Privacy Notice

USERS OF KINTO SHARE - SWEDEN
EFFECTIVE DATE: 1 September 2025

Swedish privacy policy

 

1. Introduction

This Privacy Policy ("Policy") describes how we at Toyota Sweden AB (556041-0010) ("Toyota", "we" or "us") collect and process your personal data in connection with your registration for and use of our car sharing service KINTO. Within Toyota, several mobility services are offered under the joint name KINTO, and this Policy explains how we collect and process your personal data within KINTO. If you provide your personal data when using any other service from Toyota or Lexus, please refer to the information regarding the processing of personal data specific to those services.

 

2. Who is responsible for collecting and processing your personal data?

The data controller responsible for the collection and processing of your personal data is Toyota. Our contact details are as follows:

Mailing address: Box 1103, 172 22 Sundbyberg, Sweden.

Visiting address: Madenvägen 7, 174 55 Sundbyberg, Sweden.

Phone number: 010 - 196 96 00
www.kinto-mobility.se.

 

Toyota Motor Europe NV/SA ("TME") and Toyota Connected Europe Limited ("TCEU") will also collect and process your personal data as joint data controllers in connection with their use of the technical platform used to provide the services within KINTO as described below.

 

TME can be reached at: Avenue du Bourget/Bourgetlaan 60, 1140 Brussels, Belgium.

 

TCEU can be reached at: 10th Floor, 14-18 Handyside Street, London N1C 4DN, United Kingdom.

 

Where applicable, data sharing agreements have been concluded between the parties to regulate the relationship between Toyota, TME and TCEU as it relates to the use and sharing of your personal data.

 

3. How we process your personal data

We process personal data about you when you create an account ("KINTO account") with us and enter into an agreement for car sharing services ("Agreement"). The Agreement is entered into by accepting the terms & conditions for KINTO ("Terms") and by reading this Policy (Note: No physical agreement document is signed). We then process your personal data when you book a vehicle, when you use the vehicle, and when you close your KINTO account. We collect personal data both from you and from external sources. The personal data we process about you is described in detail in the section "Use of your personal data" below and in the document "Summary of personal data processing" available on our website www.kinto-mobility.se.

 

The personal data we process includes, for example, your email address, full name, phone number, address, personal identification number, information on the front and back of your driver's license, and, if you do not have a Swedish driver's license, photos of you. When you use KINTO, we also process personal data about your use of our services, which includes details about upcoming and completed bookings (such as vehicle preferences, dates, times, distances, and damage reporting). We process this data for various purposes, such as enabling you to register a KINTO account, make bookings, or report damage to the vehicle you are renting or have rented. We never process your personal data without ensuring we have a legal basis for the processing in question. There is a legal basis for processing your personal data for each specific purpose.

 

4. What rights do you have regarding your personal data?

Toyota, TME, and TCEU process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and Council (General Data Protection Regulation, "GDPR"). Under GDPR, you have certain rights regarding our processing of your personal data by KINTO:

  • Information: You have the right to receive concise, clear, understandable, and easily accessible information about how we process your personal data and what rights you have regarding this processing. This is one reason why we have established this Policy.
  • Access to personal data: You have the right to access your personal data, for example, to check that we process your personal data in accordance with the law.
  • Rectification: You have the right to have incorrect or incomplete personal data about you corrected or supplemented.
  • Erasure: You have a "right to be forgotten." This means, in short, that you, under certain conditions, can request the erasure or removal of your personal data, for example, when the data is no longer necessary for the purposes for which it was collected or processed, when you withdraw your consent, or when we no longer have compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms.
  • Restriction: You have the right, under certain conditions, to require us to restrict or prevent further use of your personal data. Restriction of the use of your personal data means that we can still store your personal data, but we are prevented from processing your personal data in any other way.
  • Data portability: You have the right, under certain conditions, and as long as it does not affect the rights of others, to receive your personal data electronically and have the right to have it transferred to another data controller. This right can be used, for example, when you have provided us with personal data that we process to fulfill an Agreement with you. The use of the right to data portability makes it easier for you to move, copy, or transfer your personal data between our IT systems or to third parties without affecting the usability of the data.
  • Objections: When we process your data based on our legitimate interest, you have the right to object to our processing of your personal data unless we can demonstrate compelling legitimate grounds for the processing. You can always object to your personal data being used for direct marketing.
  • Complaints: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Sv. "Integritetsmyndigheten") if you believe that we process your data in violation of GDPR. You can find information on how to submit a complaint on the Authority's website (www.imy.se).
  • Automated decisions: As a general rule, you have the right not to be subject to a decision based solely on automated decision-making (including profiling) if the decision may have legal consequences for you or similarly significantly affect you. Read more under the section "Creation and activation of your KINTO account" about how we make automated decisions when registering your KINTO account.

