PRIVACY POLICY

1． Basic policy

Privacy statement

REALITY Studios, Inc. (hereinafter referred to as the “Company”) recognises the importance of personal data and considers the thorough protection of such information to be a social responsibility. We promise to comply with the Act on the Protection of Personal Data and other relevant laws, regulations, and guidelines, and to properly handle in accordance with this PRIVACY POLICY (hereinafter referred to as this “policy”) regarding the personal data collected from the customers who use the Company’s services (hereinafter referred to as “our services”) and the personal data obtained from our business partners, employees, and others (hereinafter referred to as “business partners”) for the purpose of our business operations (hereinafter referred to as “our business operations”).

Subject

This policy applies to all of our services and our business operations. Please also note that the personal data we collect for each of our services and the purposes for which it is used may be specifically set out in the individual privacy policies (hereinafter referred to as the “individual policy”) for each of our services.

2． Handling of personal data in our business operations

Acquisition of personal data in our business operations

In the conduct of our business, conducting transactions with business partners, organizing events, receiving enquiries, and responding to public relations or personnel procedures, etc., we may obtain personal information relating to contact details such as name, email address, address, telephone number and other necessary information. In such cases, the Company will acquire such personal data by lawful and fair means, including acquisition by disclosure from Group companies.

Purpose of use in our business operation

We shall use the personal data that we acquire only within the scope of the purposes of business management, internal management, execution and management of transactions with the Company, research and analysis of the Company’s business activities, business improvement, guidance on the

Company’s business, services and events, response to enquiries, execution of administrative contact and communication, execution of PR correspondence, and procedures on personnel matters, etc., and we will not use such personal data for any other purposes except with the consent of the customer or business partner or as permitted by law.

3． Handling of personal data in our services

Acquisition of personal data and its categories in our services

In the operation of our services, we will acquire the following personal data necessary for the provision of our services, etc., by legal and fair means, after clarifying the purposes of use in this policy, individual policies, or other relevant documents.

(1) Information registered by the customer

· Name, date of birth/age, gender

· Email address, telephone number, address, and other contact information

(2) Information automatically acquired through our services

· Login history, browsing history, purchase history, and other information related to the customer’s actions on REALITY Studios official shop (hereinafter referred to as the “Official Shop”)

· Advertising ID of the device used by the customer when using the Official Shop

Purpose of use in our services

We will use personal data acquired in connection with the Official Shop or other our services for the following purposes, and will not handle any personal data beyond the scope necessary to achieve those purposes except with your consent or as permitted by law.

· To ship products, prizes, or gifts

· To create your account on our services, and to protect, verify, and authenticate the account

· To notify you of maintenance, updates, changes to the terms of use, and other information related to the use of our services

· To inform you of campaigns, sweepstakes, and other events related to our services

· To respond to your requests for materials, inquiries, consultations, complaints, and after-sales services

· to take measures for the purpose of providing our services to customers safely, such as identifying and notifying individuals who violate the terms of use, and investigating,

detecting, and preventing fraudulent acts using our services, unauthorized access, and other illegal acts

· To plan and improve our services

· To analyze the information acquired and develop new products, content, and services tailored to customers’ interests and preferences (including providing such information to third parties for such purposes)

· For other purposes necessary to operate and provide our services

4． Security control measures for personal data

Formulation of basic policy

A basic policy has been formulated to ensure the proper handling of personal data as an organization (refer to e.g. ‘1. Basic policy’).

Discipline on the handling of personal data

Handling regulations have been established for the methods of handling personal data at each stage of acquisition, use, storage, provision, deletion and disposal, as well as for the responsible person/persons in charge and their duties.

Organizational security control measures

The Group Personal Data Protection Manager is appointed as the person responsible for the management of personal data and clearly defines the responsibilities and authority of employees in relation to the safe management of personal data.

Employees (including temporary staff) are supervised and a system is in place for reporting to the responsible person in the event of a breach of the law or handling rules or signs of such a breach.

Internal regulations and manuals on safety management have been established, and employees are required to comply with them, while appropriate audits are carried out to ensure compliance.

Personnel security management measures

We provide our employees (regardless of their employment status) with education and training at the time of joining the company and on a regular basis regarding the safe management of personal data. We also obtain written pledges regarding confidentiality, including personal data.

Physical security control measures

Access control is implemented in areas where personal data is handled.

Measures are also taken to prevent theft, loss or prying eyes from equipment, electronic media and documents that handle personal data.

