Legal & Policies

RubiLabs Inc ("RubiLabs", "we", "us", or "our") is a financial crime intelligence company incorporated in Japan. We operate the Lapis compliance intelligence platform and related services (collectively, the "Services").

Our registered address is in Tokyo, Japan. We are the data controller for personal data collected through our website and Services.

If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@rubilabs.io.

This Privacy Policy applies to personal data we collect when you:

• Visit our website at rubilabs.io • Submit an enquiry or contact form • Use or evaluate the Lapis platform • Subscribe to our research publications or newsletters • Attend events or webinars hosted by RubiLabs

This Policy does not apply to data processed by our customers through the Lapis platform on behalf of their own clients. Our customers are independent data controllers for that data, and their own privacy policies govern its use.

We collect the following categories of personal data:

Identity and contact data — name, job title, institutional affiliation, work email address, telephone number, and country of operation.

Enquiry and correspondence data — the content of messages submitted through our contact form, including the nature of your enquiry, your institution type, and any free-text information you choose to provide.

Usage and technical data — IP address, browser type and version, operating system, referral source, pages visited, and interaction events on our website. This data is collected through analytics tools and is primarily used in aggregated, pseudonymised form.

Communications data — records of your consent preferences, email open and click events (where applicable), and opt-in records for our research or marketing communications.

We do not knowingly collect sensitive personal data (such as health data, political opinions, or financial account numbers) through our website or contact forms.

Where the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK GDPR applies to our processing of your personal data, we rely on the following legal bases:

Legitimate interests (Article 6(1)(f)) — We process identity, contact, and enquiry data to respond to your enquiries, to assess potential commercial relationships, and to understand how our website is used. We have carried out legitimate interests assessments where required.

Contractual necessity (Article 6(1)(b)) — Where you enter into a contract with us for the provision of Services, we process your data as necessary to perform that contract.

Consent (Article 6(1)(a)) — Where we send marketing communications or research publications, we rely on your freely given, specific, and informed consent. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in any communication.

Legal obligation (Article 6(1)(c)) — We may process personal data where necessary to comply with applicable law, including anti-money laundering obligations, tax law, and regulatory requirements in Japan and other relevant jurisdictions.

You have the right to object to processing based on legitimate interests. Please see Section 9 for details of your rights.

RubiLabs is headquartered in Japan and operates primarily within the Asia-Pacific region. We take data sovereignty seriously and apply the following principles to all cross-border transfers of personal data:

Primary storage — Personal data submitted through our website and Services is stored on infrastructure located in Japan and/or Singapore. We do not routinely transfer personal data to jurisdictions without an adequate level of data protection.

Transfers to the EEA or UK — Where we receive personal data from individuals located in the European Economic Area ("EEA") or the United Kingdom, we rely on the European Commission's adequacy decision for Japan (Commission Implementing Decision (EU) 2019/419) as the legal mechanism for data transfers from the EEA to Japan. For transfers involving data processed in other jurisdictions, we use Standard Contractual Clauses ("SCCs") as approved by the European Commission, or the International Data Transfer Agreement ("IDTA") for UK transfers.

Subprocessors — We engage a limited number of third-party subprocessors (including cloud infrastructure providers and analytics tools). Where these subprocessors are located outside Japan or the EEA, we ensure appropriate transfer mechanisms are in place and conduct due diligence on their security and privacy practices. A current list of subprocessors is available upon request.

Government access requests — We do not voluntarily disclose personal data to any government authority unless required to do so by applicable law. Where a disclosure request is received, we will, to the extent permitted by law, notify affected individuals before complying.

We use the personal data we collect for the following purposes:

• To respond to your enquiries and manage our relationship with you • To assess the suitability of our Services for your institution's compliance requirements • To provide, maintain, and improve the Lapis platform and related Services • To send you research publications, product updates, and event invitations, where you have given consent or where we have a legitimate interest • To comply with legal and regulatory obligations applicable to us in Japan and other relevant jurisdictions • To detect, prevent, and respond to fraud, security incidents, and misuse of our Services • To conduct internal analytics and improve our website and user experience

We do not sell personal data. We share personal data only in the following circumstances:

Service providers — We share data with trusted third-party service providers who assist us in operating our website and Services (including cloud infrastructure, email delivery, and analytics). All service providers are bound by contractual obligations to process data only on our instructions and to maintain appropriate security standards.

Corporate transactions — In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same protections described in this Policy.

Legal requirements — We may disclose personal data where required by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect the rights, property, or safety of RubiLabs, our customers, or the public.

Professional advisors — We may share data with lawyers, accountants, auditors, and insurers where necessary in the course of professional services they provide to us, under duties of confidentiality.

We do not share personal data with third parties for their own marketing purposes.

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

Enquiry and contact data — Retained for up to 3 years from the date of last contact, or longer where a commercial relationship is established.

