← Back to beluuga.ai

Privacy Policy

Last updated: April 17, 2026

Quzilla Capital, Inc. (hereinafter "the Company") provides beluuga.ai (hereinafter "the Service"), an M&A and deal-analysis platform covering Japanese listed companies, to financial professionals including Financial Advisors (FAs), Private Equity (PE) funds, and equity research analysts engaged in M&A advisory work. The Service includes Comparable Company Analysis (Comps), DCF valuation (DCF Financial Models auto-generation), LBO analysis (LBO Financial Models auto-creation), AI Insights, stock price annotations, and WACC calculations, among other features and add-ons.

Due to the nature of the Service, non-public investment information, deal information, and confidential financial data related to your business may pass through our systems. We consider protecting the confidentiality, integrity, and availability of such information to the highest standard as our paramount obligation, and establish this Privacy Policy accordingly.

This Policy is intended to comply with the Act on the Protection of Personal Information (APPI), the Telecommunications Business Act, the Unfair Competition Prevention Act, the Financial Instruments and Exchange Act, and other applicable laws, and to protect your rights to the fullest extent.

Article 1: Definitions

In this Policy, the following terms shall have the meanings set forth below.

  • "Personal Information": Information as defined in Article 2, Paragraph 1 of the APPI.
  • "Business-Related Information": Deal information, target company information, investment candidate information, financial data, and other confidential business information that you input, store, or process through the Service.
  • "Usage Information": Technical information automatically collected in connection with your use of the Service (see Article 3, Paragraph 2).
  • "The Company": Quzilla Capital, Inc.
  • "The Service": The M&A/deal-analysis platform provided by the Company under the name beluuga.ai (including features and add-ons such as Comps, DCF, LBO, AI Insights, stock annotations, and WACC, as well as Add-on subscriptions and Enterprise plans) and all associated services.

Article 2: Scope of Application

This Policy applies to all of the following:

  • All registered users holding an account with the Service
  • All visitors who trial or browse the Service
  • Businesses and developers who access the Service via API
  • All employees and contractors within your organization who use the Service

Article 3: Information We Collect

3-1: Information Collected Directly from You

  • Account Information: Name, email address, company/organization name, title, phone number
  • Identity Verification: Information necessary to verify professional/industry status (financial institution, FA, PE affiliation, etc.)
  • Billing Information: Billing name/entity, billing address (credit card numbers and other payment details are not stored by us but managed by PCI DSS-compliant payment processors)
  • Inquiry & Feedback: All communications you send to the Company
  • Business-Related Information: Deal information, company data, analytical data, etc. that you input or upload to the Service (see Article 4 for details)

3-2: Information Collected Automatically

  • Access Logs: IP address, access date/time, referring page URL, browser/OS information
  • Usage Behavior: Interaction history within the Service, search queries, types of company/financial data viewed (excluding the content of Business-Related Information itself)
  • Device Information: Device type, browser type/version, timezone, language settings
  • Cookies & Similar Technologies: As detailed in Article 9

3-3: Information Obtained from Third Parties

  • Publicly available financial and market data (public data sources such as EDINET, J-Quants, TSE)
  • Payment completion notifications from payment processors (excluding sensitive information such as card numbers)

We do not obtain personal information from social media, data brokers, or similar sources without your consent.

Article 4: Handling of Business-Related Information (Special Protection)

The Service is a platform specialized for M&A advisory work. Business-Related Information that you input or store may include non-public deal information and investment candidate company data. We implement the following special protective measures for such information.

4-1: Prohibition of Purpose-Exceeding Use

Business-Related Information is used solely for the purposes of providing the Service, technical support, and incident response. We will never use Business-Related Information for our own business purposes (investment decisions, sales activities, etc.).

4-2: Employee Access Restrictions

Access to Business-Related Information is limited to the minimum number of personnel with a demonstrated technical necessity for service provision. All access is logged and auditable.

4-3: Prohibition of Third-Party Disclosure

We will never disclose, provide, or sell Business-Related Information to third parties without your explicit consent. Disclosure to competitors, investors, media, or any other party is absolutely prohibited except where required by law.

4-4: Non-Use for AI Training

Your Business-Related Information will not be used for training or improving any AI models or machine learning models, whether ours or third parties'.

4-5: Deletion After Contract Termination

After you cancel the Service, Business-Related Information will be completely deleted from all of our systems (including backups) within 90 days of the cancellation date, except where retention is required by law.

Article 4-2: Use of Generative AI Services

The Service uses generative AI (large language models / LLMs) in features including DCF Chat, LBO Chat, AI Company Summary, stock price annotations, and AI Insights. This Article sets out the handling of such use.

4a-1: AI Subprocessors Used

The Company uses the Claude API provided by Anthropic, PBC (United States) as its generative AI subprocessor. Anthropic contractually commits not to use customer data submitted via API for training or improving its AI models (zero-retention training policy for API customer data).

