Global Privacy Policy for Global KINTO ID Platform & Global KINTO App

Effective as of 1 April 2024

Table of contents

1 Introduction

Dear Customer, thank you for choosing KINTO! In this Privacy Policy, Toyota Financial Services Corporation and the other KINTO service providers mentioned in the Appendix (“we”) aim to inform you about how your Personal Data is managed (gathered, stored, used, shared), and how you can exercise your rights. You can click on a specific section in the table of contents to learn more about it.

At KINTO, we are committed to bringing you the best mobility experience. To make sure that you enjoy our services and your requests are processed correctly, we will collect some of your Personal Data. This collected information, such as your name, your e-mail address, or any data about you, will be used by each KINTO service provider mentioned in the Appendix.

The scope of this Privacy Policy concerns the processing of Personal Data provided by you when making use of the KINTO services. For information regarding specific regional services, please refer to the Privacy Policy of each of the KINTO services of your country of interest. In the event of any inconsistency between the terms of this Privacy Policy and the terms stated in the Privacy Policy of each of the regional services, the local terms shall prevail over this Privacy Policy.

2 Definitions / Roles and responsibilities

“Personal Data” means any information relating to an identified or identifiable natural person, either directly or indirectly. For Indian customers, this may include the "sensitive personal data or information" designated under the Information Technology Act, 2000 such as your passwords.
“Data Protection Authority” means independent public authorities that supervise, through investigative and corrective powers, the application of data protection laws. They provide expert advice on data protection issues and handle complaints lodged against violations of data protection regulations and relevant national laws. For more information about the Data Protection Authorities of the KINTO services, please refer to the Appendix.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data subject” means an individual who is the owner of Personal Data.
“Data Controller” means the person or juristic person that determines the purposes for which and the means by which Personal Data is processed. In this Privacy Policy, Toyota Financial Services Corporation and the other KINTO service providers mentioned in the Appendix shall be the Data Controllers.
“Data Processor” means a person or juristic person who processes, collects, uses or discloses Personal Data in accordance with an order of or on behalf of the Data Controllers. The person or the juristic person engaging in those procedures is not the Data Controller. For the detailed information of each Data Processor, please refer to each service’s Privacy Policies listed in the Appendix.
“Usage Data” means information about how the services are used, which includes, for example, contract status of various services, usage history, and information about your behavior when you use the internet or application, such as settings, selection, input, date and time of use, staying time, etc.
“Cookies” means small, temporary files collecting Personal Data that need to be installed on the computer of the data subject only for convenience and facilitation of communication while gaining access to a website.

3 Your Personal Data

3.1 Nature and source of the collected data

Your Personal Data is collected and processed through the Sign Up/Sign In process and in any subsequent requirements that some services may have so that you can use the KINTO service of your interest. The Necessary Data (as set out below) transmitted shall be solely used by the Data Controllers to allow the access and the use of the KINTO Services.

Particularly, KINTO shall require the following categories of Personal Data which are necessary for the registration (“Necessary Data”):

If you provide any Personal Data to us on behalf of other persons, it is your responsibility to confirm that such other persons consented to the processing and transfer of their Personal Data in accordance with local legislation, and you shall be authorized to receive any privacy notice and other related information on their behalf.

Moreover, other Personal Data may be required in order to allow you to personalize your profile (“Optional Data”). Besides the above, any further processing (including marketing) on the data provided shall be based on the existing KINTO service Privacy Policies. For details about Optional Data, please refer to each service’s Privacy Policies listed in the Appendix.

The provision of the Personal Data listed above is optional; however, in case of failure to provide the Necessary Data, the Data Controllers will not be able to create your account and provide the services.
The failure to provide the Optional Data shall not preclude the creation of the account and the use of the services, but in some cases the insertion of further information may be required in order to access additional services. Car number, for example, shall be required in order to access and use parking payment services. Without the provision of it, the access to parking payment features shall be precluded.

3.2 Data about your account on other services

We may obtain certain information through your social media or other online accounts if they are connected to your KINTO account. If you login to KINTO via Facebook or another third-party service, we ask your permission to access certain information about that other account. Depending on the service or platform, we may collect, for example, your name, profile picture, login email address, location and birthday. Said social media or online account provider shall act as a data controller and its Privacy Policy will be available on its respective websites.

