Matters Disclosed under the External Transmission Rules

Outbound Transmission Disclosure

Last updated: May 19, 2026

Disclosure under Article 27-12 of Japan’s Telecommunications Business Act (as amended, in force June 2023). This page lists every external service that the CapyClimb mobile app or the CapyClimb website transmits user information to, the categories of information sent, and the purpose of each transmission. The Japanese-language version of this page is the authoritative version; this English text is a convenience translation.

Overview

CapyClimb is designed to minimise the number of third parties that receive your data. The CapyClimb app does not embed any third-party analytics SDK, advertising SDK, social-network SDK, or cross-app tracker. The only outbound transmissions are those listed below, which are necessary to operate the service.

Sender

TheCapybaraCompany, B1, 5-61-4 Nakano, Nakano-ku, Tokyo 164-0001, Japan.

Contact: privacy@capyclimb.com

1. AWS API Gateway & Lambda (CapyClimb backend)

Recipient: Amazon Web Services Japan G.K. (Tokyo region, ap-northeast-1).

Information sent:

  • Cognito-issued authentication token (JWT) on every authenticated request.
  • Request payloads required for app functionality — e.g. profile fields you submit, pass purchases, gift claims, door-scan QR tokens.
  • Standard HTTP metadata (timestamp, user agent, source IP).

Purpose: operate the app and gym (auth, passes, gym access, gift redemption, profile management). Required for the service to function. Same legal basis as the data described in the Privacy Policy §3.

Opt-out: not available without ceasing to use the service. Delete your account in-app (Profile → Settings → Delete account) to stop.

2. Amazon Cognito (authentication)

Recipient: Amazon Web Services Japan G.K. (Tokyo region, ap-northeast-1).

Information sent:

  • Email address and password (or, for federated sign-in, the OAuth token issued by the provider) on sign-up and sign-in.
  • Federated identity provider name (Apple or LINE) when you choose to sign in via those providers.
  • Cognito sub (account identifier) on token-refresh requests.

Purpose: account creation, authentication, and password reset. Required for the service to function.

Opt-out: not available; authentication is mandatory for protected features.

3. Apple Sign in / LINE Login (optional federated sign-in)

Recipients: Apple Inc. (Sign in with Apple) and LY Corporation (LINE Login), respectively.

Information sent: only fields you authorise on the provider’s consent screen — typically email, display name, and the provider-issued identity token. CapyClimb receives the token and forwards it to Cognito for identity federation.

Purpose: account creation and authentication using a federated identity provider, as an alternative to email/password.

Opt-out: don’t use these sign-in buttons. The email/password sign-in path does not transmit anything to Apple or LINE.

4. Payment processor (disclosed at checkout)

Recipient: our payment processor — the company is identified on the checkout screen at the time you confirm payment.

Information sent: card details and the amount you authorise, entered directly on the payment-provider hosted form. CapyClimb does not store or receive full card numbers; we receive only a tokenised reference and a payment-confirmation record.

Purpose: processing the purchase you initiated.

Opt-out: don’t make a paid purchase. Account creation and gym access do not require transmitting payment data unless you buy a paid pass or membership.

5. Expo Updates (over-the-air app updates, optional)

Recipient: Expo, Inc. (operator of EAS Update).

Information sent: app version, OS version, and device model when the app checks for OTA JavaScript updates.

Purpose: deliver bug fixes and small improvements without requiring an App Store update. No user-identifying data is transmitted.

Opt-out: not user-configurable; if you decline App Store auto-updates entirely on iOS, the OTA channel still operates only within the version installed from the App Store.

We do not transmit user information to:

  • Advertising networks (no IDFA collection, no cross-app/cross-site tracking).
  • Third-party analytics SDKs (no Firebase Analytics, no Mixpanel, no Amplitude, no GA).
  • Crash-reporting SDKs operated by third parties (no Sentry, no Bugsnag, no Crashlytics enabled in the shipping build).
  • Social-network SDKs (no Facebook, X, TikTok, etc.).
  • Data brokers or marketing partners of any kind.

Updates to this disclosure

If we add a new third-party recipient, we will update this page before the change takes effect and, for material changes, notify users in the app and by email per Terms of Use §14.
