Summary of Personal Data Processing

 

This summary of personal data processing has been prepared by Toyota Sweden AB (“TSW”) and Toyota Denmark A/S (“TDK”) (TSW and TDK are hereinafter also referred to jointly as "Toyota", "we" or "us".) It complements our general privacy policy (“Policy”) and provides more detailed information about the processing we carry out, the legal basis for it, and how long we retain personal data when you use our car‑sharing service KINTO SHARE. Where applicable, this summary also covers processing carried out by Toyota Motor Europe NV/SA (“TME”) and Toyota Connected Europe Limited (“TCEU”).

(Reference to this “Policy” shall also include the local language versions (SE/DK) and vice versa. Defined terms have the meaning set out in the Policy In the instance of any discrepancies between this English version and the corresponding Swedish and Danish versions, this English version shall prevail).

 

1.             CREATION AND DELETION OF KINTO SHARE ACCOUNT/MEMBERSHIP

We process your data so that:

  • We can initiate the conclusion of a car-sharing agreement with you;
  • we can create your KINTO SHARE account and your KINTO SHARE membership (a free-of-charge membership is automatically created when we create your account);
  • you can approve the account/membership creation (for Swedish drivers: using BankID and for Danish drivers: MitID);
  • we can verify that you meet the requirements for entering a car‑sharing agreement; including confirming that the person using the service holds a valid driving license; and
  • we can delete your account/membership upon your request.

Data processed:

  • Driving license information (Swedish license): license number, expiry date, and personal identity number;
  • Driving license information (Danish and European license): photos of your face next to the front and back of your license, license number (depending on the issuing country), personal identity number, and license expiry date;
  • Temporary BankID verification data (for Swedish Drivers);
  • Temporary MitID verification data (for Danish Drivers);
  • Additional data for foreign licenses: personal identity number and/or date of birth (depending on issuing country) and home address;
  • Payment information: bank account and card details.
  • Account access: password chosen by you;
  • Acceptance of terms: information that you have accepted the general terms for KINTO SHARE.

Lawful grounds for processing:

  • Performance of contract: required to enter into a car‑sharing agreement with you;
  • Legitimate interest: after membership ends, data may be retained to establish, exercise, or defend legal claims.

Retention period:

Data is processed until the car‑sharing agreement ends and for an additional period required to establish, exercise, or defend legal claims, but no longer than 5 years including the current financial year. Your account remains stored for 90 days after membership termination to allow reactivation. You may request immediate deletion via customer support.

 

2.             VERIFICATION AGAINST THE DRIVING LICENCE REGISTER (Swedish licenses)

We verify your license details with the Swedish Transport Agency to confirm that you hold a valid driving license when creating your account and throughout the agreement period.

Data processed:

  • License number, expiry date, and personal identity number.

Lawful grounds for processing:

  • Legal obligation: vehicle rental may only be offered to individuals holding a valid driving license.

Retention period:

Data is processed until the contract ends and for any additional period required to establish, exercise, or defend legal claims, and to handle authority requests, but no longer than 2 years.

 

 

3.             MANUAL VERIFICATION OF DRIVING LICENCE INFORMATION (Danish and European licenses)

If you hold a Danish or European license, we manually verify that the license belongs to you. This is done by comparing the photos you submit in the app with the photos on your license. If we suspect that the person in the photos is not the rightful holder, we may contact the individual using the provided contact details.

Data processed:

  • Photos of your face next to the front and back of your license; license number; license expiry date, personal identity number;
  • Contact details: name, email address, customer ID (for in‑app contact), and phone number.

Lawful grounds for processing:

  • Legal obligation: car rental may only be offered to individuals with a valid license.

Retention period:

Data is processed until the agreement ends and for an additional period required to establish, exercise, or defend legal claims and respond to authority requests, but no longer than 5 years including the current financial year .

 

4.             VERIFICATION AGAINST INFORMATION LISTS (BUS) (Swedish drivers only)

For Swedish drivers we process certain personal data in relation to the information list maintained by Biluthyrarna Sverige (BUS) to:

  • check whether you are registered and/or blocked in BUS’s information list; and
  • report to BUS’s information list if you are found to be in breach of KINTO SHARE’s general terms in any of the following ways:
  • failing to return the vehicle after the rental period;
  • failing to pay parking fines;
  • failing to pay rental fees or other charges;
  • neglecting or damaging the vehicle;
  • being reported to the police for unlawful use; or
  • unlawfully allowing another person to drive the rental vehicle.

The purpose of BUS’s list is to protect rental companies and the public interest. BUS operates this list under authorization from the Swedish Data Protection Authority.

Data processed:

For checks: registration number;

For reporting: name, personal identity number, driving license number, and reason for reporting.

