Privacy Policy – KOTODAMA LAB

PRIVACY POLICY

Kotodama Lab Sdn Bhd

www.kotodama.tokyo

Last Updated: October 2025

1. INTRODUCTION

Kotodama Lab Sdn Bhd (“We,” “Us,” “Our,” “Company”) is committed to protecting your privacy and ensuring you have a positive experience on our website and during your participation in the “Mimpi Kita: Castle In The Air” crowdfunding campaign (“Campaign”).

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in compliance with the Personal Data Protection Act 2010 (PDPA) and other applicable Malaysian privacy laws.

Please read this Privacy Policy carefully. If you do not agree with our practices, please do not use our Platform or participate in the Campaign.

2. DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data, including collection, use, storage, transfer, or deletion
Data Controller: Kotodama Lab Sdn Bhd (the entity responsible for determining how and why personal data is processed)
Data Subject: You, the pledger or website visitor whose personal data is collected
Third-Party Service Provider: External vendors who process data on our behalf (payment processors, email services, etc.)

3. PERSONAL DATA WE COLLECT

3.1 Directly Provided by You

When you pledge to the Campaign or interact with our Platform, we collect:

Essential Pledge Information:

Full name
Email address
WhatsApp mobile number
Physical address (for ticket redemption coordination)
Payment information (processed securely through third-party payment gateways)
Pledge tier selected (RM 2, RM 5, or RM 10)
Pledge timestamp and transaction ID

Optional Community Contributions:

Family photographs from the 1960s or personal memorabilia
Family stories, memories, and written narratives
Names and details of family members featured in contributions
Usage rights and permissions for production design purposes

Communication:

Any messages sent to us via email or through the Platform
Feedback, inquiries, or support requests

3.2 Automatically Collected Information

When you visit www.kotodama.tokyo, we may automatically collect:

IP address
Browser type and version
Operating system
Pages visited and time spent on each page
Referrer source (how you found our website)
Device information
Approximate geographic location (country/city level)

Cookies & Tracking Technologies: We may use cookies and similar technologies to remember your preferences, improve your experience, and analyze website usage. You can control cookie settings through your browser preferences.

3.3 Information from Third Parties

Payment processors provide transaction confirmation and payment status
WhatsApp Business API provides message delivery status
Anti-Gravity Euphoria Sdn Bhd may provide additional context for verification purposes

4. PURPOSES OF DATA COLLECTION & PROCESSING

We process your personal data only for the following lawful purposes:

4.1 Campaign Administration

Processing and recording your Pledge
Verifying Pledge legitimacy and fraud prevention
Assigning Pledge tier and Reward entitlements
Generating Special Thanks credits

4.2 Reward Fulfillment

Delivering OST download links (RM 10 tier)
Contacting you via WhatsApp regarding film ticket availability and redemption
Sending Special Thanks credit confirmations
Coordinating delivery of Project updates and Rewards

4.3 Communications

Sending Campaign updates and Project milestones
Notifying you of Reward delivery and redemption details
Responding to your inquiries or support requests
Sending promotional materials about the Project (with your consent)

4.4 Legal & Compliance

Fulfilling legal obligations under Malaysian tax and financial regulations
Preventing fraud, abuse, or unlawful activity
Enforcing our Terms & Conditions
Protecting our legal rights and interests

4.5 Production Design & Marketing

Using your submitted community contributions (photos, stories) for the film’s production design
Featuring contributor stories on our social media platforms
Creating behind-the-scenes marketing content
Providing attribution and credits in the film and promotional materials

4.6 Website Analytics & Improvement

Analyzing Platform usage patterns to improve user experience
Measuring Campaign effectiveness
Identifying technical issues and optimizing website performance

Important: We will not process your personal data for purposes other than those listed above without obtaining your explicit consent.

5. LEGAL BASIS FOR PROCESSING

Under the PDPA, we process your personal data based on the following legal grounds:

Contract Performance: Processing necessary to fulfill your Pledge and deliver Rewards
Legal Obligation: Complying with Malaysian tax, financial, and regulatory requirements
Consent: You have provided explicit consent for specific uses (e.g., marketing communications, community contributions)
Legitimate Interest: We have a legitimate business interest in fraud prevention, website security, and service improvement

6. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes outlined in Section 4:

Data Type	Retention Period
Pledge & Payment Information	7 years (per Malaysian tax/financial regulations)
Contact Information	Duration of Campaign + 2 years (for support/dispute resolution)
WhatsApp Communications	2 years after final Reward delivery
Community Contributions (Photos/Stories)	Indefinite (unless deletion requested) – used for production and archival purposes
Website Analytics Data	12 months
IP Addresses & Browsing Data	3 months

After the retention period expires, we will securely delete or anonymize your personal data, except where we are legally required to retain it.

