KINTO Go Privacy Notice

Privacy Notice (Art. 13 of EU Regulation 679/16)

Dear Customer

The companies KINTO Italy S.p.A. and Toyota Financial Services Corporation, thanking you for your interest in their services, wish to inform you that they have entered into a specific agreement ("Joint Controllership Agreement") to define their respective roles and responsibilities in offering you mobility services accessible through the smartphone application called KINTO Go ("KINTO Go" or "App").
The Joint Controller Agreement’s content will be made available to the data subject who request it at the contacts provided below.
With this KINTO Go Privacy Notice ("Privacy Notice"), KINTO Italia S.p.A ("KINTO Italia") and Toyota Financial Services Corporation ("TFSC") intend to provide all the information required by Article 13 of the General Data Protection Regulation 679/2016 ("EU Regulation" or "GDPR") concerning the processing of personal data through KINTO Go.
This Privacy Notice concerns the processing of personal data (such as your name, your email address) provided directly by you when you register for the App or when you use the services available on KINTO Go and does not concern, instead, information collected through other sources, unless expressly stated.

A. Contact information of the Data Controllers

According to Article 26 GDPR, the purposes and means of the processing operations described below are jointly determined by the following companies (together, "Joint Controllers"):

KINTO Italia S.p.A. (KINTO Italia);
Toyota Financial Services Corporation (TFSC).

The Joint Controllers have agreed that KINTO Italy S.p.A. will be the contact point for exercising rights relating to the use of KINTO Go in Italy. For any clarification or request related to the processing of your Personal Data, you can contact KINTO Italia at the following telephone numbers and addresses:

Phone: +39 (0)6 548981
E-mail: info.kinto-go@kinto-mobility.it
PEC: kintoitalia@legalmail.it
Address: KINTO Italia S.p.A.; Via Kiiciro Toyoda, 2, 00148, Rome, RM, Italy

KINTO Italia has appointed a Data Protection Officer ("DPO"), who can be contacted for any clarification or request relating to the processing of your Personal Data. You can request the contact details of the DPO by sending an email to the contact details above.

B. Categories and Sources of Data Collected

To allow you to register and use KINTO Go, we collect certain information that directly or indirectly allows your identification ("Personal Data").
In particular, the following categories of Personal Data (Necessary Data) are necessarily required for registering to KINTO Go:

Personal Data: first name, last name.
Contact Data: e-mail address and telephone number.

To customize your profile on KINTO Go, you will be further requested to enter the following information (Optional Data):

Address;
Date of birth;
Fiscal code;
Profile Picture;
Car license plate;
Geolocation Data of the device used (if activated).

The provision of the Personal Data listed above is optional, however, in the event of failure to provide the Necessary Data, the Joint Controllers will not be able to create your account and provide the services.
Failure to provide Optional Data, on the contrary, does not preclude the creation of the account and the use of the services; however, in some cases providing further information may be necessary in order to access additional services. The car license plate, for example, is required to access and use the parking payment services. Without such information, access to the parking payment functions will be precluded.

C. Purpose and legal basis of data processing.

The Personal Data provided will be processed to achieve the following purposes:

To create your account and to allow you to properly use the services offered through KINTO Go, including sending service notifications (e.g., modification to contract terms; confirmation of purchases; expiration of titles). The legal basis for this processing, according to Article 6, para. 1, lett. b) GDPR, is the need to carry out pre-contractual and contractual activities for the purpose of providing the services described in the Terms and Conditions. For this processing only, failure to provide the Necessary Data will result in the impossibility of creating an account and proceeding with the correct provision of services.
To comply with specific legal obligations to which the Joint Controllers are subject as well as to respond to any legally binding requests from the Public Authorities. The legal basis for this processing is found in Article 6, para. 1, lett. c) GDPR and consists in the need to comply with specific legal obligations to which the Joint Controllers are subject.
To carry out research and technical studies aimed at improving the quality of our products/services and developing new ones. With a view to continuous improvement (Kaizen), which has always distinguished the companies of the Toyota Group, which KINTO Italy is part of, we may process your personal data to: -verify, also through surveys, the quality of the service rendered to you and your level of satisfaction - improve the App, existing products and services or develop new ones; - protect, maintain and support our networks, systems and Applications. The above data will only be processed in anonymous and/or aggregate form and, exclusively for internal administrative statistical purposes, may be communicated to the other Toyota Group companies. The legal basis for this processing, according to Article 6, para. 1 lett. f) GDPR, is found in the existence and the need to protect a legitimate interest of the Data Controller; the protection of such legitimate interest would not be possible without using your Personal Data.
To send you, exclusively through the email address you provided, commercial information regarding new services and/or features of the App similar to and in line with those previously offered by KINTO Italia ("Soft spam"). KINTO Italia ensures that the contacts, for this purpose, will be made only by e-mail, and acknowledges that you can decide not to receive such communications at any time and to notify it by written request to support.kinto-go@kinto-mobility.it. In this case, following your request, no further communication for these purposes will be sent. The legal basis for this purpose of processing is found, pursuant to art. 6, para. 1, lett. f) GDPR, in the need to protect a legitimate interest of the Data Controller; the protection of such a legitimate interest would not be possible without using your Personal Data.
To contact you to send marketing communications regarding KINTO Go and other KINTO brand products and services. The Personal Data you provide will be used to contact you through various automated tools such as, email, SMS, push and in-app notifications. You will have the option, at any time, to deactivate the methods through which you do not wish to receive commercial communications by sending a written request to support.kinto-go@kinto-mobility.it. The legal basis for this processing is, according to Article 6, para. 1, lett. a) GDPR, your specific consent, which will be purposely collected.
To share Personal Data provided by you to the companies of the Toyota Group (Toyota Motor Italia S.p.A.; Toyota Financial Services Italia S.p.A.; Toyota Insurance Management SE and Aioi Nissay Dowa Insurance Company of Europe SE) which will process them as independent data controllers for sending commercial communications on Toyota, Lexus and KINTO products and services. The legal basis for this processing is, according to Article 6, para. 1, lett. a) GDPR, your specific consent, which will be specially collected.
To analyse your Personal Data and your shopping preferences and habits and to offer you personalized commercial offers on KINTO products and services, in line with your preferences and increasingly responding to your interests and needs (i.e. profiling). The legal basis for this processing is, according to Article 6, para. 1, lett. a) GDPR, your specific consent, which will be specially collected.
To know the location of your mobile device and, therefore, your geographical position (geolocation), when you use KINTO Go, in order to allow the Company a faster and more efficient provision of the requested services (e.g. showing the services available in the territory where you are located and the contracted establishments that deliver the requested service based on your location). You can always disable geolocation, even temporarily, through the settings of the device you use. The legal basis for this processing is, according to Article 6, para. 1, lett. a) GDPR, your specific consent, which will be specially collected.

