🇺🇸 US duties prepaid — no customs surprises at delivery✈️ Tracked Japan Post shipping to 40+ countries📦 Hand-packed in Tokyo · ships within 5 business days
🇺🇸 US duties prepaid — no customs surprises at delivery

Privacy

Privacy Policy

Last updated: May 2026

This Privacy Policy describes how Tokyo Carry, operated by Cross Market Holdings LLC (a Washington State, USA company), collects, uses, and shares information when you visit tokyocarry.com or place an order. By using the Site, you agree to the practices described here.

1. Information we collect

We collect information that you provide directly and information collected automatically.

Information you provide

  • Order information: name, shipping address, billing address, email, phone number, payment details (card details are entered into Stripe’s secure form and never touch our servers).
  • Account information (if you create an account): email and password (passwords are hashed, never stored in plain text).
  • Communications: emails you send us, customer service messages, product reviews.
  • Newsletter: email address if you subscribe.

Information collected automatically

  • Device and browser data: IP address, browser type, operating system, referring URL.
  • Usage data: pages viewed, time on site, links clicked, search queries.
  • Cookies and similar technologies: see “Cookies” below.

2. How we use your information

  • To process and fulfill your orders, including arranging shipping and customs documentation.
  • To communicate with you about your orders, account, and customer service inquiries.
  • To send marketing emails (only if you have subscribed; you can unsubscribe anytime).
  • To improve our website, products, and customer experience.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations including tax, customs, and accounting.

3. Lawful basis for processing (UK/EU GDPR)

If you are in the UK or European Economic Area, our lawful basis for processing your personal data depends on the purpose:

  • Performance of contract: processing orders, payments, shipping, returns, and customer support.
  • Legal obligation: tax records, customs declarations, accounting, fraud reporting.
  • Legitimate interests: fraud prevention, security, analytics in aggregated form, defending legal claims.
  • Consent: marketing emails and non-essential cookies. You may withdraw consent at any time.

4. How we share your information

We share information with third parties only as needed to operate our business:

  • Stripe — to process your payment and screen for fraud. Card data is collected by Stripe directly and never stored on our servers. See Stripe’s Privacy Policy.
  • Our Tokyo fulfillment partner — for picking, packing, labeling, and dispatch. They receive the buyer’s name, shipping address, phone number, and item details necessary to ship the order.
  • Japan Post — to deliver your order and prepare customs documentation. The buyer’s name and address appear on the shipping label and customs declaration.
  • CBP-certified Qualified Party (for U.S. orders) — Japan Post’s CBP-certified duty-prepayment partner receives order value and product description data necessary to pre-pay U.S. import duties on your behalf.
  • Customs authorities — we are required by international shipping law to provide buyer name, address, and order details on customs declarations for international shipments.
  • Email service providers — to send order confirmations and (if subscribed) marketing emails.
  • Hosting and analytics providers (e.g., Vercel, Supabase, Cloudflare, Google Analytics) — to operate the Site and understand how visitors use it. Where required by law, analytics are loaded only after you give consent.
  • Legal compliance — when required by subpoena, court order, or applicable law.

We do not sell your personal information to third parties.

If we are involved in a sale, merger, or acquisition of our business, your personal information may be transferred as part of that transaction. The acquirer would be bound by this Privacy Policy or a substantially similar one.

5. Cookies and tracking

We use cookies and similar technologies in three categories:

  • Strictly necessary — required for the cart, checkout, and login to function. Always active.
  • Analytics — to understand how the Site is used and improve it. Loaded only with your consent in jurisdictions where consent is required (UK, EEA).
  • Marketing (if applicable) — to measure ad performance and personalize offers. Loaded only with your consent in jurisdictions where consent is required.

For visitors in the UK, EEA, and other jurisdictions requiring prior consent, our cookie banner allows you to accept all, reject all (except strictly necessary), or manage preferences. You can change consent at any time via the cookie preferences link in our footer. Disabling strictly necessary cookies may break checkout and other essential site features.

6. Data retention

  • Order records: retained for as long as required by tax and accounting law (typically 7 years in the U.S.).
  • Customer support correspondence: 3 years after last interaction unless needed longer.
  • Marketing list: until you unsubscribe or are detected as inactive.
  • Analytics: identifiable analytics data is configured to expire within 14 months; aggregate data is retained indefinitely.
  • Fraud and security logs: 12 to 24 months unless needed longer for ongoing investigations.

7. Your rights

Depending on your location, you may have the following rights:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request that we correct inaccurate information.
  • Deletion — request that we delete your information, subject to legal retention requirements.
  • Opt-out — unsubscribe from marketing emails at any time via the link in any email.
  • Data portability — request your data in a machine-readable format.
  • Restrict or object to processing — applicable in some jurisdictions.
  • Withdraw consent — for marketing and non-essential cookies, at any time.
  • Lodge a complaint with your local data-protection authority.

EU/UK residents (GDPR): You have all the rights above. You may also lodge a complaint with your local data protection authority. See Section 3 for our lawful basis for each processing purpose.

U.S. state privacy rights: Depending on your state of residence (including California, Colorado, Connecticut, Virginia, Utah, and Texas), you may have rights to know, access, correct, delete, or obtain a copy of personal information we hold about you, and to opt out of certain sharing, targeted advertising, or profiling where applicable. We do not sell personal information for money. If we use advertising or analytics tools that qualify as “sharing” or “targeted advertising” under applicable state law, we will provide the required opt-out method.

To exercise any of these rights, email privacy@tokyocarry.com. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law (typically 30 to 45 days).

8. International data transfers

Tokyo Carry operates from Washington State, USA, and our fulfillment partner operates in Japan. By placing an order, you understand that your information will be transferred to and processed in those countries, and may be processed by service providers in other countries.

Where personal data is transferred from the UK, EEA, or Switzerland to a country that does not provide an equivalent level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses, vendor data processing terms, adequacy decisions where applicable (Japan has an EU adequacy decision for certain transfers), or other lawful transfer mechanisms.

9. Children’s privacy

The Site is not intended for children under 16. We do not knowingly collect information from children under 16. If you believe we have collected information from a child, please contact us and we will delete it.

10. Security

We use industry-standard security measures including encryption in transit (HTTPS), encryption at rest, restricted access to personal data, role-based access controls, and PCI-compliant payment processing through Stripe. However, no system is 100% secure and we cannot guarantee absolute security. If we learn of a breach affecting your information, we will notify you as required by law.

11. Marketing emails

We send marketing emails only where we have consent or another lawful basis to do so. Every marketing email includes an unsubscribe link, and you can withdraw consent at any time. Order-related transactional emails (order confirmation, shipping notification, return updates) cannot be unsubscribed because they are part of fulfilling your purchase.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Updates take effect when posted to this page with a revised “Last updated” date. Material changes will be communicated via email if you are subscribed to our newsletter or have an active account.

13. Contact

Questions about this Privacy Policy or your data? Email privacy@tokyocarry.com.