“Mirrored Body” Privacy Policy

Sustainable Pavilion 2025 Co., Ltd. (hereinafter referred to as the "Company") establishes the following privacy policy (hereinafter referred to as the "Policy") regarding the handling of personal information of customers using the digital avatar experience application "Mirrored Body" (services provided through the application are hereinafter referred to as the "Service"). The Company will appropriately handle customers' personal information in accordance with this Policy. This Policy applies to the handling of personal information of all users of the Service.

1. Types and Purposes of Personal Information Handling

1. The Company handles the following categories of personal information for the purposes set forth in Section 2. Provision of personal information is voluntary; however, some parts of the Service require such information. If you choose not to provide certain information, you may not be able to access parts of the Service.

   a. Information Provided Directly by the Customer

   • i. Basic Information: Name, nickname, gender, age, occupation, etc.
   • ii. Biometric Information: Facial images, 3D body data, voice data, etc.
   • iii. Input Information: Information such as preferences, thought patterns, and personality, as entered through Company-specified methods.
   • iv. Blockchain-Related Information: Wallet address, fungible tokens (FTs), non-fungible tokens (NFTs)

   b. Information Provided Indirectly Through Third Parties

   • i. Social Login Information: Google ID or Apple ID (only if the customer selects login via Google LLC or Apple Inc.)
   • ii. Health and Lifestyle Information: Height, weight, diet, sleep, physical activity records, and health advice (including information regarding blood pressure risks, immunity decline, and frailty risks) (only if the customer links with the "PHR-CYCLE" platform provided by Wellmira Inc. and NTT DOCOMO, Inc.)

2. We handle customers' personal information to the extent necessary for the purposes listed below:

   a. Based on the customer's consent:

   • i. To outsource processing necessary for the provision of this service at the Signature Pavilion null2 of Expo 2025 Osaka, Kansai, Japan.
   • ii. To outsource processing necessary for dialogue generation of the Mirrored Body (referring to the digital avatar provided by our company; the same shall apply hereinafter) using large language models.
   • iii. To outsource processing necessary for voice synthesis of the Mirrored Body.
   • iv. To integrate with blockchain network services.
   • v. To outsource data management related to this service.

   b. Related to the performance of a contract with the customer:

   • i. To provide (including maintenance and management of) this service.
   • ii. To respond to inquiries, complaints, or consultations.
   • iii. To notify of changes to the terms and conditions related to this service.

   c. Regarding the protection of the rights of our company or other customers:

   • i. To carry out negotiations, dispute resolution, and other legal or administrative procedures.

   d. Regarding the detection of and response to violations as defined by our company:

   • i. To verify whether identity theft or other unauthorized use has occurred.
   • ii. To respond to the transmission of inappropriate information and other violations as defined by our company.

   e. Regarding the development or improvement of this service:

   • i. To analyze the usage of this service and develop new features.
   • ii. To prevent or address system failures and other malfunctions related to this service.

2. Recipients of Personal Information

The Company may provide customers' personal information to the third parties listed below, based on the customer's consent, for the purposes set forth in Section 1 "Types and Purposes of Personal Information Handling." Customers may, in accordance with applicable laws and regulations, withdraw their consent to the provision of personal information by using the management functions available within the Service.

1. Japan Association for the 2025 World Exposition (a Public Interest Incorporated Association)
   The Company may provide the user's basic information, biometric information, input information, or lifestyle information for the purpose of outsourcing processing necessary to provide the Service at the Signature Pavilion null2 of the 2025 World Exposition.

2. Deep Infra Inc.
   The Company may provide the user's basic information, input information, or lifestyle information for the purpose of outsourcing processing necessary for dialogue generation in Mirrored Body using a large language model.

3. Eleven Labs Inc.
   The Company may provide the user's voice data for the purpose of outsourcing processing necessary for voice synthesis in Mirrored Body.

4. THXLAB Pte. Ltd.
   The Company may provide the user's basic information, biometric information, input information, lifestyle information, or blockchain-related information for the purpose of integration with blockchain network services.

5. Amazon Web Services, Inc.
   The Company may provide the user's basic information, biometric information, input information, or lifestyle information for the purpose of outsourcing data management for the Service.

3. Cross-Border Transfer of Personal Information to Third Countries

The Company may transfer users' personal information to the United States and other third countries. In such cases, the Company will implement appropriate safeguards in accordance with applicable laws and regulations, such as by entering into contractual clauses. For reference, information by country (or state) is as set forth below as of the date of this Policy.

1. State of California, United States of America

   • a. Information regarding the personal information protection regime in the relevant foreign country obtained through appropriate and reasonable means:
     Please refer to the Personal Information Protection Commission's "Survey on Personal Information Protection Systems in Foreign Countries" (United States – State of California).
   • b. Information regarding measures taken by the relevant third party for the protection of personal information:
     ・Deep Infra Inc.
     Information cannot be provided as it could not be confirmed whether the company has implemented all measures corresponding to the eight principles of the OECD Privacy Guidelines.

