Global Privacy Policy

This Global Privacy Policy (this “Global Privacy Policy”) describes the processing of personal data by Mercari, Inc. (“we,” “us,” or “our”) in the provision of our platform service (the “Service”). We comply with data protection laws and regulations applicable to such processing of personal data (the “Applicable Laws”).

This Global Privacy Policy shall apply to the processing of personal data collected from users of the Service (“you” or the “Users”) residing in countries other than Japan. For the Users residing in Japan, a separate Privacy Policy shall be applied and referred to.

This Global Privacy Policy also describes your data protection rights, including the right to object to some of the processing of personal data which we carry out in accordance with the Applicable Laws. More information about your rights, and how to exercise them, is set out in Section "7. Your Rights" below.

Additional Information for U.S. Residents (including California)

If you are a resident of certain U.S. states, including California, you may have additional privacy rights under applicable U.S. state laws.

Please refer to the addendum titled "U.S. State Privacy Notice" below for important information about the categories of personal information we collect, how we use and disclose it, your privacy rights, and how to exercise them.

1. Type, Purpose, and Legal Basis for Collecting Personal Data

When we provide the Service, we collect your personal data directly or indirectly from you.

For the purpose of the Applicable Laws in which the concepts of “Controller” and “Processor” are defined, Mercari, Inc. (at Roppongi Hills Mori Tower, 6-10-1 Roppongi, Minato-ku, Tokyo) is the “Controller” of your personal data as above.

We have set out below a description of all the ways we plan to process the various categories of your personal data. We also describe the legal basis under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), etc. for each processing of personal data as a reference. Please note that the legal basis may vary depending on the jurisdiction, and if the legal basis specified in the table below does not apply in your jurisdiction, we will process your personal data based on an alternative legal basis permitted under the Applicable Laws, such as obtaining your consent to this Global Privacy Policy or obtaining your separate consent.

Purpose/Use:
  1. To provide the Service (as defined in the applicable Terms of Service).
  2. To communicate or provide information on various matters concerning the Service.
  3. To perform internal operations.
  4. To respond to inquiries about the Service.
Type of Data:
  1. Basic information of the Users (including name, date of birth, address, country/region of residence, occupation, and gender. The same shall apply hereafter).
  2. Account information of the Users (including email addresses, passwords, user IDs, telephone numbers, delivery names, delivery addresses, and nicknames. The same shall apply hereafter).
  3. Information obtained from the Proxy that is essential to the provision of the Service (including your purchase status, settlement status, shipping status, user IDs, and other information you provided to the Proxy. The same shall apply hereafter).
  4. Information concerning identity verification (including the information stated and image printed on your identification cards or documents. The same shall apply hereafter).
  5. Information regarding use of the Service (including the contents of the Service you have used, the dates and frequency of use, your online activities when using the Service, and details of your correspondence with our customer support department, etc. The same shall apply hereafter).
  6. Information obtained from the Users' terminals (including information on Cookies, information related to usage status such as access logs, etc., information on devices used, OS information, and information related to your communications such as IP addresses, browser information, browser language, etc. The same shall apply hereafter).
  7. Information we collect indirectly through business partners and third parties (including information such as identifiers (including Cookies, AdID/IDFA identifiers, and IP addresses), phone numbers, email addresses, browsing history and information such as interests and preferences acquired from third parties, such as public data management platform operators, affiliate service providers, data analysis business operators, fraudulent use detection service providers, advertising business operators, and other service providers. The same shall apply hereafter).
Legal Basis for Processing:
  1. Performance of a contract with you.
  2. Necessary for our legitimate interests (to provide the appropriate Service).

Purpose/Use:
  1. To exclude antisocial forces and sanctioned persons.
  2. To identify children.
  3. To authenticate and confirm the identity of the Users.
Type of Data:
  1. Basic information of the Users.
  2. Account information of the Users.
  3. Information concerning identity verification.
Legal Basis for Processing:
  1. Compliance with a legal obligation.
  2. Necessary for our legitimate interests (to comply with a legal obligation).

