Nomicho Privacy Policy
Operator: Chris Hashimoto (橋本クリス), sole proprietor (個人事業主)
Trade name: Nomicho (飲み帳)
Address: Disclosed without delay upon request (contact support@nomicho.jp)
Contact: support@nomicho.jp
Effective date: 2026-06-11
Last updated: 2026-06-11
Version: 1.0
1. Introduction
Nomicho (“the App”) is a personal journal application that helps you record, reflect on, and predict the impact of your own drinking. This policy describes what personal information Chris Hashimoto (“we”) collects when providing the App, how it is used, where it is stored, when it is shared, and what rights you have over it.
The App is a tool for self-recording and self-reflection. It is not a medical device and does not provide medical advice, diagnosis, or treatment; it does not measure, diagnose, or monitor intoxication or any medical condition (see Terms of Service §4.2 / §4.3).
This policy is written to comply with Japan’s Act on the Protection of Personal Information (APPI / 個人情報保護法).
2. Information we collect
What we collect depends on how you use the App.
2.1 Information stored on your device (required)
Required for core functionality. Stored in a local database (SQLite) on your device. Nothing in this section leaves the device unless you explicitly enable cloud sync.
- Date of birth — used to age-adjust BAC (blood alcohol concentration) estimates. Collected when you set up your BAC profile (not at first launch).
- Body weight and sex — used as coefficients in BAC estimation. The “sex” field asks which physiological response pattern best matches you, not your registered legal sex.
- Height, alcohol-flush tendency, and drinking frequency — further coefficients for the BAC estimate, collected with your BAC profile.
- Drink logs — drink type, volume, ABV, time logged, session metadata, optional notes and feeling tags.
Not special-care-required personal information. The drink logs, BAC-profile inputs (including alcohol-flush tendency), and the other data above are self-recorded lifestyle information — not medical history, diagnoses, or other special-care-required personal information (要配慮個人情報) as defined in APPI Article 2(3). The opt-in consent regime for such information (Article 20(2)) therefore does not apply, and none of this data is sent to any AI provider.
2.2 Account information (collected when you sign in)
Signing in is optional — the App is fully usable without an account. You sign in only to attach your data to an account, which is what makes cross-device sync possible (sync itself is a further, separate opt-in; see Settings → Sync). Signing in creates an account record on our authentication service even if you do not turn on sync.
We support three sign-in providers. What we receive and store depends on which you use:
- Sign in with Apple — Apple’s stable user identifier and the email address Apple returns. If you choose “Hide My Email,” that address is an @privaterelay.appleid.com relay address; we store it as received and do not (and cannot) resolve it to your underlying address. Your display name is provided by Apple on the first sign-in only.
- Sign in with Google — Google’s stable user identifier, your verified Google email address, and your display name.
- Sign in with LINE — an opaque user identifier specific to the App and, if you have allowed it, your LINE display name. We do not request your email address from LINE, so no LINE email address is stored. We also do not store any LINE access token: the sign-in confirms your identity only and makes no further calls to LINE.
Storage form. Sign-in accounts are managed by our authentication provider (Supabase Auth). Email addresses are stored in plain text — not hashed — because they are required for the sign-in flow itself; Apple relay addresses are likewise stored as received. A copy on your device mirrors the same fields (the provider, the provider’s user identifier, display name, and an email address where one was provided) so the Account screen works offline.
One account, multiple sign-in methods. From Settings → Account you can connect more than one provider (for example Apple and LINE) to a single Nomicho account; the connected methods then share one account and one set of data. If you install the App on a new device, sign in there with each provider you have connected so that all of your data is recognized.
- Synced data — if you enable sync, whichever of the §2.1 data you have chosen to sync.
2.3 Information sent unless you opt out
The following are enabled by default. You can opt out individually from Settings.
- Crash reports (Sentry) — technical logs sent when the App crashes (OS version, stack trace, anonymous device ID). Drink data is not sent.
- Anonymous product analytics (PostHog) — anonymized event logs (screen transitions, button taps). No drink content or personally identifying information is sent.
2.4 Identifiers and device information
While the §2.3 services (Sentry, PostHog) are enabled — they are on by default — each service issues a device-scoped pseudonymous identifier. These identifiers do not directly identify you, and under the post-2022 amendment to APPI they constitute “person-related information” (個人関連情報).
- These identifiers are used solely to associate crash reports or analytics events with a single device for reliability and product-improvement purposes.
- Sentry and PostHog do not receive your account identifier (§2.2) or drink logs from the App, so server-side combination of these data sets does not occur.
- You can rotate to a new identifier by opting out of the service in Settings and reinstalling the App.
This App does not use cookies. The Sentry and PostHog SDKs store the above identifiers in device-local storage.
2.5 What we do not collect
The App does not access:
- Contacts, address book, or SMS content.
- Microphone recordings.
- Photos — the camera is used only to scan barcodes (JAN / EAN); no photo is captured or stored.
- Location or GPS data — the last-train alert, when available, uses a station you choose, not your device location.
- Any server-side data when sync is disabled.
2.6 Feedback you submit (optional)
When you send feedback from Settings → Feedback, we receive the message you write and, if you choose to provide them, an optional category and an optional contact email. We also receive your App version, language setting, and a device-scoped identifier. Because submitting feedback is an explicit action you initiate, this information is sent even when cloud sync is turned off. We use it only to respond to you (when you provide a contact email) and to improve the App.
3. Purpose of use
We use collected information only for the following purposes:
- Core App functionality — storing drink logs, estimating BAC, generating reflection cards, calendar display.
- AI features — generating your evening reflection cards from session data (§5).
- Cloud sync (optional) — multi-device sync only when you explicitly enable it.
- Reliability and improvement — bug fixes and product improvements based on crash reports and anonymous analytics.
- Feedback — responding to feedback you submit and improving the App based on it.
- Legal compliance — responding to legally compelled requests from authorities.
We do not use collected information for any other purpose. We do not share or sell your information for advertising, third-party marketing, or repurposing into other services.
4. Where information is stored
4.1 Local storage (default)
By default, all drink records and body information are stored only on your device. They are not accessible to us or to any external party.
When you sign out, your local data stays on this device. If you later want to remove that data from a device you no longer use, sign back in and delete your account, or uninstall the app. Your cloud-synced data (if sync is on) is unaffected by signing out — it remains available by signing back in on the same or another device, and can be removed at any time by signing in and deleting your account.
- Account data inactive on this device for 60 days: if you sign into an account and then don’t open the app while signed into that account for 60 days, local data for that account is removed from this device. Data synced to the cloud is unaffected and re-pulls on next sign-in; local-only data (anything queued but not yet synced) cannot be recovered. Anonymous (signed-out) local data is exempt — it stays on the device until you uninstall.
4.2 Cloud storage (only when sync is enabled)
If you enable sync, the relevant data is stored in:
- Supabase Postgres (Tokyo region / ap-northeast-1 / Pro plan) — drink records, body information, session metadata. Row-Level Security (RLS) ensures each user can access only their own data.
Supabase is a service operated by Supabase, Inc. (USA), but the App’s data is physically stored in the Tokyo region. Access from the U.S. office is governed by the Supabase Data Processing Agreement (DPA).
5. Sharing with third parties
5.1 Service providers (entrustment / 委託)
We entrust the following service providers with operational tasks, supervising each under APPI Article 25.
| Provider | Purpose | Data sent | Retention |
|---|---|---|---|
| Anthropic, PBC (USA) | Reflection-card text generation | Aggregate session metrics only (drink count, total pure-alcohol grams, category counts, peak feeling, duration, optional hangover-severity estimate) — no photos, no free-text notes, no profile/body data | Under a Zero Data Retention (ZDR) agreement with Anthropic, the inputs and outputs of these API calls are not retained by Anthropic after the request is processed. |
| Supabase, Inc. (USA HQ; data in Tokyo) | Cloud storage for synced data | The §2.2 synced data | While account is active (deleted on account deletion) |
| Sentry (USA) | Crash reports | OS info, stack trace, anonymous ID | 30 days |
| PostHog (EU) | Anonymous product analytics | Event logs | 1 year |
Sentry and PostHog are each on by default; you can opt out of either individually from Settings.
Calls to Anthropic are routed through a Supabase Edge Function proxy that we operate. The App never communicates with Anthropic’s API directly from the device. The proxy enforces rate limits, daily spending caps, and device attestation (App Attest on iOS).
5.2 Disclosure to third parties
We do not disclose your personal information to any third party without your consent, except:
- When required by law (e.g., a valid court order or law-enforcement request).
- When necessary to protect the life, body, or property of any person, and obtaining your consent is difficult.
We do not provide your data to advertisers, data brokers, or any third party for marketing purposes.
5.3 Provision to third parties located outside Japan (cross-border transfer)
As noted in §5.1, some service providers are located outside Japan. The United States is not on the list of countries the Japanese Personal Information Protection Commission (PPC) considers to maintain a personal-information-protection regime equivalent to Japan’s; transfers to U.S.-located providers are therefore subject to the disclosure requirements of APPI Article 28 (post-2022 amendment), which we satisfy below. The European Union is on the list (under the EU-Japan mutual adequacy decision), so additional Article 28 disclosures are not required for EU-located providers; for completeness, EU providers are still listed in the safeguards table.
Summary of the data-protection regime in the destination country (United States)
The U.S. has no comprehensive federal privacy law of general application. Privacy is regulated through a mix of state laws (e.g. California’s CCPA / CPRA) and sector-specific federal laws (HIPAA, GLBA, COPPA). The Federal Trade Commission (FTC) enforces privacy practices under its unfair-or-deceptive-acts authority. U.S. authorities may, under statutes such as the CLOUD Act, compel U.S.-incorporated providers to produce data they hold.
Safeguards in place per provider
| Provider | Destination country | Safeguards in place |
|---|---|---|
| Anthropic, PBC | United States | Data Processing Agreement (DPA) and a Zero Data Retention (ZDR) agreement — Anthropic does not retain the inputs or outputs of API calls after processing. |
| Supabase, Inc. | USA (HQ) / Japan (data storage) | Data Processing Agreement (DPA). Although data is physically stored in the Tokyo region, the contracting entity is U.S.-incorporated (Supabase, Inc.), so this constitutes provision to a foreign third party under APPI Article 28. Access from the U.S. HQ is limited to the scope set out in the DPA. Logical isolation via Row-Level Security. |
| Sentry | United States | Data Processing Agreement (DPA). On by default; you can opt out from Settings at any time. |
| PostHog | EU | Contracted with PostHog B.V. (Netherlands), located in a country designated by the PPC as providing protection equivalent to Japan’s. Data Processing Agreement (DPA). On by default; you can opt out from Settings at any time. |
If you would like more detailed information on the safeguards applied at any of the above providers, please contact us at the address in §10. We will provide such information upon the data subject’s request.
6. Your rights
You have the following rights:
- Export your data — Settings → Export Data downloads the data you contributed (drink logs, sessions, feeling check-ins, custom presets, BAC profile, acceptance records) as JSON. Available from initial release.
- Edit or delete individual records — drink logs and notes can be edited or deleted individually within the App.
- Delete your account — Settings → Delete Account. Data on the device is deleted immediately. Cloud data may persist briefly in backups and replicas; full deletion (including these) completes within 30 days at the latest. Account identifiers held by your sign-in provider (Apple, Google, or LINE) are managed under that provider’s own policies.
- Opt out — crash reports (Sentry) and anonymous analytics (PostHog) can each be disabled individually from Settings at any time.
- APPI rights — under APPI you may request notification of the purpose of use (Article 32), disclosure (Article 33), correction / addition / deletion (Article 34), and cessation of use, erasure, or cessation of third-party provision on any of the grounds set out in Article 35 (including unauthorized acquisition, purpose-creep, improper use, no-longer-needed, leakage risk, or rights-infringement). Contact us at the address in §10.
How to make a rights request and identity verification — Send rights requests under §6 to the §10 contact address (support@nomicho.jp). For identity verification, please write from your registered email address, or include an account identifier or other information sufficient to locate the data in question. Requests are free of charge. We respond by email (or in writing or by phone if requested) within a reasonable period (typically within two weeks).
7. Breach response
If a leak, loss, or damage of your personal information occurs that meets the reportable-incident criteria defined by the rules of the Personal Information Protection Commission, we will:
- Notify the Personal Information Protection Commission — a preliminary report promptly (typically within 3–5 days) and a full report within 30 days (or within 60 days for incidents involving unauthorized access). An exception to this obligation may apply where the affected data is protected by strong encryption or similar high-level measures such that no material risk remains, and the decryption key has not been compromised.
- Notify affected users — by in-App notification or email (where available) as soon as the scope is identified.
8. Safeguards
- Local-first design — most data never leaves your device.
- Encryption — synced data is encrypted in transit to Supabase and at rest.
- Row-Level Security (RLS) — each user can access only their own data, enforced server-side.
- Indirect AI API access — the client never holds an Anthropic API key; all AI calls go through the Supabase Edge Function proxy.
- Caps and device attestation — rate limiting, daily per-device usage caps, and App Attest (iOS) device attestation.
- API key rotation — keys are rotated on a regular schedule.
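As an added illustration of the server-side ownership check that §4.2 and §8 describe (example only; this policy does not publish the App’s actual schema or code), the following is the shape of a Postgres Row-Level Security setup on Supabase. The table name `drink_logs` and its columns are assumed placeholders; `auth.uid()` is Supabase’s helper that returns the signed-in user’s id.

```sql
-- Assumed table name and columns (placeholders; not Nomicho's real schema).
create table if not exists drink_logs (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,  -- account deletion removes the rows
  logged_at   timestamptz not null,
  drink_type  text not null,
  volume_ml   numeric not null,
  abv_percent numeric not null,
  note        text
);

-- Weak setting: policies are ignored while RLS is off, so a table reachable
-- through the public API would return every user's rows to any signed-in user.
-- Corrected setting: enable RLS, and force it so even the table owner is bound.
alter table drink_logs enable row level security;
alter table drink_logs force row level security;

-- Owner-only access: auth.uid() is the id of the user making the request;
-- rows whose user_id differs are invisible and cannot be written.
create policy "owner can read own logs" on drink_logs
  for select to authenticated using (user_id = auth.uid());
create policy "owner can insert own logs" on drink_logs
  for insert to authenticated with check (user_id = auth.uid());
create policy "owner can update own logs" on drink_logs
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy "owner can delete own logs" on drink_logs
  for delete to authenticated using (user_id = auth.uid());

-- Deliberately no policy for the anon role: a request without a signed-in
-- session sees no rows, matching "no server-side data when sync is disabled".
```

To check the result, `select relrowsecurity, relforcerowsecurity from pg_class where relname = 'drink_logs';` should return true for both columns, and `select policyname, cmd from pg_policies where tablename = 'drink_logs';` should list the four policies above.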
9. Users under 20
The App is for users aged 20 or older (the legal drinking age in Japan). Acceptance of the Terms on first launch includes your affirmation that you are 20 or older; users under 20 must not use the App.
10. Contact
For questions about this policy or about how we handle your personal information:
- Email: support@nomicho.jp
- Operator: Chris Hashimoto (橋本クリス), sole proprietor
We will respond within a reasonable period (typically within two weeks).
We are not a member of any certified personal information protection organization (認定個人情報保護団体).
11. Changes to this policy
This policy may be revised in response to changes in law, new App features, or changes in operations. For material changes, we will provide at least 30 days’ advance notice via in-App notification or, where an email address is available, by email. The revision history is in §12.
12. Revision history
| Version | Date | Summary |
|---|---|---|
| 1.0-draft | 2026-04-29 | Week 0 draft. JP-native review scheduled for Week 8. |
| 1.1-draft | 2026-05-28 | Clarified §4.1 — local data stays on device after sign-out; remove via account deletion or uninstall. |
| 1.2-draft | 2026-05-28 | Added §4.1 bullet — 60-day dormant account data auto-removal (NOM-232). |
| 1.3-draft | 2026-05-29 | Finalized §2.2 post-auth — per-provider fields (Apple/Google/LINE), storage form, LINE stores no email/token, multiple sign-in methods per account; trigger broadened from sync to sign-in (NOM-30). |
| 1.4-draft | 2026-06-04 | Documented the in-app feedback channel — §2.6 collection and §3 purpose (NOM-259). |
| 1.5-draft | 2026-06-11 | Reconciled with implementation (NOM-41): removed the §2.1 Location-collection claim (no location is collected — the last-train alert uses a station you choose, not GPS) and added the affirmative no-location statement in §2.5; narrowed §6 export to user-contributed data; dropped the forward Android / Play Integrity references in §5.1 and §8 (iOS-only v1); replaced the operator-address placeholder with the 特商法 / APPI disclose-on-request form (provided without delay on request, pending the Week-8 legal pass). |
| 1.6-draft | 2026-06-11 | Legal-review pass: removed the photo→AI-vision claims (drink-ID / menu-OCR are not in v1) from §2.1 / §3 / §5.1 and stated photos are not sent to any AI provider; specified the actual recap payload (aggregate metrics only) in §5.1; added the omitted BAC-profile fields (height, alcohol-flush tendency, drinking frequency) to §2.1; added the affirmative 要配慮個人情報 (法2(3)) determination; aligned §1’s non-medical statement with Terms §4.2 / §4.3. |
| 1.7-draft | 2026-06-11 | Legal-review pass (cont.): v1 has no photo capture or storage — removed the §2.1 Photos bullet and the §4.2 Supabase Storage line (no Supabase Storage is used; sync strips photo_url), trimmed the photo mentions in §2.3 / §4.1, and added the affirmative no-photo statement to §2.5 (the camera scans barcodes only). Updated §5.1 / §5.3 to reflect the executed Anthropic Zero Data Retention (ZDR) agreement. |
| 1.8-draft | 2026-06-11 | JP-language pass on privacy.ja (BAC vocabulary, 要配慮 wording, 十分性認定国 term); no substantive change to this EN policy. |
| 1.0 | 2026-06-11 | Finalized for the v1 public launch (de-drafted). Earlier 1.x-draft entries are pre-release drafting history. |