2. State of New York, United States of America

   • a. Information regarding the personal information protection regime in the relevant foreign country obtained through appropriate and reasonable means:
     Please refer to the Personal Information Protection Commission's "Survey on Personal Information Protection Systems in Foreign Countries" (United States – State of New York).
   • b. Information regarding measures taken by the relevant third party for the protection of personal information:
     ・Eleven Labs Inc.
     Information cannot be provided as it could not be confirmed whether the company has implemented all measures corresponding to the eight principles of the OECD Privacy Guidelines.

3. State of Washington, United States of America

   • a. Information regarding the personal information protection regime in the relevant foreign country obtained through appropriate and reasonable means:
     Please refer to the Personal Information Protection Commission's "Survey on Personal Information Protection Systems in Foreign Countries" (United States – Federal).
   • b. Information regarding measures taken by the relevant third party for the protection of personal information:
     ・Amazon Web Services, Inc.
     The company has implemented all measures corresponding to the eight principles of the OECD Privacy Guidelines.

4. Singapore

   • a. Information regarding the personal information protection regime in the relevant foreign country obtained through appropriate and reasonable means:
     Please refer to the Personal Information Protection Commission's "Survey on Personal Information Protection Systems in Foreign Countries" (Singapore).
   • b. Information regarding measures taken by the relevant third party for the protection of personal information:
     ・THXLAB Pte. Ltd.
     Information cannot be provided as it could not be confirmed whether the company has implemented all measures corresponding to the eight principles of the OECD Privacy Guidelines.

4. Retention Period of Personal Information

The Company will retain users' personal information only for the period necessary to achieve the purposes set forth in "1. Types and Purposes of Personal Information Handling" above. The specific retention period will be determined based on the type of personal information, the purposes of its use, and the necessity of retaining such information under legal or business requirements.

5. Security Control Measures

The Company will implement necessary and appropriate measures to ensure the security of personal information, including the prevention of leakage, loss, or damage of users' personal information. For details regarding the security control measures implemented by the Company, please refer to Contact for Inquiries set forth in Section 8 below.

6. User Rights

1. Users may have the rights set forth below in accordance with applicable laws and regulations. However, the rights listed in items (f) and (g) may apply only to users residing outside Japan, including in the European Economic Area and the State of California, United States. To exercise any of these rights, please refer to Contact for Inquiries set forth in Section 8 below.

   a. Right to Access Personal Information (Refers to the right to confirm whether the user's personal information is being processed, and if so, to access such personal information.)

   b. Right to Request Correction of Personal Information (Refers to the right to request the correction of inaccurate personal information concerning the user.)

   c. Right to Request Deletion of Personal Information (Refers to the right to request the deletion of the user's personal information under certain circumstances.)

   d. Right to Request Restriction of Processing of Personal Information (Refers to the right to request restriction of the processing of the user's personal information under certain circumstances.)

   e. Right to Object to the Processing of Personal Information (Refers to the right to object to the processing of the user's personal information based on "1. Types and Purposes of Personal Information Handling" and "(2) (c) through (e)" above.)

   f. Right to Data Portability (Refers to the right to receive the user's personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.)

   g. Right Not to Be Subject to Discrimination for Exercising the Above Rights

2. Notwithstanding the provisions of the preceding paragraph, the exercise of the rights set forth therein may be restricted if such exercise would infringe upon the rights of the Company or any third party, or if the Company is required to comply with legal obligations under applicable laws and regulations.

3. Users may, in accordance with applicable laws and regulations, have the right to lodge a complaint with the data protection supervisory authority of their place of residence.

7. Handling of Children's Personal Information

The Company does not knowingly collect or otherwise handle the personal information of children (meaning users who are 13 years of age or older and under 16 years of age; the same shall apply hereinafter) without the consent of a parent or legal guardian. Children must obtain the consent of a parent or legal guardian before providing their personal information. In the event that the Company has collected a child's personal information without obtaining such consent, the Company will promptly take appropriate measures. Please note that, as described in "1. Types and Purposes of Personal Information Handling" and "(2)(a) Based on the User's Consent" above, parents or legal guardians are deemed to have consented to the possibility that the personal information of their child may be entrusted to third parties for processing.

8. Contact for Inquiries

For all inquiries regarding the handling of personal information, please contact the following:

Name: Sustainable Pavilion 2025, Inc.
Address: Room 16 Partnerham House, 3-8 Koyama, Shinagawa-ku, Tokyo
Email: info@sp-2025.com
Responsible Person: Security Officer

Revised on: March 31, 2025
Enacted on: January 31, 2025