participates in industry events, webinars, and conferences. Where we co-host events with third-party organizers, we may receive attendee lists. Attendees are informed of data-sharing arrangements through the event registration process. ATMList does not sell or trade event-attendee data to third-party sponsors.

ATMList does not engage in automated individual decision-making as defined by Article 22 of the GDPR — that is, decisions based solely on automated processing (including profiling) that produce legal effects concerning a data subject or similarly significantly affect the data subject. Our data models and algorithms operate on aggregated, de-identified datasets to improve ATM location accuracy, predict machine availability, and score network-coverage quality; these outputs do not produce decisions about individual data subjects.

To the limited extent that automated processes are used for platform-security purposes (such as anomaly detection in API traffic patterns or rate-limit enforcement), any resulting action (such as temporary access restriction) is subject to human review and override, and does not produce legal or similarly significant effects on individuals.

Customer acknowledges that any profiling or automated decision-making performed on Customer Content using ATMList API outputs is the responsibility of the Customer as Controller or independent decision-maker, subject to the Customer's own transparency and lawfulness obligations.

ATMList Services are designed for and marketed to financial institutions, technology companies, and other business enterprises. The Services are not directed to individuals under the age of eighteen (18), and ATMList does not knowingly collect or solicit personal data from children. Our corporate website, marketing properties, and recruitment programs are likewise not directed to children.

If ATMList becomes aware that it has inadvertently collected personal data from a child below the age of digital consent in the relevant jurisdiction (sixteen in the EEA, thirteen in the United Kingdom subject to the UK Age-Appropriate Design Code, and thirteen in the United States under the Children's Online Privacy Protection Act), we will take prompt steps to delete that data. Parents or guardians who believe that ATMList may have collected a child's personal data should contact the Privacy Office immediately.

Customers integrating ATMList Services into consumer-facing applications are solely responsible for determining whether those applications are directed to children and for complying with applicable children's privacy laws, including obtaining verifiable parental consent where required.

This section supplements the remainder of this policy and applies solely to personal information of California residents processed by ATMList as a "business" under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 et seq., the "CPRA"). This section does not apply to personal information that ATMList processes as a "service provider" or "contractor" on behalf of a Customer; in such circumstances, the Customer's privacy notice governs.

Under the CPRA, California residents have the right to: (i) know what personal information ATMList has collected, used, disclosed, and sold or shared (ATMList does not sell or share personal information as those terms are defined in the CPRA); (ii) request deletion of personal information, subject to statutory exceptions; (iii) correct inaccurate personal information; (iv) limit the use and disclosure of sensitive personal information (ATMList does not use or disclose sensitive personal information for purposes that would give rise to this right); and (v) not receive discriminatory treatment for exercising CPRA rights.

ATMList has collected the following categories of personal information about California residents in the preceding twelve (12) months: identifiers (such as name, email address, and IP address); commercial information (such as billing records and service-usage data); internet or electronic-network activity (such as website-interaction data); professional or employment-related information (such as job title and employer); and inferences drawn from the foregoing. The sources, purposes, and disclosure categories are as described in Sections 5, 6, and 8 of this policy. ATMList has not sold or shared personal information as defined by the CPRA and has no actual knowledge of selling or sharing the personal information of consumers under sixteen (16) years of age.

California residents may exercise CPRA rights by submitting a verifiable request to the Privacy Office. We will acknowledge receipt within ten (10) business days and substantively respond within forty-five (45) calendar days, extendable by an additional forty-five (45) days where reasonably necessary, with notice of the extension provided within the initial forty-five-day period. Authorized agents may submit requests on behalf of consumers with written authorization; ATMList may require verification directly from the consumer before processing the request.

Where this policy references the GDPR, the equivalent provisions of the UK GDPR (as defined in section 3(10) and section 205(4) of the Data Protection Act 2018) apply to the processing of personal data of data subjects located in the United Kingdom. References to supervisory authorities include the UK Information Commissioner.

ATMList's UK GDPR representative, required under Article 27 of the UK GDPR, is available upon request. International transfers of UK personal data are governed by the UK International Data Transfer Addendum, or the UK Addendum to the EU Standard Contractual Clauses, as applicable, as described in Section 10.

To the extent that ATMList processes personal data of data subjects in Switzerland as a Controller, such processing is subject to the Swiss Federal Act on Data Protection (FADP) and its implementing Ordinance. References in this policy to the GDPR include equivalent provisions of the FADP to the extent applicable.

ATMList's representative in Switzerland for purposes of Article 14 of the revised FADP and for service of process by the Swiss Federal Data Protection and Information Commissioner (FDPIC) is available upon request. International transfers of Swiss personal data are conducted in accordance with the FDPIC's requirements, including the use of standard data-protection clauses recognized or approved by the FDPIC.

As a corporation organized under the laws of Japan, ATMList is subject to the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended, the "APPI"). ATMList processes personal data in compliance with the APPI, its cabinet orders, and the guidelines issued by the Personal Information Protection Commission of Japan. We maintain a personal-information protection management system commensurate with our obligations as a business operator handling personal information under the APPI.

Where ATMList acts as a personal-information handling business operator under the APPI, we: (i) specify purposes of utilization and limit processing to those purposes; (ii) obtain prior consent before acquiring, using, or providing to third parties any sensitive personal information (as defined in the APPI guidelines); (iii) maintain accurate and up-to-date personal data to the extent necessary to achieve the purpose of utilization; (iv) implement necessary and appropriate security-control measures; (v) supervise employees and contractors who handle personal data; and (vi) respond to data-subject requests for disclosure, correction, cessation of use, and cessation of third-party provision in accordance with Articles 33 through 39 of the APPI.