In addition, when electronic media containing personal data are disposed of, processing is carried out to ensure that the data is completely erased.

Technical security control measures

In information systems that handle personal data, access management is implemented, such as limiting access authorisation holders, immediately deactivating the accounts of employees who have transferred or left the company, as well as monitoring access status.

In addition, measures such as the installation of firewalls have been implemented to prevent unauthorized access from outside.

Understanding the external environment

If the Company handles personal data in a foreign country, it will take the necessary and appropriate measures for the safe management of the personal data, having been made aware of the systems for the protection of personal data in that foreign country.

5． Disclosure

Disclosure to third parties

The Company may provide personal data necessary for identity verification, billing address verification, and credit checks to third parties that process payments in accordance with the payment method selected by customers in connection with the Official Shop or other our services.

In addition, the Company may provide personal data to third parties in the following circumstances:

· where we outsource work to third parties to the extent necessary to achieve the purpose of use;

· in the event that the Company carries out a merger, company split, business transfer, or disposal of all or part of its business, assets, or shares (including in connection with bankruptcy or similar proceedings); · to introduce business partners to our group companies; or

· in other cases where the data subject is asked to consent to the provision of the information and the data subject complies with the request.

However, information that has been statistically processed so that individuals cannot be identified may be used for purposes other than those mentioned above.

Disclosure at the request of government agencies, local authorities, public authorities, etc.

The Company may disclose personal data to public authorities in the following cases;

· in accordance with laws and regulations (including laws and regulations outside the country of residence of the data subject);

· where disclosure is necessary for the protection of the life, body or property of a person and it is difficult to obtain the consent of the data subject;

· where it is particularly necessary for the improvement of public health or the promotion of the sound development of children and it is difficult to obtain the consent of the data subject; or

· where it is necessary to cooperate with a national body, a local authority, or a person or entity entrusted by one of those bodies or authorities to carry out affairs prescribed by law and regulations, and where obtaining the consent of the data subject may impede the carrying out of such affairs.

Provision to third parties located outside Japan

Except as excluded by the Act on the Protection of Personal Information, when providing personal data to a third party located in a foreign country, we will provide the following information in advance:

· name of the foreign country;

· information on the system for protecting personal data in the foreign country; and

· information on measures taken by the third party to protect personal data.

Joint use

We may jointly use your personal data within the scope of the purposes of use.

[The scope of the joint users]

GREE Holdings, Inc. and its group companies

The names and other information related to major group companies are posted on the website.

Entrust

The Company may outsource the handling of personal data to external organizations or other parties.

When selecting organizations, etc., the information security management system of the contractor is checked before the contract is concluded.

Even after the contract has been concluded, the information security management system of the contractor is regularly checked.

Cookies, information collection modules

Cookies are a mechanism whereby a website stores a small file inside the user’s browser. For example, when a user visits the same website again, the stored cookie identifies a unique ID that identifies the browser and enables processing such as changing the display of web pages and advertisements for each browser.

You can refuse collection by disabling cookies in your browser settings, but this may limit the functions available on the website.

The following information collection modules are used on our corporate website to collect traffic data and analyze browsing history, etc. using cookies for the purpose of providing functions included on the corporate website, displaying advertisements and analyzing usage.

For information on data handling in the information collection module, see the websites of the respective providers.

Google Inc.「Google Analytics」
 https://policies.google.com/privacy?hl=jp (To analyze access to our corporate website) Google Analytics Opt-out Add-on: https://tools.google.com/dlpage/gaoptout/?hl=ja

6． Contact for personal data

Request for disclosure, correction, addition, deletion, discontinuance of use, etc.

If we receive a request from a customer or their representative for disclosure, correction, deletion, or discontinuance of use of the personal data of the customer, we will respond promptly to the extent possible in accordance with applicable laws and regulations. For such requests, please contact the “REALITY Studios Customer Information Disclosure and Inquiry Desk” below. However, please note that if we make a correction or deletion of, or discontinue the use of any personal information necessary for providing our services, you may no longer be able to use all or part of our services.

Enquiries

Please contact “REALITY Studios Customer Information Disclosure and Inquiry Desk” below for enquiries, consultations, and complaints about the handling of personal data in our services.

REALITY Studios Customer Information Disclosure and Inquiry Desk

realitystudios@gree.net

Enacted: January 19, 2023

Revised: August 1, 2025