7. DATA SHARING & DISCLOSURE

7.1 Internal Sharing

Your personal data may be accessed by authorized Kotodama Lab Sdn Bhd staff members who need access to fulfill their roles (e.g., Campaign coordination, Reward fulfillment, customer support).

7.2 Sharing with Anti-Gravity Euphoria Sdn Bhd

We share limited personal data with Anti-Gravity Euphoria Sdn Bhd (the film’s IP rights holder) solely for:

Generating Special Thanks credits
Validating community contributions for production design
Including contributor attributions in the film and promotional materials

Anti-Gravity Euphoria Sdn Bhd must adhere to equivalent data protection standards.

7.3 Third-Party Service Providers

We engage trusted third-party vendors to assist us in operating our Platform and delivering Services. These may include:

Payment Processors: Process pledge payments securely (e.g., credit card, online banking)
Email Service Providers: Send Campaign updates and communications
WhatsApp Business API Provider: Deliver ticket redemption messages and updates
Website Hosting Providers: Host and maintain www.kotodama.tokyo
Analytics Services: Analyze website usage and performance

All third-party service providers are contractually bound to:

Process data only as instructed by us
Maintain equivalent data protection standards
Not disclose your data to unrelated parties
Delete or return data upon termination of services

7.4 Legal Disclosure

We may disclose your personal data if required by law, court order, or governmental authority, or if we reasonably believe disclosure is necessary to:

Enforce our Terms & Conditions
Protect our legal rights or the rights of others
Prevent or investigate fraud or illegal activity
Protect the safety and security of our Platform and users

7.5 No Sale of Personal Data

We do not sell, rent, lease, or trade your personal data to third parties for marketing purposes. Any sharing is strictly limited to the purposes outlined in this Policy.

8. DATA SECURITY

8.1 Security Measures

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption: Payment information and sensitive data are encrypted using SSL/TLS protocols
Access Controls: Data access is restricted to authorized personnel only
Secure Storage: Data is stored on secure servers with firewalls and intrusion detection
Regular Audits: We conduct periodic security reviews and vulnerability assessments
Data Minimization: We collect only the minimum personal data necessary

8.2 Limitations

While we strive to protect your data, no security system is absolutely impenetrable. We cannot guarantee absolute security. You acknowledge that transmission of data over the internet carries inherent risks.

8.3 Breach Notification

In the event of a data breach affecting your personal data, we will notify affected individuals and relevant authorities as required by the PDPA without unreasonable delay.

9. YOUR RIGHTS AS A DATA SUBJECT

Under the PDPA, you have the following rights:

9.1 Right of Access

You have the right to request and obtain a copy of your personal data held by us. We will provide this information within 30 days of your written request.

9.2 Right of Correction

If your personal data is inaccurate, incomplete, or misleading, you may request correction or amendment. We will make corrections within 30 days or notify you if correction is not possible.

9.3 Right of Deletion

You may request deletion of your personal data in the following circumstances:

Your data is no longer necessary for the original purpose
You withdraw consent
Your data has been processed unlawfully
We have a legal obligation to delete

Exception: We may retain certain data (pledge records, payment information) where required by law or to fulfill our contractual obligations to you.

9.4 Right to Restrict Processing

You may request that we restrict processing of your personal data in certain circumstances, such as when disputing its accuracy.

9.5 Right to Withdraw Consent

If you have provided consent for specific processing activities (e.g., marketing communications, use of community contributions), you may withdraw consent at any time. This will not affect the lawfulness of processing prior to withdrawal.

9.6 Right to Lodge a Complaint

You have the right to lodge a complaint with the Personal Data Protection Commissioner (PDPC) if you believe we have violated your data protection rights.

Personal Data Protection Commissioner Contact:

Website: www.pdpc.gov.my
Email: enquiry@pdpc.gov.my
Toll-free: 1-800-80-6622

10. EXERCISING YOUR RIGHTS

To exercise any of the rights outlined in Section 9, please submit a written request to:

Email: hello@kotodama.tokyo

Your Request Should Include:

Your full name and Pledge ID (if applicable)
Specific right you wish to exercise
Detailed description of your request
Proof of identity (copy of ID or passport)
Preferred method of response

We will acknowledge receipt of your request within 7 days and respond substantively within 30 days, or notify you if additional time is needed.