 

5. How to exercise your rights

Toyota is the data controller for the processing of your personal data, and we ask you to send all requests to exercise your rights to Toyota. If necessary, Toyota will then contact the appropriate responsible parties within KINTO or other companies within the Toyota Group (including TME and TCEU) with whom we may share your personal data to resolve your requests or complaints. You can contact us through our data protection contact point: integritet@toyota.se. You can also contact us at the following address: Box 1103, 172 22 Sundbyberg, Sweden.

 

Your requests will be answered as soon as possible and always within the timeframes required by GDPR. When you contact us, we may ask you to provide additional information necessary to confirm your identity. This is to prevent us from disclosing information about other registered individuals than yourself, which may violate GDPR. Please also note that even if you have asked us to erase your personal data, we may be required by law to retain certain personal data.

 

6. Changes and updates to this Policy

This Policy will be updated continuously. In our application and web portal, the most recently updated version of this Policy will always be available, and you are asked, as part of creating your KINTO account, to read it and confirm, by checking a box, that you have read it. If you have questions about changes to this Policy, please contact us using the contact details provided in the section "How to exercise your rights" above.

 

7. What is KINTO?

KINTO is a car sharing service. The service includes:

  • The car sharing services KINTO Share (car sharing service from 1 hour up to and including 30 days) and KINTO Flex (long-term rental between 1-12 months) for cars of the brands Toyota or Lexus, or other brands;
  • The mobile application KINTO Share (SE) ("App") and web portal ("Portal") used to make and manage bookings and to access the vehicle used; and
  • Support services via phone, Portal, and in the App.

 

8. Use of your personal data

This section explains how, why, and by whom your personal data is collected and processed when you register for and use KINTO.

 

Registration to create a KINTO account

To register and use services from KINTO, you need to create a KINTO account. To start a KINTO account, you need to register on the website. When registering, you must provide your email address, full name, phone number, and a password of your choice. These personal data constitute your "Registration Data." To create a KINTO account, you must also confirm that you accept the Terms and have read this Policy.

The Registration Data is collected so you can create an account with us. The processing is lawful because it is necessary to take preparatory steps for the Agreement entered between you and us when you book a car with us. The data is stored until the Agreement between us is terminated and for any additional time required to establish, assert, or defend any legal claims.

 

Credit Assessment

As part of our review of your request to create a KINTO account, we conduct a credit assessment using our external partner Kreditz (www.kreditz.com). Kreditz collects information about your financial situation directly from your bank (under the PSD2 regulation), always with your approval. We also collect your personal identification number to validate your driver's license. By accepting the Terms via BankID, you give us permission to collect such data. The purpose of collecting this personal data is to ensure your payment ability. The processing is lawful because we have a legitimate interest in ensuring payment obligations are fulfilled. The data is stored only as long as necessary to assess your creditworthiness and for a maximum of 14 days.

 

Collection of Driver's License Data

If you have a Swedish driver's license: last validity date of your license.

If you do not have a Swedish driver's license: three photos, where the first shows your face next to the front of the license, the second shows the back of the license, and the third is a photo of your face.

We use your account information regarding your driver's license to verify your license data against the Swedish Transport Agency's license register to ensure you have a valid license. If you do not have a Swedish license, your license data is verified via our supplier Onfido / Entrust (www.entrust.com). We may periodically check the Transport Agency's license register during your membership to verify that you have a valid license. The processing of your license data as described above is to fulfill the Agreement you have with us and in accordance with applicable legal regulations. The data is stored until the Agreement between us is terminated and for any additional time required to establish, assert, or defend any legal claims or fulfill legal obligations to authorities such as the Transport Agency and the police.

 

The above data constitutes your "Account Information."
The processing is lawful because it is necessary for you to enter into an Agreement with us. The data is stored until the Agreement between us is terminated and for any additional time required to establish, assert, or defend any legal claims or fulfill legal obligations.