Purpose/Use:
  1. To customise the contents of the Service to your needs.
  2. To analyse and investigate the use of the Service for improvement and development of the Service and marketing strategy.
  3. To develop the Service and other services of Mercari Group.
Type of Data:
  1. Basic information of the Users.
  2. Account information of the Users.
  3. Information obtained from the Proxy that is essential to the provision of the Service.
  4. Information regarding use of the Service.
  5. Information obtained from the Users' terminals.
  6. Information we collect indirectly through business partners and third parties.
Legal Basis for Processing:
  1. Necessary for our legitimate interests (to provide the appropriate Service).

Purpose/Use:
  1. To provide appropriate advertisements about the Service and other services (including services provided by third parties).
  2. To contact you regarding campaigns and surveys.
  3. To link the information obtained from third parties to your personal information already held by us, and match and analyse the information.
Type of Data:
  1. Basic information of the Users.
  2. Account information of the Users.
  3. Information obtained from the Proxy that is essential to the provision of the Service.
  4. Information regarding use of the Service.
  5. Information obtained from the Users' terminals.
  6. Information we collect indirectly through business partners and third parties.
Legal Basis for Processing:
  1. Your consent.

Purpose/Use:
  1. To resolve problems relating to the operation of the Service.
  2. To prevent unauthorised use and to ensure safety of the Service.
Type of Data:
  1. Basic information of the Users.
  2. Account information of the Users.
  3. Information obtained from the Proxy that is essential to the provision of the Service.
  4. Information concerning identity verification.
  5. Information regarding use of the Service.
  6. Information obtained from the Users' terminals.
  7. Information we collect indirectly through business partners and third parties.
Legal Basis for Processing:
  1. Compliance with a legal obligation.
  2. Necessary for our legitimate interests (to provide the appropriate Service, to comply with a legal obligation, and to establish, exercise or defend against claims).

Personal data that you are required to provide for provision of the Service is indicated in the form to be completed by you. You are under no obligation to provide such personal data, but if such personal data is not provided, we may be unable to offer the Service.

2. Processing Security Measures

We make efforts to keep your personal data in accurate and up-to-date condition, and take the necessary and appropriate security control measures in order to protect your personal data against unauthorised access, tampering, leakage, loss, and damage.

3. Provision to Third Parties

We may provide your personal data to the following persons and entities in order to achieve the purposes of processing the personal data:

  1. tenso, inc. (the Proxy);
  2. Mercari, Inc. (US), Merpay, Inc., Mercoin, Inc., and our other affiliated companies;
  3. Stripe for payment, analytics, and other business services (Stripe collects transaction and personal identifying information, which it analyzes and uses to operate and improve the services it provides to us, including for fraud detection. You can learn more about Stripe and read its privacy policy here);
  4. Entities that provide us with infrastructure to provide the Service (not limited to the case of providing your personal data to online services, translation tools, and other infrastructure providers necessary to provide the Service, but also including the case of providing your personal data to delivery companies, settlement agents, subcontractors, and other third parties (for the purpose of product delivery, payment settlement, response to inquiries, after-sales service, and other purposes));
  5. Entities to which we outsource the provision of advertisements or surveys related to the Service or other services;
  6. Counterparties of substantial business transactions, such as a sale or transfer of company assets, merger, or consolidation; and
  7. Third parties to which we disclose your personal data in order to comply with the Applicable Laws; handle legal processes and litigation; respond to requests from public authorities; address national security, law enforcement, and other issues of public concern; protect our rights, or the rights of the Users of the Service, or other third parties; seek available remedies; enforce our Terms of Service; investigate fraud; protect our business or the Users' business, etc.

When we provide your personal data to third parties, we put appropriate measures in place in accordance with the Applicable Laws.

4. Advertising Partners

We may share limited information such as email addresses, device identifiers, cookies, or usage data with advertising and analytics partners, including Google and Meta. This enables us to show you personalised offers and measure the effectiveness of our marketing campaigns (for example, through tools such as Google Ads, Meta Custom Audiences, or similar services). These partners process the information on our behalf or as independent controllers, depending on the circumstances. We will only engage in this type of data sharing where permitted by law and, where required, after obtaining your consent. You can withdraw or manage your consent at any time through the settings available in your browser or device.