11. CHILDREN’S PRIVACY

Our Platform and Campaign are not directed to children under 18 years old. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18 without parental consent, we will delete such data immediately.

If you are a parent or guardian and believe we have collected data from your child, please contact us immediately at hello@kotodama.tokyo.

12. INTERNATIONAL DATA TRANSFERS

Personal data collected through our Platform is processed and stored primarily in Malaysia. However, some data may be transferred to or accessed by our third-party service providers located outside Malaysia.

By using our Platform, you consent to such transfers. We ensure that any international transfers are conducted in accordance with the PDPA and equivalent data protection standards.

13. COOKIES & TRACKING TECHNOLOGIES

13.1 What Are Cookies?

Cookies are small text files stored on your device that remember your preferences and interactions with our website.

13.2 Types of Cookies We Use

Cookie Type	Purpose
Essential/Functional	Required for Platform functionality (login, pledge processing)
Analytical	Track user behavior and website performance (Google Analytics)
Preference	Remember your choices and settings
Marketing	Display relevant content and measure Campaign effectiveness

13.3 Cookie Management

Most browsers allow you to control cookies through settings. You can:

Accept or reject cookies
Delete existing cookies
Set preferences for specific websites

Note: Disabling essential cookies may impair Platform functionality.

13.4 Third-Party Cookies

We may use third-party analytics services (e.g., Google Analytics) that place cookies on your device. These services have their own privacy policies. We recommend reviewing their policies for details.

14. THIRD-PARTY LINKS & EXTERNAL WEBSITES

Our Platform may contain links to external websites operated by third parties. This Privacy Policy applies only to www.kotodama.tokyo. We are not responsible for the privacy practices of external websites.

We recommend reviewing the privacy policies of any third-party websites before providing your personal data.

15. MARKETING COMMUNICATIONS & OPT-OUT

15.1 Opt-In Communications

We may send you marketing communications about the Project, including:

Campaign updates and milestones
Project production news
Promotional offers related to the film

These communications will only be sent if you have provided explicit consent.

15.2 Opting Out

You may opt out of marketing communications at any time by:

Clicking the “Unsubscribe” link in any marketing email
Sending a request to hello@kotodama.tokyo
Replying “STOP” to WhatsApp marketing messages

Opting out will not affect transactional communications (e.g., Reward delivery notifications, ticket redemption details).

16. DATA PROTECTION OFFICER & CONTACT

For questions, concerns, or to exercise your data protection rights, please contact:

Kotodama Lab Sdn Bhd Email: hello@kotodama.tokyo Website: www.kotodama.tokyo

We aim to respond to all inquiries within 7 business days.

17. AMENDMENTS & UPDATES

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

17.1 Notification of Changes

We will notify you of material changes by:

Posting the updated Privacy Policy on our website
Updating the “Last Updated” date at the top of this document
Sending you a notification email (for material changes)

17.2 Continued Use

Your continued use of our Platform following notification of changes constitutes acceptance of the updated Privacy Policy.

18. COMPLIANCE WITH MALAYSIAN LAW

This Privacy Policy is designed to comply with:

Personal Data Protection Act 2010 (PDPA)
Personal Data Protection (General) Regulations 2010
Malaysian Consumer Protection Act 1999
Any other applicable Malaysian data protection and privacy laws

In the event of a conflict between this Privacy Policy and mandatory Malaysian law, the applicable Malaysian law will prevail.

19. ENTIRE AGREEMENT

This Privacy Policy, together with our Terms & Conditions, constitutes the entire agreement regarding your privacy and the collection and use of your personal data. It supersedes all prior agreements and understandings.

20. GOVERNING LAW & JURISDICTION

This Privacy Policy is governed by the laws of Malaysia. Any disputes arising from this Privacy Policy shall be resolved in the Malaysian courts.

By accessing www.kotodama.tokyo and pledging to the Campaign, you acknowledge that you have read and understood this Privacy Policy.

If you do not agree with our privacy practices, please do not use our Platform or participate in the Campaign.

Last Updated: October 2025

For the most current version of this Privacy Policy, visit www.kotodama.tokyo