4a-2: Data Sent to AI

When you use features such as DCF Chat, LBO Chat, or AI Company Summary, the messages you enter along with related data held by the Service (target company financials, industry information, etc.) are transmitted to the Claude API. A portion of the transmitted content may be retained for up to 90 days in our database (chat_audit_logs) for abuse detection and quality analysis, after which it is automatically deleted.

4a-3: Accuracy and Disclaimer of AI Output

AI-generated analyses, comments, and financial models are based on statistical predictions and may contain errors (hallucinations), computational inconsistencies, or outdated information. The Company does not warrant the accuracy, completeness, or fitness for a particular purpose of AI-generated output. You must independently verify results and consult qualified professionals before making investment or M&A decisions. See the Terms of Service for the full disclaimer.

4a-4: Notes on Confidential Input

While content entered into AI prompts is subject to the special protections of Article 4, to minimize disclosure risk we strongly recommend that you not enter material non-public information, highly confidential deal terms, or personal data into AI chats. Only enter the minimum information necessary.

Article 5: Purpose of Use

Collected information is used solely for the following purposes:

  • Providing, operating, maintaining, and improving the Service
  • User authentication, account management, and security
  • Calculating, billing, and confirming payment of usage fees
  • Responding to inquiries and providing technical support
  • Sending important service notices (outages, maintenance, policy changes, etc.)
  • Detecting, preventing, and responding to unauthorized access, misuse, and cyberattacks
  • Fulfilling legal obligations (including responses to lawful inquiries from governmental agencies and courts)
  • Analyzing and improving service quality and user experience (conducted in anonymized, aggregated form)

If personal information is to be used for purposes beyond those listed above, we will obtain your prior consent.

Article 6: Third-Party Disclosure

6-1: Principle

We will not provide your personal information or Business-Related Information to third parties except as set forth below.

6-2: Permissible Exceptions

  • With your prior explicit consent
  • When required by law (APPI Article 23, Financial Instruments and Exchange Act, etc.)
  • When necessary to protect life, body, or property and obtaining consent is impractical
  • When receiving a legally-grounded inquiry from a court, public prosecutor's office, police, or other public authority (we will notify you before or after to the extent possible)

6-3: Outsourcing (Subprocessors)

To the extent necessary for service provision, we entrust the handling of personal information and Business-Related Information to the following vendors. All vendors are bound by data protection agreements and subject to appropriate oversight.

  • Stripe, Inc. (USA): Credit card payment processing. Card numbers and other sensitive payment information are held by Stripe (PCI DSS Level 1 certified) and not retained by the Company.
  • Supabase Inc. (USA / AWS ap-northeast-1 Tokyo region): Database and authentication. Customer personal information and Business-Related Information are stored on Supabase-hosted PostgreSQL databases.
  • Vercel Inc. (USA): Application hosting and edge delivery (CDN).
  • Anthropic, PBC (USA): Generative AI (Claude API). See Article 4-2 for details.
  • Resend, Inc. (USA): Transactional email delivery (authentication emails, notifications, etc.).
  • J-Quants (JPX Market Innovations, Inc., Japan) / EDINET (Financial Services Agency, Japan): Acquisition of listed-company financial disclosures and annual/semi-annual reports. These public sources do not include customer personal information.

Any addition or change to our subprocessors will be communicated via an update to this Policy.

6-4: Business Succession

In the event of a merger, corporate split, business transfer, or other organizational restructuring, personal information may be transferred along with the business. In such cases, we will require the successor to be bound by protections consistent with this Policy and will provide you with appropriate notice.

Article 7: Security Measures

7-1: Technical Measures

  • Communication Encryption: All communications between the Service and you are encrypted with TLS 1.2 or higher
  • Data-at-Rest Encryption: All personal information and Business-Related Information stored in databases is encrypted using AES-256 or equivalent
  • Access Control: Data access is restricted to minimum privilege via Role-Based Access Control (RBAC) and Row-Level Security (RLS)
  • Multi-Tenant Isolation: Your data is managed in a state inaccessible to other customers through JWT-based tenant isolation
  • Vulnerability Management: Regular security assessments and penetration testing are conducted
  • Logging & Audit: All system access and operations are logged, and suspicious activity is monitored

7-2: Organizational Measures

  • A Personal Information Protection Officer is appointed and internal rules/procedures are maintained
  • Regular personal information protection training is conducted for employees
  • Access permissions to personal information are strictly managed based on business necessity
  • Regular audits are conducted on outsourcing partners

7-3: Incident Response

In the event of a personal information breach, loss, corruption, or similar incident (or threat thereof), per APPI Article 26 and its enforcement regulations we will file an initial report to the Personal Information Protection Commission promptly (targeting within 72 hours of detection) and a final report within 30 days (within 60 days for incidents involving sensitive personal information). We will also promptly notify affected customers. Notifications will include an overview of the incident, scope of impact, our response measures, and recommended actions for you.

