1. TOP
  2. GDPR Compliance Policy

GDPR Compliance Policy

GDPR COMPLIANCE

GDPR Compliance Policy

Established: June 22, 2026

BRIDGE MULTILINGUAL SOLUTIONS, Inc.
Kenichi Yoshikawa, CEO

BRIDGE MULTILINGUAL SOLUTIONS, Inc. (the “Company,” “we,” “us,” or “our”) recognizes the protection of personal information and personal data handled in connection with our interpretation, translation, multilingual contact center, foreign resident support, and other services as an important responsibility.

We comply with the Act on the Protection of Personal Information of Japan and other applicable laws and regulations. Where the EU General Data Protection Regulation (“GDPR”) applies, we manage personal data appropriately in light of the GDPR.

This Privacy Policy explains how we collect or handle personal information and personal data, including personal data relating to individuals located in the EU/EEA.

1. Business Operator Information

Business Operator: BRIDGE MULTILINGUAL SOLUTIONS, Inc.
Address: 4-3-17 Shinjuku, Shinjuku-ku, Tokyo, Japan
Representative: Kenichi Yoshikawa, CEO
Contact for inquiries regarding personal information protection: privacy@bridge-ms.com

Under the GDPR, when the Company determines the purposes and means of processing personal data by itself, the Company handles such personal data as a “controller.” When the Company processes personal data as an entrusted service provider based on instructions from customer companies or other parties in connection with interpretation, translation, contact center, or other services, the Company may handle such personal data as a “processor.”

2. Personal Information and Personal Data We Collect

The Company may collect or handle the following information to the extent necessary for its business activities and service provision.

  • Name, company name, department name, and job title
  • Address, telephone number, email address, and other contact information
  • Inquiry details, consultation details, and request details
  • Audio data, call records, conversation content, documents, images, and attachments provided in connection with interpretation, translation, and contact center services
  • Identity verification documents, contract-related information, and billing/payment-related information
  • Resumes, work histories, qualifications, backgrounds, and selection information relating to job applicants
  • Website browsing history, cookies, IP addresses, device information, and access logs
  • Other information necessary for service provision, contract performance, legal compliance, or inquiry handling

Due to the nature of the Company’s services, information provided by users or customers in connection with interpretation, translation, consultation support, contact center services, and similar operations may include health information, nationality, race, religion, political opinions, criminal history, or other special categories of personal data under the GDPR. The Company does not intend to actively collect such information and handles it only to the extent necessary for business operations and under appropriate security control measures.

3. Purposes of Use of Personal Information and Personal Data

The Company uses the personal information and personal data it collects for the following purposes.

  • Provision of interpretation, translation, multilingual contact center, foreign resident support, and other Company services
  • Responding to inquiries, consultations, and requests from customers, business partners, and users
  • Execution, performance, billing, payment, communication, and management of contracts
  • Confirmation, improvement, training, and record management for service quality
  • System operation, security management, and prevention of unauthorized use
  • Compliance with laws, regulations, and orders from administrative agencies or courts
  • Recruitment screening, communication with applicants, and onboarding procedures
  • Provision of information regarding services, seminars, information materials, and similar matters
  • Creation of statistical materials, service improvement, and development of new services
  • Other purposes indicated at the time of collection or purposes related to the above

4. Legal Bases under the GDPR

Where the GDPR applies, the Company handles personal data based on one of the following legal bases.

  • Where the data subject has given consent
  • Where processing is necessary for the performance of a contract with the data subject or to take steps prior to entering into a contract
  • Where processing is necessary for compliance with a legal obligation to which the Company is subject
  • Where processing is necessary to protect the vital interests of the data subject or a third party
  • Where processing is necessary for the legitimate interests pursued by the Company or a third party and does not unduly infringe the rights and interests of the data subject
  • With respect to special categories of personal data, where explicit consent has been obtained, where processing is necessary for the establishment, exercise, or defense of legal claims, where processing is necessary for reasons of substantial public interest, or where another exception permitted under the GDPR applies

Where the Company handles personal data as a processor for customer companies or other parties, the Company will, in principle, handle the personal data in accordance with the documented instructions of such customer companies or other parties.

5. Provision of Personal Information and Personal Data to Third Parties

The Company will not provide personal information or personal data to third parties without the consent of the data subject, except in the following cases.

  • Where required by law
  • Where the data subject has given consent
  • Where provision to a service provider is necessary to the extent required for service provision, contract performance, or inquiry handling
  • Where necessary to protect the life, body, or property of an individual
  • Where the Company receives a lawful request from a public authority, court, supervisory authority, or other competent authority
  • Where provision is made to a successor to the extent necessary in connection with a business transfer, merger, company split, or other organizational restructuring

6. Management of Contractors and Subcontractors

The Company may entrust the handling of personal information or personal data to cloud service providers, IT vendors, external translators, interpreters, contact center-related service providers, payment/accounting-related service providers, and other contractors to the extent necessary for service provision and business operations.