Contractual data — Retained for the duration of the contract and for a period of 7 years thereafter, in accordance with Japanese commercial law and applicable tax regulations.

Analytics and technical data — Retained in identifiable form for up to 13 months, after which it is aggregated or deleted.

Marketing and communications data — Retained until you withdraw consent or opt out, after which we will suppress your data rather than delete it, to ensure we honour your preferences.

Where we are required by law to retain data for longer periods (for example, under anti-money laundering regulations), we will retain data for the legally required duration.

Depending on your location, you may have the following rights in relation to your personal data:

Right of access — You may request a copy of the personal data we hold about you.

Right to rectification — You may request correction of inaccurate or incomplete data.

Right to erasure — You may request deletion of your personal data in certain circumstances (the "right to be forgotten").

Right to restriction — You may request that we restrict processing of your data in certain circumstances.

Right to data portability — You may request that we provide your data in a structured, machine-readable format.

Right to object — You may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately.

Rights related to automated decision-making — We do not make solely automated decisions that produce legal or similarly significant effects.

GDPR and UK GDPR rights — If you are located in the EEA or the UK, all of the above rights apply to you under the GDPR and UK GDPR respectively.

APPI rights — If you are located in Japan, you have equivalent rights under the Act on the Protection of Personal Information (APPI), including the right to request disclosure, correction, and cessation of use of your personal information.

To exercise any of these rights, please contact us at privacy@rubilabs.io. We will respond within 30 days. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with a supervisory authority — in Japan, the Personal Information Protection Commission (PPC); in the EEA, the relevant data protection authority in your member state; in the UK, the Information Commissioner's Office (ICO).

Our website uses cookies and similar tracking technologies. We use:

Strictly necessary cookies — Required for the website to function. These cannot be disabled.

Analytics cookies — Used to understand how visitors interact with our website. We use pseudonymised data only, and analytics are processed in aggregate. You may opt out of analytics cookies through our cookie preference centre or by enabling "Do Not Track" in your browser.

We do not use advertising or profiling cookies.

A full list of cookies used on our website is available in our Cookie Policy.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256) • Role-based access controls and least-privilege principles • Regular security assessments and penetration testing • Incident response procedures and data breach notification processes in accordance with applicable law

No method of transmission over the internet is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or a prominent notice on our website.

We encourage you to review this Policy periodically. Your continued use of our website or Services after any changes constitutes acceptance of the updated Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

RubiLabs Inc Privacy Office Tokyo, Japan privacy@rubilabs.io

For GDPR-related enquiries from individuals in the EEA, you may also contact our EU representative at the above address, marked for the attention of "GDPR Enquiry".

These Terms of Service ("Terms") govern your access to and use of the RubiLabs Inc. ("RubiLabs", "we", "us") website and the Lapis compliance intelligence platform (collectively, the "Services").

By accessing or using the Services, you confirm that you are authorised to enter into these Terms on behalf of your institution and that your institution agrees to be bound by them. If you do not agree, do not use the Services.

These Terms are effective as of the date of last update shown above.

RubiLabs is designed from the ground up to protect the confidentiality of institutional data.

No collection of end-client data — Lapis does not collect, store, or process personal data about your institution's end-clients. All counterparty intelligence is derived from publicly available sources, licensed third-party data, and regulatory databases. We do not ingest, retain, or analyse your institution's customer records, transaction histories, or internal files.

Data masking by design — Where illustrative or test data is displayed within the Lapis platform for demonstration or evaluation purposes, all entity names, identifiers, and associated data are fully masked using synthetic substitutions. No real individual or corporate data is used in any demonstration environment. Masked data bears no relationship to any real person, company, or transaction.

Operator data isolation — Your institution's queries, search history, case notes, and workflow data are logically isolated from all other customers. RubiLabs does not cross-reference, aggregate, or use operational data from one customer's environment to benefit another.

Intelligence, not surveillance — Lapis provides intelligence about counterparties and ownership structures based on external sources. It does not monitor, profile, or track the individuals within your own institution.

Subject to your compliance with these Terms, RubiLabs grants your institution a limited, non-exclusive, non-transferable licence to access and use the Services during the applicable subscription period.

You may use the Services solely for your institution's internal compliance, risk management, and financial crime prevention purposes. You may not:

• Resell, sublicence, or distribute access to the Services to any third party • Use the Services to build a competing product or service • Reverse engineer, decompile, or extract the underlying algorithms, models, or data infrastructure • Use automated tools to scrape, harvest, or bulk-extract data from the Services • Use the Services in any manner that violates applicable law or regulation

The intelligence outputs produced by Lapis are advisory in nature. They represent analytical findings derived from available data sources at a point in time and are subject to the limitations of those sources.