Article 8: Retention Period

Retention periods for personal information vary by purpose of collection as follows:

  • Account Information: During the active account period and 90 days after cancellation (for inquiry response purposes)
  • Usage Logs / Access Logs: 1 year from date of collection
  • Billing / Transaction Records: 7 years in accordance with retention obligations under the Commercial Code and tax laws
  • Business-Related Information: Completely deleted within 90 days of cancellation (see Article 4, Paragraph 5)
  • DCF/LBO Model Output (Excel files, etc.): Retained during the account's active term; completely deleted within 90 days of cancellation (same treatment as Business-Related Information)
  • AI chat audit logs (chat_audit_logs): Retained for up to 90 days then automatically deleted (see Article 4-2, Paragraph 2)
  • Inquiry Records: 2 years from last response date

After the retention period expires, data is promptly deleted or anonymized using secure methods.

Article 9: Cookies and Similar Technologies

9-1: Types of Cookies Used

  • Essential Cookies: Cookies indispensable for core Service functionality (authentication, session management). Used without your consent.
  • Functional Cookies: Cookies used to remember your settings and preferences. Subject to your consent.
  • Analytics Cookies: Cookies used for aggregating and analyzing usage patterns. We currently use only Vercel Analytics (a privacy-focused, cookie-less analytics platform), subject to your consent.

We do not use cookies for targeted advertising purposes. We do not share data with third-party advertising networks.

9-2: Cookie Management

You can disable or delete cookies through your browser settings. However, disabling essential cookies (authentication cookies, etc.) may cause all or part of the Service to malfunction.

Article 10: Your Rights

You have the following rights regarding your personal information held by the Company:

  • Right to Disclosure: The right to review the content of personal information held by the Company
  • Right to Correction/Addition/Deletion: The right to request correction, addition, or deletion of inaccurate information
  • Right to Suspension/Erasure: The right to request suspension of use or erasure when there is purpose-exceeding use or improper acquisition
  • Right to Stop Third-Party Provision: The right to request cessation of provision to third parties
  • Data Portability: The right to receive your data in machine-readable format (CSV, JSON, etc.)
  • Right to Notification of Purpose: The right to request notification of the purposes for which we use your personal information

To exercise any of the above rights, please contact hello@beluuga.ai. After identity verification, we will respond within 30 days as a rule.

If we are unable to accommodate a request, we will explain the reasons. You also have the right to file a complaint with the Personal Information Protection Commission if you are dissatisfied with our response.

Article 11: Minors

The Service is not intended for persons under the age of 18, and we do not intentionally collect personal information from minors. If we become aware that a person under 18 has registered for the Service, we will delete the account and associated information.

Article 12: International Data Transfers

In operating the Service, certain personal information may be transferred overseas (e.g., to the United States) through our subprocessors (see Article 6-3). In such cases, per APPI Article 24 and its enforcement regulations we will provide information about the personal-information protection system of the destination country and contractually bind our subprocessors to protections equivalent to or greater than this Policy. The primary storage location for customer Business-Related Information is Supabase (AWS ap-northeast-1 Tokyo region), managed within Japan. Note that the Service is designed and operated under Japanese law; we do not explicitly offer compliance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the California Consumer Privacy Act (CCPA), or other non-Japanese privacy regimes. Although the Service is technically accessible from outside Japan, our primary intended audience is users located within Japan.

Article 13: Changes to This Policy

13-1: Notification of Changes

When this Policy is amended, we will provide notice through the following methods:

  • Material Changes (addition of usage purposes, changes to third-party sharing conditions, extension of retention periods, etc.): Notification to your registered email address and in-Service announcement no later than 30 days before the change takes effect
  • Minor Changes (wording corrections, contact information changes, etc.): Notice via the update date displayed on this Policy

13-2: Consent Through Continued Use

If you continue to use the Service after changes to this Policy, you will be deemed to have consented to the updated Policy. If you do not agree with a material change, you may cancel the Service.

13-3: Opt-out of Marketing Emails

When the Company sends promotional emails regarding service introductions or feature announcements, in compliance with the Act on Specified Commercial Transactions and the Act on Regulation of Transmission of Specified Electronic Mail, we will clearly include an opt-out (unsubscribe) link in the email body. You may request to stop receiving such emails at any time via that link. Notifications essential to operating the Service (outages, maintenance, policy changes, billing, etc.) are not subject to opt-out.

Article 14: Governing Law & Jurisdiction

This Policy is governed by the laws of Japan. Any dispute arising under this Policy shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance.

Article 15: Contact

For questions, opinions, or requests to exercise your rights regarding this Policy, or any inquiries about the handling of personal information, please contact:

Quzilla Capital, Inc.
Personal Information Protection Officer
Email: hello@beluuga.ai
Website: https://beluuga.ai

We will respond to inquiries within 5 business days as a rule.

Established: March 14, 2026 | Last updated: April 17, 2026
Quzilla Capital, Inc.