The Personal Data provided shall be processed to achieve the following purposes:

For the processing under points c and d above, if you decide not to provide your consent, no processing of Personal Data will be carried out. The refusal to provide the consent will have no consequence on the subscription and execution of the contract between you and the Data Controllers, nor will there be any negative consequence against you.
Moreover, the consent provided may be withdrawn at any time as easily as it was given. The withdrawal of consent shall not affect, in any case, the lawfulness of the processing carried out until that moment.

| Categories of personal data | Description of category | Processing purpose |
|---|---|---|
| Personal Data acquired directly from you | This is the Personal Data that is provided by you or collected by us to enable you to sign up for and use the KINTO Service. This may include the following data: Email Address; Phone Number; Name; Gender; Date of Birth; Address; Location. We also collect other information as necessary for us to conduct ordinary business activities. | To provide KINTO Service. To authorize and to authenticate a user. For marketing, promotion, and advertising purposes. To customize your experience, such as showing weather forecast and showing your country phone code in the booking process. To conduct ordinary business activities. |
| Data acquired from information technologies | System Log / Application Log | To understand, diagnose, troubleshoot, and fix issues with the KINTO Service. To evaluate and develop new features, technologies, and improvements to the KINTO Service. |
| | Usage Data | To make the services more convenient for customers. To plan, develop and improve the services and various investigations and analyses relating to them. |
| | IP addresses | To protect the KINTO service environment from unauthorized access and to provide appropriate services to our customers at the right time. |

Each service may collect additional Personal Data which is not listed here. To know more about the details of what is collected, its processing purposes and the legal basis, please refer to each service’s Privacy Policies listed in the Appendix.

For Kuwait customers, other than what is justified by the legal basis mentioned above, in order to conduct our ordinary business activities, Data Controllers may process your Personal Data where necessary for the performance of a task carried out in the public interest or in the exercise of local authority vested in each Data Controller. In addition, we assure that we collect only Tier 2 data of the types specified in the Data Classification Policy of CITRA.

3.4 hCaptcha

KINTO uses the hCaptcha anti-bot service (hereinafter “hCaptcha”) on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation (“IMI”). hCaptcha is used to check whether the data entered on our website (such as on a sign-in page) has been entered by a human or by an automated program. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). Within the data collected during the analysis, only IP addresses will be forwarded to IMI. hCaptcha analysis in the “invisible mode” may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Data processing is based on Art. 6(1)(f) of the GDPR (DSGVO): the website or mobile app operator has a legitimate interest in protecting its site from abusive automated crawling and spam. IMI acts as a “data processor” acting on behalf of its customers as defined under the GDPR, and a “service provider” for the purposes of the California Consumer Privacy Act (CCPA). For more information about hCaptcha and IMI’s privacy policy and terms of use, please visit the following links:
https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms.

4 Cookies

Cookies are small text files stored on your browser or device. Cookies allow us to recognize your preferences in order, for example, to adapt the website and your navigation to your specific needs. That is, some of your information is saved in this text file, and when you visit the website again later, the website recognizes your browser to adapt to your preferences.

Cookies usually also have an expiration date. For example, some cookies are automatically deleted when you close your browser (so-called session cookies), while others may be stored longer on your computer until manually deleted (so-called persistent cookies).

4.2 Types of Cookies

Strictly necessary cookies: these cookies are necessary for the proper functioning of our website and cannot be refused if you want to visit us. They are usually only set in response to user actions that correspond to requests for services, such as privacy settings, logins, and filling forms. Setting your browser to block/warn you about these cookies is possible, but some parts of the site will not function and will only take effect on the web browser you use for that purpose.

Performance cookies: these cookies allow us to count the number of visitors and communication traffic sources, which helps us to determine and improve the performance of our site. They help us see which pages are the most and least popular, helping us understand how visitors move around our site. You will remain anonymous as all the information these cookies collect is combined into one. If you do not accept these cookies, we will not know when you visit our site.