RubiLabs does not warrant that any output is complete, accurate, or current. Compliance determinations, risk assessments, and onboarding decisions remain the sole responsibility of your institution and its qualified compliance personnel. Lapis outputs do not constitute legal advice, regulatory guidance, or a definitive determination of any person's legal status.

You acknowledge that reliance on Lapis outputs without independent verification and professional judgement may not satisfy your regulatory obligations.

All software, algorithms, models, data structures, visual designs, documentation, and content comprising the Services are the intellectual property of RubiLabs or its licensors. Nothing in these Terms transfers any ownership interest to you.

You retain ownership of any data, notes, or outputs you generate through your use of the Services, subject to the licence you grant us to process such data in order to provide the Services.

Each party agrees to keep the other's confidential information strictly confidential and not to disclose it to any third party without prior written consent, except as required by law or regulatory authority.

"Confidential information" includes, without limitation: the terms of any commercial agreement between the parties, any non-public technical documentation, pricing, and any data designated as confidential by either party.

This obligation survives termination of the agreement for a period of five years.

To the maximum extent permitted by applicable law, RubiLabs's total aggregate liability arising out of or in connection with these Terms shall not exceed the fees paid by your institution in the twelve months preceding the event giving rise to the claim.

RubiLabs shall not be liable for any indirect, incidental, consequential, or punitive damages, including loss of profits, loss of data, or reputational damage, arising out of or in connection with the Services, even if advised of the possibility of such damages.

Nothing in these Terms excludes or limits liability for fraud, wilful misconduct, or death or personal injury caused by negligence.

Either party may terminate these Terms upon written notice if the other party materially breaches these Terms and fails to remedy the breach within 30 days of receiving written notice.

RubiLabs may suspend or terminate access to the Services immediately if we reasonably believe your use violates applicable law, creates a security risk, or threatens the integrity of the platform.

Upon termination, your institution's access to the Services will cease and we will handle any retained data in accordance with our data retention policy and applicable law.

These Terms are governed by the laws of Japan. Any dispute arising out of or in connection with these Terms shall first be subject to good-faith negotiation between the parties.

If the dispute is not resolved within 30 days of written notice, it shall be submitted to the exclusive jurisdiction of the Tokyo District Court, unless the parties agree in writing to an alternative dispute resolution mechanism.

We may update these Terms from time to time. Where changes are material, we will provide at least 30 days' written notice before the updated Terms take effect. Your continued use of the Services after the effective date constitutes acceptance.

If you do not agree to the updated Terms, you may terminate your use of the Services prior to the effective date.

Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device on subsequent visits and store information about your preferences or actions.

We also use similar technologies including local storage and session tokens. References to "cookies" in this policy include these technologies unless otherwise stated.

We use the following categories of cookies on rubilabs.io:

Strictly necessary cookies — These are essential for the website to function correctly. They enable core features such as page navigation, form submission, and security. These cookies do not require your consent and cannot be disabled through our preference centre.

Analytics cookies — We use pseudonymised analytics cookies to understand how visitors interact with our website — for example, which pages are visited most frequently and how users navigate between sections. This data is collected in aggregate and is used solely to improve the website. You may opt out of analytics cookies at any time.

We do not use advertising cookies, retargeting cookies, or any cookies that track your behaviour across third-party websites.

The following cookies are currently set on our website:

__session (strictly necessary) — Maintains your session state during a visit. Expires at the end of your browser session.

_rblabs_consent (strictly necessary) — Records your cookie consent preferences. Expires after 12 months.

_analytics_id (analytics, opt-in) — Pseudonymised visitor identifier used by our analytics provider. Expires after 13 months. Set only with your consent.

_analytics_session (analytics, opt-in) — Session-level analytics data. Expires at the end of your browser session.

We review and update this list periodically. If we introduce new cookies, we will update this policy and request fresh consent where required.

We do not permit third-party advertising or social media networks to set cookies through our website.

Our analytics provider processes data on our behalf under a data processing agreement and may set cookies as described in Section 3. The analytics provider is contractually prohibited from using the data for its own purposes or sharing it with third parties.

You can manage your cookie preferences at any time through the following methods:

Cookie preference centre — Use the cookie settings link in our website footer to review and update your consent choices at any time.

Browser settings — Most browsers allow you to refuse cookies entirely or to delete existing cookies. Note that disabling strictly necessary cookies may impair the functionality of our website. Please consult your browser's help documentation for instructions.

Opt-out tools — For analytics cookies, you may also use your analytics provider's opt-out tool. Enabling "Do Not Track" (DNT) in your browser will be honoured on our website.

Withdrawing consent does not affect the lawfulness of any processing carried out prior to withdrawal.

We may update this Cookie Policy from time to time as our use of cookies changes or in response to regulatory developments. When we make material changes, we will update the "Last updated" date and, where required, re-request your consent.

For questions about our use of cookies, contact us at privacy@rubilabs.io.