Lawful grounds for processing:

Performance of contract: required to fulfil the car‑sharing agreement;

Legitimate interest: to protect our vehicles and establish, exercise, or defend legal claims.

Retention period:

Data used for checking whether you are blocked is processed only during the membership application review. Data used for reporting purposes is retained until the agreement ends and for any additional period required to establish, exercise, or defend legal claims. Reporting documentation is kept for three working days for administrative handling.

 

 

 

5.             PAYMENT ABILITY ASSESSMENT

As part of our review of your request to create a KINTO account, we conduct a payment ability assessment using our external partner Kreditz (www.kreditz.com). Kreditz collects information about your financial situation directly from your bank (under the PSD2 regulation), always with your approval.

Data processed:

  • Identity and contact information: full name, email address, phone number, and personal identity number;
  • Payment ability assessment result: confirmation (yes/no) of whether you meet our credit assessment criteria.

Lawful grounds for processing:

  • Performance of contract: necessary to enter into and fulfil the car‑sharing agreement;
  • Legitimate interest: to ensure your ability to meet payment obligations.

Retention period:

The data is stored only as long as necessary to assess your creditworthiness and for a maximum of 14 days.

 

6. USE OF KINTO AND HANDLING OF BOOKINGS

We process personal data associated with your user account to:

  • enable you to make bookings based on your preferences;
  • show you past bookings;
  • display the duration of your bookings;
  • prevent fraud (e.g., unauthorized fueling, unreported damage, vehicle loss);
  • track when a vehicle is unlocked via the app so we can record booking time and usage and locate vehicles if they go missing;
  • track your usage of KINTO services;
  • record mileage and other data required for correct billing; and
  • allow you to report damages and allow us to log when damages are reported.

Data processed:

  • Identity and contact information: full name, email address and phone number;
  • Location (GPS) data (special processing regulation applies to Danish drivers): we process limited location data related to the vehicle and your use of the same to discover and be able to take action on vehicle misuse, theft, fraud and/or other contractual breaches. GPS data is stored in the vehicle on-board GPS-sensor and transferred every two minutes to a central KINTO repository. The GPS data is however not processed further unless required to be used for any of the above purposes;
  • Vehicle data: we process other vehicle data, for example sensor data (accelerometer, gyroscope, Bluetooth, motion, device‑calculated movement patterns), battery range data, vehicle lock status and other vehicle technical data;
  • Driving behavior data: we process data about how you are using the vehicle, e.g., speed, acceleration, braking, damage, technical faults, incidents, theft, vandalism;
  • Historical customer information: Booking history and previous booking requests. Vehicle preferences (including license plate number). Historical use of fuel cards to identify unauthorized refueling in order to prevent fraud;
  • Payment: Information about payment accounts, payment history, and payment details (for example amount and payment date);
  • Booking information: Time and date for unlocking via the App. Vehicle odometer readings before and after handover. Location data to ensure proper return;
  • Ride‑sharing coordination data (times, places, passengers, pick‑up/drop‑off points);
  • Damage information: Registered damage reports or reports of vehicle loss, records of damages in the damage log after a completed damage inspection, description of the damage, photo of the damage in the App.

Lawful grounds for processing:

  • Performance of contract: necessary to fulfill the car‑sharing agreement entered into between you and us;
  • Legitimate interest: in preventing fraud and maintaining our vehicles;
  • Legal obligation: GPS position may need to be provided if the vehicle is reported missing. Your personal data may be shared in connection with this if you were the last user.

Retention period:

Data is processed until the agreement ends and for an additional period required to establish, exercise, or defend legal claims and respond to authority requests, but no longer than 5 years including the current financial year.

 

7.             SUPPORT SERVICES

We process your personal data to communicate with you effectively when you contact our support service. Your data may also be shared with our support provider, H1 Communication AB, to ensure you receive assistance.

Data processed:

  • Identity and contact information: full name, email address, and phone number;
  • Driving license information (foreign licenses): photos of your face with the front and back of your license, license number, and expiry date;
  • Historical customer information: booking history, previous booking requests, vehicle preferences (including registration numbers), and historical fuel‑card use when you believe you were incorrectly charged for unauthorized fueling;
  • Booking information: times and dates of vehicle unlocking via the app, mileage readings;
  • Payment information: bank account details, payment history, and payment information (amount, date, etc.);
  • Damage information: damage reports, reports relating to loss of vehicle, registered damage logs after inspections, descriptions of damage, and photos of damage submitted through the app;
  • Location data: limited geographical data such as GPS position of a vehicle reported missing.

Lawful grounds for processing:

  • Performance of contract: required to fulfil the car‑sharing agreement;
  • Legitimate interest: to communicate with you and provide support efficiently and cost‑effectively.

Retention period:

Data is processed until the customer support matter is resolved and for any additional period required to establish, exercise, or defend legal claims, up to a maximum of 5 years including the current financial year.