5. International Transfer

We may transfer your personal data to countries other than your country, including Japan or the United States, which may have a lower level of data protection than your country. When providing personal data to third parties outside your country, we take the necessary measures, such as obtaining consent and concluding data transfer agreements, etc., in accordance with the Applicable Laws.

In the event that the GDPR applies to the processing of your personal data, we will protect your personal data based on an adequacy decision regarding the transfer of your personal data to Japan and other countries where an adequacy decision has been given or by entering into Standard Contractual Clauses (Article 46(2) of the GDPR) regarding the transfer of your personal data outside the European Economic Area. If you would like to review the Standard Contractual Clauses, please contact us as set out in Section "10. Contact Us" below.

6. Retention Period

We retain your personal data until the purpose of processing thereof has been achieved. When such purpose of processing has been achieved or if the Service is discontinued, we shall delete the relevant personal data without delay. However, we will retain your personal data beyond such period in cases where we are required to do so by the Applicable Laws.

7. Your Rights

In some countries, you have certain rights as a data subject under the Applicable Laws. To the fullest extent permitted by the Applicable Laws, you may have the following rights:

  1. The right to make an inquiry of and to review your personal data;
  2. The right to access (and receive copies of) your personal data;
  3. The right to correct your inaccurate or incomplete personal data;
  4. The right to delete your personal data;
  5. The right to restrict the processing of your personal data;
  6. The right to object to our processing of your personal data on the basis of our legitimate interest;
  7. The right to withdraw your consent; *Please note that the legality of the processing of your personal data based on consent granted before such withdrawal of consent is not affected by such withdrawal of consent.
  8. The right to refuse direct marketing or to refuse profiling done for that purpose if your personal data is being processed for direct marketing purposes; and
  9. The right to data portability.

If you or your agent wishes to exercise your rights in accordance with the Applicable Laws, please contact us as set out in Section "10. Contact Us" below.

In addition, you may have the right to lodge a complaint with the relevant supervisory authority under the Applicable Laws.

8. Processing of Children's (Minors') Personal Data

We do not knowingly collect or process personal data of children without the consent of a parent or guardian. Depending on your country/region of residence, the threshold age for children may differ. If you are a parent or guardian and are concerned that your child has provided us with personal data without your consent, you should contact us as set out in Section "10. Contact Us" below.

If we discover that we have collected personal data of children without the consent of the parent or guardian, we will immediately take appropriate action.

9. Cookies

We use cookies and other similar mechanisms (collectively, “Cookies”) to collect certain data about you while you are browsing websites in order to distinguish you as a User for the duration of your visit and when you return to our websites. For more information on how we handle Cookies, please see our Cookie Policy.

10. Contact Us

If you would like to exercise your rights under the Applicable Laws; if you have comments, questions, or concerns; or if you would like to submit a complaint regarding the collection and use of your personal data, please contact us below.

Mercari, Inc.

Attn: Privacy Officer

global_support@mercari.jp

Please note that the email address provided above is solely for inquiries related to personal data. We cannot respond to other types of inquiries there.

For inquiries not related to personal data, please visit our Help Center.

11. Changes

We will review our processing of personal data as appropriate and may revise this Global Privacy Policy. If we make any revisions, we will inform you by displaying them on our website, by other appropriate means, or by notifying you directly.


Addendum

U.S. State Privacy Notice

This Addendum supplements this Global Privacy Policy and applies solely to residents of certain U.S. states, including California. It is intended to provide the disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), as well as other applicable U.S. state privacy laws (collectively, "Applicable U.S. State Privacy Laws").


