Privacy Policy
Last Updated: June 25, 2026
Provider: Sanka Inc. (株式会社サンカ), Tokyo, Japan ("Sanka," "we," "us," or "our")
Privacy contact: hey@sanka.com
This Privacy Policy explains how Sanka collects, uses, discloses, retains, and protects personal data in connection with Sanka's websites, cloud services, web applications, APIs, Model Context Protocol (MCP) interfaces, AI features, integrations, sales, marketing, and support activities (collectively, the "Services").
Sanka is primarily a business-to-business service. This Policy is a notice, not a contract for every data-processing scenario. Where Sanka processes personal data contained in customer-controlled records, files, prompts, integration data, or other content ("Customer Data") on behalf of a customer, the customer is generally responsible for determining the purposes and means of processing, and Sanka processes that data under the applicable agreement, Data Processing Addendum or Data Processing Agreement ("DPA"), and the customer's instructions. A DPA is an addendum or agreement that covers personal data processing, subprocessors, international transfers, and security measures. Where an applicable Service Level Agreement ("SLA") covers availability, support response, or incident handling, the SLA governs those service-level commitments.
Please also review the Sanka Terms of Service. If a separate order form, DPA, SLA, or other written agreement applies to your organization, that document may include additional privacy or data-protection terms.
1. Information We Collect
We collect personal data and other information in the following categories, depending on how you use the Services:
- Account and profile information: name, business email address, company or organization, workspace, role, language, authentication information, permissions, settings, and identifiers assigned by Sanka.
- Customer Data: records, messages, files, forms, contacts, companies, deals, orders, estimates, invoices, subscriptions, payments, inventory, tasks, tickets, custom objects, prompts, AI inputs and outputs, workflow settings, approval history, audit logs, and other data that customers or authorized users create, import, connect, upload, or generate through the Services.
- Integration data: data from services that a customer or authorized user connects to Sanka, such as Google Workspace, Gmail, Google Calendar, Google Drive, Google Analytics, Google Search Console, Google Business Profile, HubSpot, Salesforce, Shopify, Slack, Stripe, freee, Money Forward, Xero, QuickBooks, and similar business systems. The exact data depends on the integration, OAuth scope, API key, account settings, and user instructions.
- Billing and payment information: plan, billing contact, billing address, tax identifiers where provided, invoices, receipts, payment status, Stripe customer or subscription identifiers, limited payment method metadata such as card brand and last four digits where available, and related payment, refund, or dispute records. Sanka generally does not receive or store full payment card numbers or card security codes.
- Usage, device, and log data: IP address, device and browser information, operating system, pages or screens viewed, referral URLs, timestamps, feature usage, API usage, performance data, error logs, security logs, audit records, and diagnostic events.
- Website, cookie, and analytics data: data collected through cookies, local storage, pixels, and similar technologies on Sanka websites and pages, including Google Tag Manager, Google Analytics, and PostHog where enabled.
- Communications and support data: emails, chat messages, support tickets, meeting notes, feedback, survey responses, attachments, and metadata relating to communications with Sanka.
- Sales, marketing, and event data: contact information, marketing preferences, campaign interactions, product interests, webinar or event participation, and publicly available business information.
The Services are not designed for customers to submit full payment-card credentials, account passwords, government-issued identifiers, social-security or national-identification numbers, or medical and health information unless Sanka expressly supports the relevant feature or agrees otherwise in writing.
2. How We Use Information
We use information for the following purposes:
- to provide, operate, maintain, secure, and improve the Services;
- to create and manage accounts, workspaces, roles, permissions, subscriptions, billing, and payments;
- to authenticate users, prevent unauthorized access, detect abuse, troubleshoot issues, and maintain audit records;
- to process Customer Data and integration data according to customer settings, user instructions, and applicable agreements;
- to provide AI features, automation, summaries, classification, extraction, recommendations, workflow execution, and other user-facing functions;
- to provide support, professional services, onboarding, training, and customer success activities;
- to analyze website and product usage, understand performance, improve usability, and develop new features;
- to send service notices, security alerts, billing notices, administrative messages, and product updates;
- to conduct sales and marketing, subject to applicable law and your communication preferences;
- to comply with legal obligations, enforce agreements, protect rights, and respond to lawful requests.