ATMList's overseas transfers of personal data are conducted in accordance with Article 28 of the APPI, including the provision of information to data subjects regarding the personal-information protection system of the destination country and the measures taken by the recipient to protect personal data. Where the recipient is located in a country recognized by the Personal Information Protection Commission as having a personal-information protection system at a level equivalent to Japan's, or where the recipient has established standards meeting the requirements of the APPI implementing regulations, transfers are conducted on the basis of such equivalence.

Customers that integrate ATMList Services into their own products, applications, or business processes are independent Controllers (or Processors) with respect to the personal data they submit, and they retain full responsibility for compliance with applicable data-protection law. In particular, each Customer is responsible for: (i) providing a legally sufficient privacy notice to its end users that discloses the collection and processing of personal data through the Customer's application, including the role of ATMList as a Processor where applicable; (ii) establishing and maintaining a lawful basis for the collection and transmission of personal data to ATMList; (iii) responding to data-subject requests directed to the Customer and notifying ATMList of requests that require Processor assistance under the DPA; and (iv) conducting its own data-protection impact assessments and transfer impact assessments where required.

Customers shall not submit to the ATMList platform any personal data that is not reasonably necessary for the provision of the Services, and shall not submit special categories of personal data (as defined in Article 9 GDPR), financial-account credentials, or government-issued identification numbers unless a separate written agreement expressly authorizes such submission and addresses the associated compliance requirements.

Where a Customer is established in a jurisdiction that mandates specific contractual provisions beyond those contained in ATMList's standard DPA or Master Terms, the Customer is responsible for identifying such requirements during the procurement process so that supplementary terms may be negotiated in good faith. ATMList's standard Data Processing Agreement, Information Security overview, and subprocessor list are designed to satisfy the Article 28 GDPR requirements common to enterprise procurement in the EEA, UK, and Switzerland; Customers requiring additional region-specific provisions should engage the ATMList commercial team before transmitting personal data.

In the event of any conflict or inconsistency between this Global Privacy Policy and an executed Master Services Agreement, order form, or Data Processing Agreement between ATMList and a Customer, the executed instrument shall prevail with respect to the processing of personal data that is subject to that instrument. This policy operates as a transparency notice and is not intended to alter, amend, or supplement contractual obligations.

Where ATMList processes personal data as a Processor, the terms of the DPA define the scope of processing, the allocation of responsibilities, and the technical and organizational measures applicable. This policy describes complementary processing where ATMList acts as Controller; it does not expand or modify the Customer's instructions as Processor.

Nothing in this policy shall be construed as a waiver of any right, remedy, defense, or limitation of liability available to ATMList under an executed agreement or at law.

Data subjects who believe that ATMList has processed their personal data in violation of applicable data-protection law may lodge a complaint with the competent supervisory authority. In the European Economic Area, the competent authority is generally the supervisory authority of the data subject's habitual residence, place of work, or place of the alleged infringement. In the United Kingdom, the competent authority is the Information Commissioner's Office. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner. In Japan, the competent authority is the Personal Information Protection Commission.

ATMList commits to cooperating with supervisory authorities in the resolution of complaints and to complying with advice and orders issued by competent authorities under their statutory powers. We will engage in good faith with any regulatory inquiry and will make available relevant records, policies, and certifications as lawfully requested, subject to confidentiality obligations owed to Customers.

Data subjects are encouraged to contact the Privacy Office before lodging a formal complaint with a supervisory authority so that ATMList has the opportunity to investigate and resolve the concern directly. Contacting ATMList does not limit or affect the data subject's right to file a complaint with a supervisory authority at any time.

ATMList may amend this Global Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance, our processing activities, or our operational practices. Amendments will be identified by an updated document reference and a revised last-updated date at the top of this policy. The version history is maintained as part of the document reference numbering: major revisions increment the primary version number; minor clarifications and non-material updates are reflected in the effective-date and last-updated fields.

Where an amendment materially affects the rights or obligations of data subjects — for example, by expanding the categories of personal data collected, introducing a new purpose of processing, or disclosing data to a new category of recipient — ATMList will provide prominent notice on the corporate website and, where feasible and appropriate, direct notification to impacted individuals or to the enterprise Customers whose business contacts are affected.

Material amendments will have a prospective effective date not less than thirty (30) calendar days from the date of publication, unless a shorter period is mandated by law or regulatory directive. Continued interaction with ATMList after the effective date of a published amendment constitutes acknowledgment of the updated policy to the extent permitted by applicable law. Data subjects who do not agree with a material amendment should cease providing personal data to ATMList and exercise their right to erasure where applicable.

The authoritative version of this Global Privacy Policy is the English-language text published at atmlist.com/privacy. A Japanese translation is published alongside this policy for APPI transparency purposes; for matters relating to Japan's Act on the Protection of Personal Information, the Japanese text may prevail where a dispute arises and the Japanese-language disclosure is the operative compliance instrument. Translations provided for convenience in other languages are not binding and shall not be relied upon for legal interpretation.

Privacy inquiries, data-subject requests, regulatory correspondence, and questions regarding this policy should be directed to:

• Email: [email protected]
• Legal correspondence: [email protected]
• Registered address: Otemachi Financial City South Tower 12F, 1-9-7 Otemachi, Chiyoda-ku, Tokyo 100-0004, Japan
• Website: https://atmlist.com/privacy

Enterprise Customers requiring detailed privacy-and-security diligence materials — including SOC 2 Type II reports, penetration-test summaries, subprocessor annexes, and transfer-impact assessments — should contact their account executive or the ATMList commercial team. These materials are available under a mutual non-disclosure agreement and are updated on a cadence consistent with our annual audit cycle.