This Addendum supplements the Flaggs Privacy Policy and systematically outlines additional conditions and compliance measures to meet the requirements of personal data protection laws in each country or region.
For each country/region, the following items are addressed:
1. Applicable Laws and Definitions
2. Purpose Limitation
3. User Rights
4. Governance Structure (e.g., DPO, Representatives)
5. Special Notes (e.g., Opt-outs, Cross-border Transfers)

Please refer to the Japanese version of the Privacy Policy here: https://flaggs.jp/privacypolicy/jp/, and the Japanese version of this Addendum here: https://flaggs.jp/addendum/jp/.

■ EU Member States (GDPR Applicable Countries)
1. Applicable Law: General Data Protection Regulation (GDPR)
2. Purpose Limitation: Processing must be based on explicit and legitimate purposes. Parental consent is required for processing children's data under the age of 16.
3. User Rights: Access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.
4. Governance: DPO appointed. Cross-border transfers conducted using SCCs.
5. Special Notes: Consent must be obtained for the use of tools such as Google Analytics. Consent management is handled via cookie banners when such tools are used.

■ United Kingdom (UK GDPR)
1. Applicable Law: UK GDPR and Data Protection Act 2018
2. Purpose Limitation: Equivalent to GDPR. Consent required for users under 16.
3. User Rights: Same as under GDPR.
4. Governance: DPO appointed.
5. Special Notes: Data transfers comply with UK version of SCCs.

■ United States (California)
1. Applicable Law: CCPA / CPRA
2. Purpose Limitation: Must disclose purposes of collection in advance and clearly notify whether personal information is "sold" or "shared".
3. User Rights: Right to know, delete, opt-out, and protection against discriminatory treatment.
4. Governance: Identity verification processes in place for data collection.
5. Special Notes: Flaggs does not sell or share personal information without explicit opt-in consent.

■ South Korea (PIPA)
1. Applicable Law: Personal Information Protection Act (PIPA)
2. Purpose Limitation: Requires prior consent and minimum necessary collection.
3. User Rights: Right to view, correct, delete, and request suspension of processing.
4. Governance: Korean-language-capable DPO appointed.
5. Special Notes: Parental consent required for minors under 14. Obligation to notify upon data processing delegation.

■ Brazil (LGPD)
1. Applicable Law: General Data Protection Law (LGPD)
2. Purpose Limitation: Processing must be based on explicit consent.
3. User Rights: Confirmation, correction, anonymization, deletion, portability, and objection.
4. Governance: Encarregado (DPO) appointed.
5. Special Notes: Where data is collected, opt-in and opt-out mechanisms are provided within the service.

■ Other Covered Countries (Brief Summary)
- Canada (PIPEDA): Reasonableness principle, rights to access and correction.
- Australia: Cross-border transfer restrictions and notification obligations; requires consent.
- Taiwan, Malaysia, Philippines, South Africa: Compliant with PDPA, POPIA, etc.; parental consent required under 14; complaint rights ensured.
- Vietnam, India, Nigeria, Kenya, Russia: Where data localization or local DPO appointment is required, Flaggs will comply accordingly with local law.

Note: The contents of this Addendum are subject to updates in accordance with amendments to the laws of each country.
For further details, please contact the relevant regional DPO or use the online form on the corporate website: https://flaggs.jp/contact/ or email: flaggs-dpo@flaggs.co.jp