 

Reporting to Biluthyrarna Sverige (BUS)

Toyota will process your personal data in relation to Biluthyrarna Sverige (org. no. 802015-0333) ("BUS") information list, to (i) check if you are registered and/or blocked in BUS's information list, and (ii) to report to BUS's information list if you have violated the Terms in any of the following ways:

  • Not returning the rental object after the rental period has ended;
  • Not paying parking fines;
  • Not paying rent and other compensation;
  • Neglecting the vehicle;
  • Being reported to the police for unauthorized use;
  • Illegally handing over the rental vehicle to another driver.

When we submit documentation for reporting under point (ii), we process your name, personal identification number, driver's license number, and reason for reporting. We process your personal data according to (i) and (ii) to fulfill the Agreement with you and for our legitimate interest in protecting and maintaining our vehicles. Our reporting is a prerequisite for BUS to maintain an information list, and the list is necessary to safeguard our and other rental companies' legitimate interest in establishing, asserting, or defending legal claims. BUS's information list is maintained with permission from the Swedish Authority for Privacy Protection. If we receive a match against the information list, this information is stored until the Agreement between us is terminated and for any additional time required to establish, assert, or defend legal claims. Documentation for reporting to BUS's information list is stored only as long as necessary for the information to be received and registered by BUS, which is normally within three working days. More information about how personal data is handled in BUS's information list can be found on https://biluthyrarna.se/wp-content/uploads/2018/05/Biluthyrarna-Sverige-Personuppgifter-20180525-1.pdf.

 

Rejection upon Activation of KINTO Account

If your KINTO account is not activated, it is based on an automated decision, for example, because your driver's license identity could not be verified or your payment ability (creditworthiness) is not deemed acceptable. You may also be rejected if you are blocked in BUS's information list. According to GDPR, you generally have the right not to be subject to a decision based solely on automated decision-making if the decision significantly affects you. However, this does not apply if such decision-making is necessary for entering into or fulfilling an Agreement between you and us. Since activation of the KINTO account is necessary for you to access the service, such automated decisions will need to be made. You will always receive a notification if your KINTO account cannot be activated, and you can always contact us to resolve such issues or get an explanation as to why you cannot use a KINTO account. If you do not have a Swedish driver's license and your license identity cannot be verified, we will contact you to resolve such issues. If you are rejected, your Registration and Account Data are stored only as long as necessary to resolve any claims between you and us.

 

Use of KINTO

Toyota uses your Registration Data and Account Data so that you can create and manage bookings. In the context of your use of KINTO, we process your personal data, including your Registration and Account Data, in the following ways:

  • Administration of booking history and booking requests (for example, vehicle preferences, including registration number, use of fuel cards to identify unauthorized refueling according to the Terms, to prevent fraud, odometer readings before and after handover, any registered damage reports or reports of loss of vehicle, date and time of booking, and mileage);
  • Ongoing bookings (for example, time and date of unlocking via the App, registration of damages in the damage log after completed damage checks, and description of the damage including photo in the App); and
  • Follow-up of usage (for example, limited location data related to the vehicle you rent (such as GPS position), and other vehicle data to know that the vehicle has been returned and whether the vehicle is locked or not).

The above data constitutes your "User Information." User Information is used to administer your bookings and ensure that the use of KINTO is in accordance with the Agreement. This involves ensuring that the rented vehicle is returned to the correct location (which involves GPS positioning) and registering new damages that you report via the App, which may lead to insurance claims. The processing is lawful because it is necessary to fulfill the Agreement entered between you and us. The data is stored until the Agreement between us is terminated and for any additional time required to establish, assert, or defend any legal claims.

Toyota, TME, and TCEU may process driving behavior (for example, driving logs, travel logs, speed, acceleration, and braking speed in the future). The purpose is to provide feedback to the driver regarding driving style to create incentives for more sustainable driving. Toyota may in the future offer, for example, membership benefits to create incentives for sustainable driving. Processing of personal data for these purposes will be based on our legitimate interest in developing our products and services in relation to you.

 

The processing of location data above is used only for limited purposes and relates only to the vehicle being rented. Location data is processed, for example, if the vehicle is stolen or if the driver is reported missing. Toyota, TME, and TCEU carry out this processing based on their legitimate interest in being able to track and manage their vehicles. Such data is stored only as long as needed to resolve the situation that led to the activation of location data. If we process location data beyond what is stated above, we use only anonymized and aggregated data that cannot be linked to you as a person. Such data does not constitute personal data about you.

