Privacy Policy

The authoritative Privacy Policy for Mekutte is the Japanese version. The English below is for reference; the Japanese text controls in case of any discrepancy.

Mekutte (the “Service”) sets out this Privacy Policy (the “Policy”) regarding the handling of personal information of users and audience participants of the Service.

1. Information collected

The Service may collect the following information.

• Account information: name (display name), email address, profile image, and unique user identifier (UID) provided when authenticating with a Google account; or the email address and password hash entered when registering with email and password (the password itself is securely stored by Firebase Authentication; the Service does not retain it in plaintext).
• Deck information: deck content, titles, creation and update timestamps, publication state, publish settings (reactions / comments / polls / timer), audience cap, etc., for decks the user creates, saves, or publishes through the Service.
• Image information: image files uploaded by the user for inclusion in slides. Stored in Firebase Storage. Once uploaded, the image file’s URL becomes readable by anyone who knows the URL, without authentication, regardless of whether the containing deck has been published, has been unpublished, or remains a draft. Please handle the URL with care when uploading images of people or other third parties.
• Audience participation data: emoji reactions, comments, and poll votes submitted by audience members on published decks, along with submission timestamps. These are linked to an anonymous client identifier (a random UUID) stored in the audience’s browser local storage. The Service itself does not require audience members to register a name or email address, but the comment feature lets the audience optionally enter a display name (up to 30 characters) along with their comment text (up to 100 characters). Both the display name and the comment body are stored in Firestore and shown to other viewers; they may therefore contain names, affiliations, contact details, or other personally identifying information depending on what the audience member chooses to enter. The Service treats such information as voluntarily submitted by the audience member.
• Payment information: for users on a paid plan, Stripe, Inc. (“Stripe”) processes payment. The Service stores Stripe-provided identifiers such as customer ID, subscription state, billing cycle, and price ID. Credit card numbers and cardholder information are processed directly by Stripe and are not held by the Service.
• Access logs: information automatically recorded on the server side (Firebase App Hosting), such as access timestamps, IP addresses, user agents, and referrers.

2. Purpose of use

The collected information is used for the following purposes.

• Providing and operating the Service, and authenticating users.
• Tallying and displaying audience participation (reactions, comments, polls) in real time.
• Billing and processing payment for paid plans.
• Responding to inquiries and sending notifications.
• Improving the Service, developing new features, and analyzing usage.
• Detecting and preventing abuse, and responding to violations of the Terms of Service.
• Other purposes incidental to the above.

3. Disclosure to third parties and processing outsourcing

The Service does not provide personal information to third parties except where required by law or with the user’s consent. However, to the extent necessary to deliver the Service, the Service entrusts the handling of personal data to the following providers and stores data on their cloud platforms. The Service supervises these processors as required by Japan’s Act on the Protection of Personal Information (APPI).

• Google LLC (location: United States) — as the provider of authentication (Firebase Authentication), database (Cloud Firestore), image storage (Firebase Storage), and hosting (Firebase App Hosting) infrastructure. The Service primarily uses data centers in the Asia region (Tokyo, Taiwan, etc.) for Firebase, but personnel and systems of Google LLC located in the United States and other countries may access personal data for operations, maintenance, and incident response.
• Stripe, Inc. (location: United States) — as the payment processor, handling customer identifiers, subscription state, and other payment-related personal data on its systems in the United States and elsewhere.

4. Provision of personal data to third parties in foreign countries

Google LLC and Stripe, Inc. above are companies based in the United States. Through these processors, personal data may be transferred to servers or affiliated entities located in the United States or other foreign countries. In accordance with Article 28 of Japan’s APPI, the Service provides information to users via this Policy.

For details on the data protection regimes in each country and on the safeguards each processor implements (contractual safeguards equivalent to standard contractual clauses, technical and organisational measures, independent certifications, etc.), please refer to the providers’ privacy resources.

• Google Privacy Policy
• Google Cloud / Firebase Data Processing Addendum
• Stripe Privacy Policy
• Stripe Data Processing Agreement

5. Published content

Decks the user chooses to publish on the Service, and the images contained in them, become viewable by anyone who knows the assigned URL, without authentication. Information included in published content is effectively disclosed to an indefinite number of people. To stop publication, the user should unpublish or delete the corresponding deck. Reactions, comments, and votes submitted by the audience are also visible to viewers of the published deck.

6. Cookies and similar technologies

The Service uses cookies and local storage to maintain login state, save guest-editor drafts, and anonymously identify audience participants. Users can disable these in their browser settings, but some features may not work in that case.

In addition, the Service uses the analytics tool “Google Analytics 4 / Firebase Analytics” provided by Google LLC to understand usage and improve the Service. Google Analytics uses cookies and similar identifiers to collect anonymous statistical information such as visited pages, navigation paths, approximate region, device and OS type, and referrer URL. It does not collect information that directly identifies a specific individual, such as names or contact details. The collected data is aggregated and retained on Google LLC’s servers, and the Service references only the aggregated statistics. To opt out of Google Analytics, users may disable cookies in their browser settings, or install Google’s Google Analytics opt-out browser add-on. For how Google collects and processes information, please refer to Google’s policies and terms.

7. Safeguards

The Service takes appropriate and necessary measures to prevent leakage, loss, or damage of personal information. Specifically, access control via Firestore security rules and enforced HTTPS are in place. For non-public user data such as draft decks, unpublished decks, and payment-related information, permission separation ensures that only the authenticated owner can access it. Published decks, audience participation data (reactions, comments, and poll results), and uploaded image files are, by the nature of the Service, readable by anyone who knows the relevant URL. Users and audience members should exercise their own judgement about what information to include in these publicly accessible records. The Service does not guarantee the absolute security of internet communication or server storage.

8. Retention period

Personal information is retained for the period necessary to achieve the purposes above or for the period required by law. To request account deletion, please use the contact form below. Upon account deletion, decks, uploaded images, and the association with payment information will be deleted or anonymized.

9. User rights

Users may request disclosure, correction, addition, deletion, or suspension of use of their personal information. The operator will respond to such requests within a reasonable scope after verifying the user’s identity.

10. Changes to this Policy

This Policy may be changed in response to legal changes, additions to the types of information handled, or other circumstances. When the Policy is changed, the Service will notify users of the changes and the effective date by posting on the Service or by other appropriate means. As a rule, a reasonable period will be provided between notice and the effective date. However, minor changes, correction of clerical errors, and changes that do not disadvantage users may take effect on the date of posting.

11. Personal information handler and contact

• Personal information handler: Umi Ebisujima
• Address: Yamato Bldg. 405, 1-6-16 Kanda-Izumicho, Chiyoda-ku, Tokyo 101-0024, Japan
• Contact: Contact form