In such cases, the Company implements appropriate contractual and organizational measures for contractors, including confidentiality obligations, prohibition of use for purposes other than the entrusted purpose, security control measures, restrictions on subcontracting, and return or deletion upon termination of the contract.

7. International Transfers

The Company is a business operator with offices in Japan. Where the Company receives personal data transferred from the EU/EEA to Japan, the Company handles such personal data appropriately in light of the EU adequacy decision for Japan and the Supplementary Rules based on the Act on the Protection of Personal Information of Japan.

Where personal data is transferred to a third country due to the Company’s use of contractors, cloud services, systems, or other resources outside Japan, the Company implements appropriate safeguards based on an adequacy decision, standard contractual clauses, the consent of the data subject, necessity for contract performance, or other transfer mechanisms permitted under applicable laws and regulations.

8. Retention Period

The Company retains personal information and personal data only for the period necessary to achieve the purposes of use, the period required under contracts or applicable laws, or the period reasonably necessary for dispute resolution, audits, accounting, tax, security management, or other legitimate business purposes.

Personal information and personal data whose retention period has expired, or that is no longer necessary in light of the purposes of use, will be deleted, disposed of, or anonymized within a reasonable period.

9. Security Control Measures

The Company implements appropriate security control measures, including the following, to prevent unauthorized access to, leakage, loss, damage, alteration, or use for purposes other than the intended purposes of personal information and personal data.

  • Management of access privileges
  • Authentication management, including ID and password management and multi-factor authentication
  • Encryption of communications and stored data or equivalent protective measures
  • Log management, monitoring, and backup
  • Confidentiality obligations for employees, interpreters, translators, and contractors
  • Education and training regarding personal information protection and information security
  • Selection, contracting, and supervision of contractors
  • Reporting, investigation, assessment of scope of impact, and recurrence prevention measures in the event of an incident

10. Rights of Data Subjects

Where the GDPR applies, data subjects may exercise the following rights against the Company in accordance with applicable laws and regulations.

  • Right of access to personal data
  • Right to rectification of personal data
  • Right to erasure of personal data
  • Right to restriction of processing of personal data
  • Right to object to processing of personal data
  • Right to data portability
  • Right to withdraw consent at any time for processing based on consent
  • Right to lodge a complaint with a supervisory authority

When a data subject exercises these rights, the Company will verify the identity of the requester and respond in accordance with applicable laws and regulations, in principle within one month after receipt of the request. Where the request is complex or there are numerous requests, the Company may extend the response period in accordance with applicable laws and regulations.

Where the Company handles personal data as a processor for customer companies or other parties, requests from data subjects will, in principle, be referred to the relevant customer companies or other parties, and the Company will respond in accordance with their instructions.

11. Use of Cookies and Similar Technologies

The Company’s website may use cookies and similar technologies for purposes such as improving convenience, access analysis, ensuring security, and improving services.

Users who do not wish to use cookies may disable cookies through their browser settings. However, if cookies are disabled, some functions of the Company’s website may not be available.

Where the Company uses cookies for advertising, access analysis, or marketing purposes, the Company will, as necessary, obtain user consent or take other measures required under applicable laws and regulations.

12. Automated Decision-Making

The Company does not, in principle, conduct solely automated decision-making that produces legal effects concerning data subjects or similarly significantly affects them.

13. Response to Personal Data Breaches

In the event of leakage, loss, damage, unauthorized access, or any other personal data breach involving personal information or personal data, the Company will promptly confirm the facts, identify the scope of impact, prevent the expansion of damage, and implement recurrence prevention measures.

Where the GDPR applies and notification to a supervisory authority or data subject is required, the Company will make the necessary notifications in accordance with applicable laws and regulations and contractual obligations. Where the Company handles personal data as a processor, the Company will notify the customer company or other party acting as controller without undue delay after becoming aware of the personal data breach.

14. EU Representative and DPO

Where the Company is required under the GDPR to appoint an EU representative, the Company will appoint an appropriate EU representative and publish the relevant contact information.

Where the Company is required under the GDPR to appoint a Data Protection Officer, or DPO, the Company will appoint an appropriate DPO and publish the relevant contact information. Even where the Company does not appoint a DPO, the Company maintains an inquiry contact point for personal information protection and personal data protection matters.

15. Contact

For inquiries regarding this Privacy Policy, the handling of personal information or personal data, or the exercise of data subject rights, please contact the following office.

BRIDGE MULTILINGUAL SOLUTIONS, Inc.
Personal Information Office
Address: 4-3-17 Shinjuku, Shinjuku-ku, Tokyo, Japan
Email: privacy@bridge-ms.com
TEL: +81-3-5366-6001
Reception Hours: 9:00 to 17:30 on business days*

*Inquiries received on Saturdays, Sundays, public holidays, during summer holidays, year-end and New Year holidays, or Golden Week holidays will be handled on or after the next business day.

16. Changes to this Privacy Policy

The Company may amend this Privacy Policy as necessary due to amendments to laws and regulations, changes in business activities, changes in service content, changes in the handling of personal information and personal data, or other reasons.

Where the Company makes material changes, it will notify users by posting the changes on the Company’s website or by other appropriate means.

```