 

KINTO Support

Through KINTO, we provide you with support 24 hours a day, 7 days a week. To communicate with you effectively, we use your Registration Data, Account Data, and User Information. For example, we may need to know the length of your booking or the distance you have driven, or we may need access to your booking history to assist with current bookings and vehicle pick-up. We also need to contact you when you register new damages in the damage log, describe such damages, and send photos in the App. The processing is lawful because it is necessary for our legitimate interest in ensuring that you can use KINTO satisfactorily and that damages to our vehicles are reported. The data is stored for as long as the case is ongoing and, for certain data, until you or we terminate the Agreement.

 

Closing and Deleting Your KINTO Account

You can terminate the Agreement and your KINTO account by contacting us. Your KINTO account is immediately blocked and will be fully closed after 90 days, provided you have no unpaid invoices or open cases. In some cases, Toyota has the right to immediately terminate your Agreement. Toyota uses your Account Information to close your registration as described above. The processing is lawful because it is necessary to fulfill the Agreement entered between you and us. If Toyota terminates the Agreement, Toyota stores your personal data for a period of 90 days or for any additional time required to establish, assert, or defend legal claims.

 

Our Communication with You

Toyota uses your Registration Data, Account Data, and User Information to communicate with you in order to:

  • Keep you informed (via email, in-app, or so-called push notifications) about your use of the App and the KINTO service, for example, by notifying you of upcoming and completed bookings;
  • Keep you informed about updates to the Terms and this Policy;
  • Quickly and accurately respond to questions you have regarding the processing of your personal data;
  • Make changes to your Account Information as you have requested;
  • Investigate your experience with KINTO;
  • Ask you if you consent to the processing of your data for marketing purposes; and
  • Support our sales and marketing activities.

Direct marketing (via phone, email, and SMS) regarding, for example, invitations to events, recommendations, or requests to participate in market research is carried out based on the consent you provide during registration, or in some cases, our legitimate interest. If you no longer wish to receive this type of communication, you can opt out at any time, for example by:

  • Clicking the unsubscribe link in our email mailings,
  • Replying with STOP to SMS, or
  • Declining further newsletters via the instructions provided in the mailings.

The processing is lawful from the time your consent is registered until you withdraw it.

 

Use of Your Personal Data for Other Purposes

Toyota, TME, and TCEU use your Account Information and User Information to:

  • Improve the functionality of Toyota's vehicles, their applications, existing products and services, and to develop new products and services;
  • Conduct research and development, perform data analysis, and create group user profiles from aggregated data to enhance and improve KINTO and to develop new mobility services and solutions; and
  • Secure, maintain, and support networks, systems, and applications.

We process the above data only to a limited extent and for the period required to convert the data into anonymized and aggregated data. The legal basis that Toyota, TME, and TCEU rely on for processing your Account Information and User Information for the above purposes and for the limited processing period is the legitimate interest in providing the customer base with relevant services and in developing products and services.

 

Toyota, TME, and TCEU also use your Account Information and User Information, if necessary, in connection with a dispute or other legal proceedings in which we may be involved with you or another third party. The purpose of the processing is to resolve such disputes, and the processing is lawful because it is necessary for our or a third party's legitimate interests in resolving a dispute or other legal proceedings.

 

Toyota, TME, and TCEU also process your personal data to fulfill legal obligations under law or regulation. For example, Toyota may share financial data in accordance with the Accounting Act (1999:1078), as well as data on rentals under the Car Rental Act (1998:492) and the Car Rental Ordinance (1979:873). Processing for these purposes is lawful because it concerns fulfilling a legal obligation. The data is stored for as long as required by law, which for accounting is 7 years.