We do not use Customer Data to target advertising or sell Customer Data to third parties.
3. Customer Data and AI Features
Customer Data remains controlled by the customer or the applicable rights holder. Sanka processes Customer Data as needed to provide, maintain, secure, support, and improve the Services, comply with customer instructions and agreements, and meet legal obligations.
AI inputs and AI outputs are treated as Customer Data. Without the customer's express permission, Sanka will not use, or permit third-party AI model providers to use, Customer Data to train, fine-tune, or improve general-purpose foundation models. This does not prevent transient processing needed to provide AI features, security and abuse monitoring, legal compliance, or the use of aggregated or de-identified information that cannot reasonably identify a customer or individual.
Some AI features may use third-party AI model or infrastructure providers. The provider, region, retention period, and monitoring practices may vary by feature, customer configuration, enterprise order form, or bring-your-own-key arrangement. If a customer connects its own AI provider account or API key, that provider's terms and privacy practices apply to the customer's use of that provider.
4. Google Workspace and Google API Data
Sanka may request access to Google data only when a customer or authorized user enables a Google-connected feature. Depending on the feature, Sanka may access Google account email or profile information, Gmail messages and metadata, Google Calendar calendars and events, Google Drive files and metadata, Google Analytics properties and reports, Google Search Console data, Google Business Profile data, Google Workspace directory data, and other Google API data that the user authorizes.
Sanka uses Google API data to provide the user-facing feature requested by the customer or authorized user, such as syncing schedules, creating or updating calendar events, processing shared inbox or Gmail workflows, importing or exporting Drive files, preparing reports, reading analytics, or connecting business records. Sanka stores only the Google data reasonably needed to provide and secure those features, honor customer settings, maintain auditability, and comply with legal obligations.
Sanka's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Sanka does not sell Google user data, use it for advertising, use it to determine creditworthiness or similar eligibility, or use it to train or improve generalized AI or machine-learning models except where expressly permitted by Google's policies for the specific user-facing feature.
Human access to Google user data is restricted to limited circumstances, such as documented user consent for support, security or abuse investigation, legal compliance, or internal operations using aggregated or anonymized data where permitted. Customers and users can manage or disconnect Google integrations through Sanka settings, Google account controls, or by contacting hey@sanka.com.
5. Cookies, Analytics, and External Transmission
Sanka websites and applications may use cookies, local storage, pixels, and similar technologies to keep users signed in, remember settings, measure usage, understand how visitors find and use our pages, protect the Services, and improve performance. Current website analytics and tracking tools may include Google Tag Manager, Google Analytics, and PostHog.
These tools may receive information such as IP address, device and browser information, page URL, referrer, timestamp, event name, and interaction data. You can control cookies through your browser settings and, where provided, in-product or website controls. Blocking cookies may affect some Service functionality.
6. Payment Processing and Stripe
Sanka uses Stripe for payment processing, subscription billing, checkout, payment links, hosted invoices, Connect onboarding, and related payment workflows where enabled. Payment-card details are submitted to Stripe through Stripe-controlled payment interfaces. Sanka generally receives limited billing and payment metadata, such as customer IDs, subscription IDs, invoice IDs, payment status, card brand, last four digits, and related transaction information.
Stripe's processing is governed by Stripe's own terms and privacy notices. Customers should not enter full payment-card numbers or card security codes into Sanka free-text fields, files, prompts, or support messages.
