DRGNBSTRACG Privacy Policy
Effective Date: February 19, 2025 | Last Updated: February 19, 2024
Applicable Site: https://drgnbstracg.com
1. Brand and Scope Statement
DRGNBSTRACG (hereinafter referred to as “we”) is a global e-commerce platform focusing on genuine Japanese anime and manga collectible figures, mainly selling IP-licensed products such as “Demon Slayer: Kimetsu no Yaiba”, “Jujutsu Kaisen” and “Attack on Titan”. This policy applies to the data generated when you interact with us through our website, mobile devices and social media private messages (such as Instagram DM orders).
2. Data collection matrix
2.1 Core personal information
| Data type | Example use case | Legal basis |
|---|---|---|
| Name / shipping address | Processing international shipping of the Demon Slayer: Kimetsu no Yaiba Nichirin Sword model (logistics partner: DHL Priority) | Contract performance (GDPR Art. 6(1)(b)) |
| Email / mobile number | Sending pre-sale eligibility notifications for the limited edition “Jakumon-kan” of Jujutsu Kaisen | User's explicit consent (CCPA / CPRA) |
| Payment information | Processing credit card transactions through Stripe (we store only transaction IDs and never touch the CVC/CVV) | Contract performance |
| Custom request text | User-submitted engraving content for Bleach Zanpakutō (data retention period: 30 days after order completion) | User's active authorization |
2.2 Automated data collection
- Device fingerprint: Detect cross-account promotion abuse (such as scalpers bulk-buying limited edition One Piece figures) through the IP address and browser User-Agent
- Behavior heat map: Use Hotjar to record the click distribution of the “Chainsaw Man” Pochita Doll product page and optimize the page layout
3. Special terms for children’s privacy
Age wall mechanism:
- An age confirmation prompt is forced to pop up before accessing the “Pokémon” children's product category (≥16 years old in the EU, ≥13 years old in other regions)
- For suspected underage accounts, parents must send a consent letter to legal@drgnbstracg.com and attach ID verification
Data isolation:
- Children's accounts are prohibited from receiving marketing emails for adult IPs such as “Attack on Titan”
4. Data flow map
| Recipient type | Data scope | Restrictions |
|---|---|---|
| Payment gateway (Stripe) | Order amount, email address, transaction ID | A DPA (data processing agreement) is signed; secondary marketing is prohibited |
| Logistics provider (DHL / UPS) | Name, address, phone number + product type (declared as “PVC Figure”) | Delivery order data must be transmitted over TLS |
| Advertising platform (TikTok) | Hashed email address (for “Spy House” advertising retargeting) | Automatically deleted within 24 hours after data matching |
| Copyright holder (Aniplex) | Anonymous sales data (to prove genuine sales of “Demon Slayer” figures) | Only aggregate reports are provided, without user personal information |
5. Cookies and advanced tracking technologies
Necessity classification:

| Cookie type | Functional example | User control method |
|---|---|---|
| Strictly necessary | Maintain the fairness of the “Jujutsu Kaisen” blind box lottery system (anti-bot) | Cannot be disabled; without it you cannot shop |
| Performance analysis | Analyze the conversion funnel of “BLEACH” sword accessories through Google Analytics 4 | Disable via cookiehub.drgnbstracg.com |
| Ad targeting | Facebook CAPI tracks the ROAS of “One Piece” figure ads | Separate authorization is required |

Working around iOS restrictions:
- Use **Server-Side Event Tracking (Server-Side GTM)** to bypass the ITP 2.3 restrictions of the Safari browser
6. Data sovereignty and security architecture
Storage strategy:
- EU user data: AWS Frankfurt data center (GDPR-compliant cluster)
- Other regions: AWS Singapore node + local backup (daily incremental backups are retained for 30 days)
Encryption standards:
- Transport layer: TLS 1.3 + HSTS preload list
- Data at rest: AES-256 + key rotation (every 90 days)
Penetration testing:
- Qualys is commissioned quarterly to conduct vulnerability scans, and findings with CVSS scores ≥ 7.0 are prioritized for remediation
7. User rights implementation path
| Rights type | Operation entry | Technical implementation |
|---|---|---|
| Data portability | Account settings → Download a JSON-format data package (including order history and IP log) | Automated API integration with the MyData architecture |
| Right to erasure | Submit a ticket → Upload identity proof → Erased from the database and backups within 72 hours | GDPR Eraser tool chain |
| Object to profiling | Email a statement refusing AI recommendations (such as push notifications for related “Attack on Titan” products) | The Apache Spark user-behavior clustering algorithm is disabled for the account |
8. Security incident response protocol
Graded response:

| Event level | Definition example | Response action |
|---|---|---|
| Level 1 (serious) | SQL injection in the payment system leads to credit card information leakage | Notify users within 72 hours + freeze suspicious accounts + report to the FTC |
| Level 2 (moderate) | Unauthorized access to the “Demon Slayer” pre-sale list | Internal audit + strengthened access control + email notification to affected users |
9. Policy Update and Version Control
- Staged release: Major changes (such as the addition of NFT digital collectible terms) will be pushed to 5% of active users to confirm readability
- Multi-language support: English, Japanese and Chinese versions are provided, with the English version as the legally authoritative version
10. Contact Us
EU Representative:
- [Designated in accordance with Article 27 of the GDPR]
- Name: EU-REP GmbH
- Address: Friedrichstraße 95, 10117 Berlin, Germany
Data Protection Officer (DPO):
- Email: dpo@drgnbstracg.com (only accepts privacy complaints)
- Response commitment: Legal opinions will be issued within 15 working days for complex requests (such as cross-border data transfer inquiries)
Compliance tool integration recommendations:
- Deploy Osano Consent Management to manage global user consent preferences
- Use Vanta to automatically generate SOC 2 Type II compliance reports
- Add a **Global Privacy Control (GPC)** signal recognition switch in the footer
Note:
- The parts marked in red need to be replaced with actual information (such as the designated EU representative's address)
- If you are engaged in the AI toy business (such as a “Pokémon” smart speaker), you need to add a “Voice Data Processing Appendix”
- The final text needs to be reviewed by the compliance team of the Fieldfisher or DLA Piper law firm