 

9. Sharing Your Personal Data

In connection with your use of KINTO, Toyota, and where applicable, TME and TCEU, share your personal data with others as follows:

  • Account Information and User Information are shared with Responda Group AB so that they can provide KINTO support to you.
  • Toyota shares your personal data with TME and TCEU within the technical platforms we use within KINTO. TME and TCEU, as joint controllers, have access to the technical platform where your personal data may be stored from time to time, but access will primarily involve sharing aggregated data.
  • Sales and marketing activities may be carried out by other companies within the Toyota Group. If so, Toyota, TME, or TCEU may share your personal data with such a company, but only in accordance with your marketing preferences. You always have the right to opt out of marketing mailings (see above under "What rights do you have regarding your personal data?").
  • We share email addresses with Meta and other advertising networks (such as Google) to communicate with our existing customers. If you have chosen not to receive marketing from us, we may also need to share your email address with Meta and other advertising networks so that such social media can block ads from us in your social media feed or to exclude non- relevant information.
  • If necessary to fulfill legal obligations under law, court order, or authority decision, Toyota, TME, and TCEU will share your personal data with authorities (such as enforcement authorities like the Swedish Enforcement Authority and supervisory authorities like the Swedish Transport Agency and the Swedish Tax Agency) and courts.
  • In the context of a dispute in which Toyota, TME, or TCEU is or may become involved, your personal data may be shared with counterparties or third parties, such as debt collection agencies or professional advisors.
  • We share your personal data with BUS as stated under the section "Activation of KINTO account" above.

Toyota, TME, and TCEU use external service providers in connection with the development, marketing, and provision of KINTO. These service providers may, in some cases, be given access to your personal data when providing services to Toyota, TME, and TCEU. For example, we use external service providers to support and maintain IT systems, platforms, and applications within the services provided by KINTO. All our service providers are subject to confidentiality obligations and information security requirements in accordance with GDPR. Where our service providers process personal data about you on our behalf, we enter into data processing agreements that meet the requirements of GDPR with such parties.

Whenever we share your personal data with external parties, we always ensure that the necessary agreements have been signed by the parties, such as data processing agreements or data sharing agreements, and that necessary security measures have been taken.

 

10. How long do we store your personal data?

As a rule, Toyota, TME, and TCEU store your personal data for as long as necessary to provide you with KINTO's services, fulfill our contractual obligations under the Agreement between us, and achieve the purposes for which we collected the personal data.

 

After your Agreement has been terminated and your KINTO account has been deleted, your Registration Data, Account Information, and User Information will, as a rule, be retained for the period required for us to settle our relationship with you and resolve any outstanding debts or obligations. Your personal data will then be permanently deleted unless we have a legal obligation to retain it for a longer period or otherwise need the data in connection with disputes or legal proceedings. The period during which we retain your personal data is set out in each section above and in our Summary of personal data processing.[2] For your convenience, your KINTO account and its data are retained for 90 days after the termination of the Agreement to allow you to reactivate your Agreement with us. If you want immediate termination, please contact our customer service and we will delete your KINTO account.

 

Please note that we process certain anonymized, aggregated data derived from your personal data but de-identified in such a way that the information no longer constitutes personal data about you. GDPR does not apply to such anonymized aggregated data, and we may retain such data for periods other than those otherwise specified in this Policy.

 

11. Will my personal data be transferred to other countries?

Your personal data may be stored and processed by Toyota, TME, TCEU, or other companies within the Toyota Group, as well as by other third-party providers, in several different countries, including countries other than the one in which you are domiciled. Your personal data may therefore, for example, be transferred to the United Kingdom, Japan, and/or the United States.

Accordingly, your personal data will be transferred to countries outside the EU/EEA, and such transfers will only occur if there is an adequate level of protection in that country or if appropriate safeguards have been implemented, primarily the use of Standard Contractual Clauses (SCCs). We always take all necessary security measures, including technical security measures, to ensure that your personal data is processed in accordance with the requirements of GDPR.

 

If you would like more information on how we protect your privacy when transferring personal data to third countries, please contact us as set out in the section "How to exercise your rights" in this Policy.

12. Your personal data is correct and up to date

It is important that your personal data is correct, complete, and up to date. You can correct certain personal data directly in the App. In some cases, you may need to contact our customer service for technical reasons to correct personal data. If you have other requests regarding the accuracy or currency of your personal data, please contact us as set out in the section "How to exercise your rights" in this Policy.

 

Footnotes / References

[1]: More information about BUS's information list (in Swedish): https://biluthyrarna.se/wp- content/uploads/2018/05/Biluthyrarna-Sverige-Personuppgifter-20180525-1.pdf

[2]: Summary of personal data processing: https://www.kinto-mobility.se/kinto-share/personuppgiftsbehandlingar/