7. How We Share Information
We may share information with the following categories of recipients:
- Service providers and subprocessors that support hosting, cloud infrastructure, storage, databases, content delivery, monitoring, logging, security, authentication, email, support, analytics, payments, AI processing, search, crawling, and other Service operations;
- Third-party integrations that customers or authorized users connect to Sanka, according to the relevant settings and instructions;
- Customer administrators and authorized users within the relevant workspace or organization;
- Professional advisers such as lawyers, accountants, auditors, insurers, and consultants;
- Authorities, courts, regulators, or law enforcement where disclosure is required by law, legal process, security necessity, or protection of rights;
- Business transaction participants in connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality and legal safeguards.
When Sanka engages subprocessors to process personal data in Customer Data, we use contractual and organizational measures appropriate to the relevant processing and applicable law. Customers may request Sanka's Subprocessor List or DPA by contacting hey@sanka.com.
8. International Transfers
Sanka is based in Japan. We and our service providers may process and store information in Japan, the United States, the European Economic Area, the United Kingdom, and other countries where we or our providers operate. These countries may have privacy and data-protection laws different from those in your jurisdiction.
Where required, Sanka uses appropriate transfer mechanisms and safeguards, such as data-processing terms, standard contractual clauses, the UK Addendum or IDTA, adequacy mechanisms, service-provider or contractor terms, and other measures required by applicable law.
9. Retention and Deletion
We retain personal data for as long as reasonably necessary for the purposes described in this Policy, to provide the Services, maintain business and financial records, comply with legal obligations, resolve disputes, enforce agreements, protect the Services, and meet audit or security requirements.
Customer Data retention, export, deletion, or de-identification after termination follows the Services' functionality, in-product notices, applicable order form, DPA, or Sanka's then-current data-retention and deletion policy. After termination, Sanka deletes or de-identifies Customer Data from active production systems within a reasonable period unless retention is required by law or legitimate business needs. Backups, logs, audit records, billing records, security records, and data in third-party services may be retained or deleted according to normal backup rotation, legal, security, audit, tax, and provider requirements.
Disconnecting an integration does not automatically delete data that was already imported into Sanka or data that remains in the third-party service. Customers should also review the connected provider's settings and retention tools.
10. Your Rights and Choices
Depending on your location and the nature of the data, you may have rights to request access, correction, deletion, restriction, suspension of use, objection, portability, withdrawal of consent, or information about disclosure to third parties. You may also have rights under Japan's Act on the Protection of Personal Information, the GDPR or UK GDPR, United States state privacy laws, or other applicable privacy laws.
To exercise rights for information that Sanka controls, contact hey@sanka.com. We may need to verify your identity and authority. If your request concerns Customer Data controlled by a Sanka customer, we may direct you to that customer or handle the request according to the customer's instructions and applicable law.
You can unsubscribe from marketing emails by using the unsubscribe link or contacting us. You will still receive service, security, billing, and administrative messages where necessary.
11. Security
Sanka maintains administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. Measures may include access controls, authentication, encryption in transit and at rest where appropriate, logging, monitoring, backups, vulnerability management, employee confidentiality obligations, vendor review, and incident response processes.
No online service can guarantee perfect security. Customers are responsible for managing their own users, credentials, devices, networks, permissions, connected services, export files, and downstream systems.
12. Children
The Services are intended for business and professional use and are not directed to children. We do not knowingly collect personal data from children through the Services.
13. Legal Requests and Safety
Sanka may disclose information when required by law, court order, subpoena, regulator request, or other valid legal process, or when we believe disclosure is necessary to protect the rights, safety, or security of Sanka, customers, users, or others. Where legally permitted and reasonably practicable, we will notify the relevant customer before or after disclosure and limit disclosure to the information reasonably required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by a reasonable method, such as posting the updated Policy, updating the "Last Updated" date, sending email, or providing in-product notice. The updated Policy applies from the effective date stated or, if no separate effective date is stated, from publication.
15. Contact
For privacy, security, DPA, Subprocessor List, or data-protection questions, contact:
- Sanka Inc. (株式会社サンカ), Tokyo, Japan
- Email:
hey@sanka.com - Terms of Service:
https://sanka.com/terms/ - Japanese Privacy Policy:
https://sanka.com/ja/privacy/