A. Notice at Collection - Categories of Personal Information Collected, Disclosed, and Shared

In the preceding twelve (12) months, we have collected and disclosed for a business purpose, and "shared" for cross-context behavioral advertising (as defined under the CCPA) the following categories of personal information:


Category: Identifiers
  Examples: Name, email address, telephone number, account identifiers (including user IDs and nicknames), IP address
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: Advertising networks, social media platforms, and analytics providers

Category: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
  Examples: Name, address, date of birth, telephone number, payment-related details
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: No

Category: Commercial Information
  Examples: Purchase history, transaction data
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: No

Category: Internet / Network Activity
  Examples: Online activities, browsing history, access logs, information on devices and OS, and Cookie information
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: Advertising networks, social media platforms, analytics providers

Category: Geolocation Data
  Examples: Approximate location derived from IP address
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: Fraud detection service providers

Category: Audio / Visual Information
  Examples: Correspondence with customer support and images on identification documents
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: No

Category: Inferences
  Examples: Interests and preferences acquired from third parties
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: Advertising networks, social media platforms, and analytics providers

Category: Sensitive Personal Information
  Examples: Government-issued identifiers (such as passport, driver's license, or state identification card numbers) and account login credentials
  Disclosed for a Business Purpose: Service providers (including infrastructure providers, delivery companies, settlement agents, and subcontractors), affiliated companies, and professional advisors
  Shared for Cross-Context Behavioral Advertising: No

B. Sale and Sharing of Personal Information

We do not "sell" personal information for monetary consideration; however, we "share" personal information for cross-context behavioral advertising as set forth in the table in Section A above (as defined under the CCPA).

You have the right to opt out of such "sharing" of your personal information through the following methods:

  1. Visiting our Do Not Sell or Share My Personal Information page;
  2. Adjusting your preferences through the Privacy Preferences; or
  3. Enabling a Global Privacy Control (GPC) signal in your browser.

Our website recognizes and honors GPC signals enabled in your browser. If we detect a GPC signal, we will treat it as a valid request to opt out of the sharing of your personal information for advertising purposes, to the extent required by the Applicable U.S. State Privacy Laws.

We do not have actual knowledge that we "sell" or "share" the personal information of consumers under sixteen (16) years of age.


C. Your Privacy Rights

Under Applicable U.S. State Privacy Laws, you may have the following rights:

  1. Right to Request to Know and Access: To request that we disclose (i) the categories of personal information we have collected, (ii) the categories of sources from which the information was collected, (iii) the business or commercial purpose for collecting, selling, or sharing the information, (iv) the categories of third parties to whom we disclose the information, and (v) the specific pieces of personal information we have collected about you;
  2. Right to Request Deletion: To request that we delete personal information we have collected from you, subject to certain exceptions;
  3. Right to Request Correction: To request that we correct inaccurate personal information that we maintain about you;
  4. Right to Opt-out of Sale or Sharing: To direct us not to "sell" or "share" your personal information;
  5. Right to Request to Limit Use of Sensitive Personal Information: To request that we limit the use and disclosure of your sensitive personal information to those purposes necessary to provide our services and as otherwise authorized under the Applicable U.S. State Privacy Laws; however, we do not use or disclose sensitive personal information for purposes other than those specified under the CCPA;
  6. Right to Non-Discrimination: To exercise your privacy rights without receiving discriminatory treatment, such as a denial of services or different pricing; and
  7. Additional Rights: Any other rights granted to you under the Applicable U.S. State Privacy Laws.

To exercise your rights, you may:

  1. For Opt-Out Rights: Please follow the instructions provided in Section B of this Addendum.
  2. For Other Rights (Access, Deletion, Correction, etc.): You may submit a verifiable consumer request to us by:
    Submitting a request via email: global_support@mercari.jp.

Upon receiving a request for these other rights, we will verify your identity to ensure it is a verifiable consumer request. We will generally verify your identity by matching the information you provide in your request with the information we maintain in our systems (such as your email address or account details). You may also designate an authorized agent to act on your behalf; in such cases, we may require written proof of the agent's authority and direct verification of your identity.

If we decline to take action on your request, you may have the right to appeal our decision, to the extent such appeal rights are provided under the Applicable U.S. State Privacy Laws, by contacting us at global_support@mercari.jp. We will respond to your appeal within the timeframe required by the Applicable U.S. State Privacy Laws. If your appeal is denied, you may also have the right to submit a complaint to your state Attorney General or other appropriate regulatory authority in accordance with the Applicable U.S. State Privacy Laws.


Global Privacy Policy, Last Updated and Effective: May 20, 2026