For information on specific cookies used on each of the local services and their purposes, please visit the corresponding local KINTO service of your interest.

The use of the above cookies is subject to your prior consent through our Cookie Notices. Therefore, if you wish to refuse the installation of these cookies on your device and/or opt for the removal of cookies that you have previously consented to, please access our Cookies Notice at any time and change your consent.

4.3 Deactivation and Deletion of Cookies

You can use the support functions of your browser or system to manage cookies. If cookies are blocked, deactivated or deleted, some functions of the website will no longer work and you will no longer be able to use the service.

For more information on how to set cookies, please visit the following websites for different mobile browsers:

5 Data Retention & Deletion

In relation to the processing purposes mentioned in 3.3, the processing and storage of your Personal Data will be performed through telematic, manual and computer tools suitable for storing, organizing and selecting data and for allowing consultation, extraction and comparison, with logic strictly related to the aims and, in any case, with the aim of ensuring the security and confidentiality of data, in accordance with the applicable privacy laws. Your Personal Data shall be retained in computer archives as long as it is necessary to achieve the purpose for which Personal Data was collected, in accordance with the applicable local legislation, or, in any case, to allow Data Controllers to protect our legitimate rights and interests or those of third parties and until your request for account closure. To determine the appropriate retention period for the Personal Data, we shall consider: the amount, nature and sensitivity of the Personal Data; the potential risk of harm from unauthorized use or disclosure of the Personal Data; the purposes for which we process the Personal Data and whether we can achieve those purposes through other means; and the requirements of applicable local legislation. After the account closure request, Personal Data shall be cancelled within the number of days stipulated by each service from the request, for accounts that did not make any purchases in KINTO, whereas Personal Data will be stored for tax and accounting purposes in accordance with the terms provided by law for accounts that have made purchases in the platform, or for any other purposes subject to local laws or state regulations applicable to each service. With regard to your contact details used for commercial purposes, as stated in points c and d in 3.3, data storage will be limited according to the period determined by each service or until the withdrawal of your consent, unless a different retention period or legal basis is required by applicable legislative or regulatory requirements.
After this period, data will be used only anonymously and for purely statistical, analytical and historical purposes. Lastly, your Personal Data will be deleted by authorized and properly instructed subjects in the field of privacy protection, with the use of security measures, inter alia, to ensure: (i) the confidentiality of your Personal Data; (ii) the security of your Personal Data, for example preventing access by unauthorized parties. For more information about data retention and deletion policy, please refer to each service’s Privacy Policies listed in the Appendix.

6 Keeping your Personal Data safe

The Data Controllers adopt physical, electronic and organizational measures to ensure the security and accuracy of the Personal Data collected, including the limitation of the number of persons who physically can access the servers that contain the company's database, as well as electronic security systems and password protection that defend against unauthorized access.

7 Your Rights

Please note that you have certain rights in respect to the processing of your Personal Data, pursuant to the applicable data protection laws, which may include the rights to access, rectification, erasure, restriction of processing, data portability, and withdrawal of consent in relation to your Personal Data that we hold. Besides these rights, you are also entitled to object to the processing of your Personal Data in certain circumstances. In addition, you may lodge a complaint with a Data Protection Authority. Moreover, you may have other rights, or may not have some of the rights above, under each local legislation. For more information about your rights, please refer to each service’s Privacy Policies listed in the Appendix.

8 Data transfer to other countries

In cases in which a Personal Data transfer should be required, the Data Controllers shall ensure that any transfer of your Personal Data to third countries or international organizations is carried out in accordance with each local legislation. Please be aware that other countries or international organizations may not have data protection legislation as comprehensive as your local legislation, and the same level of protection as that set forth in your local legislation may not necessarily be guaranteed. In such cases, we shall guarantee and implement the appropriate contracts, safeguards, and other arrangements between the companies before any data transfer.

Where this has not occurred or is not possible, Data Controllers may still transfer your Personal Data in the following circumstances unless otherwise prohibited in the local legislation:

For more specific information on international transfers and their destinations, please refer to each service’s Privacy Policies listed in the Appendix.