 

8.             MARKETING AND COMMUNICATION

We process your personal data to:

  • keep you informed (via email or push notifications) about your use of the app and KINTO SHARE, including upcoming and completed bookings;
  • notify you of updates to the general terms and privacy policy;
  • respond to questions regarding your personal data and help you exercise your rights;
  • assist you with changes to your account information;
  • request your feedback on KINTO SHARE;
  • send you invitations to participate in events or market surveys; and
  • ask whether you consent to the use of your personal data for marketing purposes and register your refusal if you decline.

We also use your personal data to create aggregated data to:

  • improve Toyota vehicles, applications, existing services, and develop new mobility solutions;
  • conduct research, perform data analysis, and create aggregated user profiles to enhance KINTO SHARE; and
  • secure, maintain, and support systems, networks, and applications.

In some cases, only aggregated data is used. If aggregated data cannot be linked to you, it no longer constitutes personal data.

Data processed:

  • Identity and contact details: full name, email address, and phone number;
  • Historical customer and booking information: booking history, booking requests, vehicle preferences, unlocking times, and mileage readings;
  • Damage information: number and type of registered damage reports, descriptions, and photos.

Lawful grounds for processing:

  • Legitimate interest: our legitimate interest in communicating selected marketing communication and providing relevant services related to KINTO SHARE, to our existing customers;

Retention period:

   -       Data is processed as long as your carsharing agreement and membership is active, and for any additional period required to establish, exercise, or defend legal claims. Processing based on consent continues until consent is withdrawn.

   -       If you are an active customer, we will store your Personal Data for as long as you remain active with a party within us. If you are no longer active, your Personal Data will be anonymized 7 years after your last activity with us (e.g., 7 years after the date of the last workshop invoice), or 7 years after the first registration date of the vehicle you own and which has been purchased, serviced, or otherwise had activity with us. You will be considered an active customer with us if, during the period, you have one or more interactions with us. Such interactions may include test driving a new or used car, requesting a quote for a new or used car, registering as a customer, workshop visits, or similar activities.

   -       Other information from sales activities is anonymized 12 months after the potential customer’s (prospect’s) last activity in the Toyota network (e.g., a test drive, request for a quote, or other inquiry).

 

 

9.             SHARING OF YOUR PERSONAL DATA

We may share your personal data with the following parties for the purposes described:

  • H1 Communication AB – to provide KINTO SHARE customer support;
  • Companies within the Toyota Group, including Toyota Motor Europe NV/SA and Toyota Connected Europe Limited – for sales and marketing activities in line with your preferences;
  • Facebook and other advertising networks (email address only) – to communicate with existing customers and to block or tailor advertising in your social media feed according to your preferences;
  • Authorities (e.g., enforcement authorities such as the Swedish Enforcement Authority (Kronofogden), supervisory authorities such as the Swedish Transport Agency, and the Swedish and Danish Tax Agencies) and courts – when necessary to fulfil legal obligations;
  • Counterparties or third parties, such as debt collection agencies – in connection with disputes;
  • BUS – to submit required reports to the BUS information list (Swedish drivers);
  • Kreditz (www.kreditz.com) – for carrying out a credit check as part of the onboarding process;
  • External service providers – for development, marketing, and operation of KINTO SHARE, including IT system maintenance and platform support.
  • Your employer, if you have subscribed for Professional Use.

Data processed:

  • Identity and contact information: full name, email address, personal identity number and phone number;
  • Historical customer and booking information: booking history, booking requests, vehicle preferences, unlocking times, mileage, payment history, and payment information.

Lawful grounds for processing:

  • Legitimate interest: to provide relevant services and improve our offerings;
  • Legal obligation: for data shared with authorities, courts, and specific third parties.

Retention period:

Data is processed until the sharing activity is completed.

 

10.          PROCESSING TO FULFIL LEGAL OBLIGATIONS

We process your personal data to comply with legal requirements. This includes sharing information with authorities and courts and retaining certain data for statutorily required periods. Data may also be used in legal disputes or other legal processes.

Data processed:

  • Identity and contact information: full name, email address, and phone number;
  • Payment information: bank account details, payment history, and payment information;
  • Historical customer and booking information: booking history, payment history, and related information.
  • Vehicle E-call data

Lawful grounds for processing:

  • Legitimate interest: to provide relevant services and defend legal claims;
  • Legal obligation: to fulfil statutory duties or comply with court or authority decisions.

Retention period:

Data is retained for as long as necessary to establish, exercise, or defend legal claims, or for the time required by applicable law (e.g., 5 years including the current financial year for accounting purposes).

 

11.          SPECIAL CATEGORY DATA

We do not process any special category data (Article 9(1) GDPR).