For Japanese customers, please refer to the study by the Personal Information Protection Commission, Government of Japan, for more information on regulations for the protection of personal information in each country. In addition, each entity to which we transfer Personal Data complies with the OECD's 8 privacy principles.

9 Data transfer to third parties

The Personal Data provided by you for the purposes indicated in this Privacy Policy may be, where necessary, communicated to:

The subjects listed above may process your Personal Data either as Data Processors, or as Data Controllers, as appropriate. The Data Processors to whom the Data Controllers delegate further processing operations have been carefully selected in order to ensure the protection of your rights and the protection of your Personal Data.

For more specific information on the processing carried out by these third parties, please contact the service owner mentioned in each service.

10 Underage data

Our app, website and other communication channels maintained by KINTO do not knowingly collect Personal Data from or about any underage person without the consent of parents or guardians. For more details about underage service usage, please refer to each service’s Privacy Policies listed in the Appendix.

11 Change of Policy

Any changes to the content of this information will be disclosed to you, alternatively, through individual communications.

12 Contact

For any clarification or request regarding the treatment of your Personal Data, you can contact the Data Controllers that provide the services to you. To know how to contact them, please refer to the Appendix and each service’s Privacy Policies listed in the Appendix.

If you find any discrepancies or have any grievances in relation to the collection, storage, use, disclosure and transfer of your Personal Data under this Privacy Policy or the terms of use, please contact the following:

Mr. Koji Horie, the designated grievance officer
E-mail: ml-pd-gk_pii_inquiry@kinto-technologies.com

In addition, the representative of Toyota Financial Services Corporation in each country is as follows. For the contact information of the representative, please refer to each service’s Privacy Policies listed in the Appendix.

Thailand: Toyota Insurance Broker Company Limited

13 Appendix

List of Joint Data Controllers.

| Country / Region | Data Protection Authorities | Services | Company Name | Contact Detail |
|---|---|---|---|---|
| Japan | Personal Information Protection Commission (PPC) | Global KINTO ID Platform | Toyota Financial Services Corporation | ml-pd-gk_pii_inquiry@kinto-technologies.com |
| | | KINTO App | | |
| | | KINTO ONE | KINTO Corporation | |
| Italy | Italian Data Protection Authority (GPDP) | KINTO GO | KINTO Italia S.p.A. (Toyota group company and successor of the business from Toyota Financial Services Italia S.p.A. from 1st February 2022) | kintoitalia@legalmail.it |
| Brazil | National Data Protection Authority (ANPD) | KINTO ONE Personal | KINTO Brasil Serviços de Mobilidade Ltda. | privacidade@kintomobility.com.br |
| Thailand | Personal Data Protection Committee (PDPC) | KINTO SHARE | Toyota Insurance Broker Company Limited (Toyota group company and successor of the KINTO SHARE business from Toyota Leasing (Thailand) Company Limited from 1st April 2022) | dpo@tlt.co.th |
| | | TripSabuy by KINTO | | |
| | | KINTO ONE | Toyota Leasing (Thailand) Company Limited | |
| Argentina | Argentinian data protection authority (AAIP) | KINTO SHARE LATAM | Toyota Argentina S.A. | InfoMobility@toyota.com.ar |

Privacy & Cookie Policies of each service.

| Country / Region | Services | Privacy Policy | Cookie Policy |
|---|---|---|---|
| Japan | Global KINTO ID Platform | This Privacy Policy | |
| | KINTO App | | |
| | KINTO ONE | Japan KINTO ONE Privacy Policy | |
| Italy | KINTO GO | Italy KINTO GO Privacy Policy | Italy KINTO GO Cookie Policy |
| Brazil | KINTO ONE Personal | Brazil KINTO ONE Personal Privacy Policy & Cookie Policy | |
| Thailand | KINTO SHARE | Thai KINTO SHARE Privacy Policy | Thai KINTO SHARE Cookie Policy |
| | TripSabuy by KINTO | TripSabuy by KINTO Privacy Policy | TripSabuy by KINTO Cookie Policy |
| | KINTO ONE | Thai KINTO ONE Privacy Policy | Thai KINTO ONE Cookie Policy |
| Argentina | KINTO SHARE LATAM | KINTO SHARE LATAM Privacy Policy | |