For the processing referred to letters e., f., g., h., if you decide not to provide your consent, no processing of Personal Data will be carried out. In any case, the failure to provide consent will not have any kind of repercussion on the signing and execution of the contract between you and KINTO Italia, or will there be any negative consequence towards you. The consent provided may be revoked at any time as easily as it was provided. Revocation of consent will not affect, in any case, the lawfulness of the processing carried out up to that moment.

Categories of Personal Data	Personal Data	Purposes of processing	Legal basis of processing purposes
User Data (Necessary Data)	First Name	To register to KINTO Go and provide services (including service notifications).	Art. 6, par. 2, let. b) Performance of the contract
	Last name
	E-mail address
	Telephone number
User Data (Optional Data)	Geolocation Data of the device used	To know the location of the mobile device and, therefore, the geographical location (geolocation), when using KINTO Go, to allow the Company a faster and more efficient provision of the requested services (e.g. to show the services available in the territory in which the data subject is located and the affiliated establishments providing the requested service based on the location of the device)	Art. 6, par. 2, let. a) Consent
User Data (Optional Data)	Address	To customise the KINTO Go profile.	Art. 6, par. 2, let. b)Performance of the contract
	Date of birth
	Profile picture
	Fiscal code
	Fiscal code
	Car license plate	To provide parking payment services.
	Car license plate	To provide parking payment services.
User Data (Contact Data)	Email-Address	Improvement of products/services Soft spam (e-mail only) Marketing purposes. Communication to Toyota Group companies for marketing purposes Profiling purposes for marketing.	Art. 6, par. 2, let. f)legitimate interest Art. 6, par. 2, let. a)Consent


	TelePhone number

D. Global KINTO ID

The Joint Data Controllers allow you to access the KINTO Go Services also from foreign countries ^{^1}.
In order to achieve the aforementioned purpose, the Personal Data you provide will be stored in a special database, owned by the Joint Data Controllers, and dedicated to the storage of your Personal Data ("KINTO Italy Database").
In addition, in order to ensure the proper delivery on the Italian territory of the services provided by KINTO Go, your Personal Data will be duplicated and stored, together with the usage data of each service, in a local database exclusively owned by KINTO Italia ("KINTO Go Italia").
The Optional Data required to customize your profile as anticipated in Section B of this document will be processed and stored exclusively in the KINTO Go Italy database.
Your account will be automatically authenticated through the Global KINTO ID Platform - an account verification authorization system - which will require no further action on your part.
Should you not wish to proceed with authentication through the Global KINTO ID Platform, the ability to proceed with registration and access of services offered by KINTO Go will be precluded.
For more information on the use of KINTO Go services from foreign countries, you can refer to the KINTO Go Terms of Service, available in the App.

^{[^1] The list of countries from which the KINTO Go services will be accessible will be kept constantly updated by the Joint Data Controllers. Each user may, at any time, request a copy of this list from the contacts provided in Section A of the Privacy Notice.}

E. List of KINTO Go Services

After registering with KINTO Go, you can use the following services (KINTO Go Services):

Use of the private electronic wallet (e-wallet) for simplified payment;
Searching for travel solutions and purchasing tickets;
Parking zone identification and hourly rate payment;
Taxi search and payment;
Search for events and travel solutions to reach them.

The provision of all the services listed above is subject to acknowledgement of this Privacy Notice and acceptance of the Terms and Conditions.

F. CRM

KINTO Italy has purchased from the supplier The & Partners s.r.l. ("T&P"), which, in turn, has entered into a supply agreement with MAPP DIGITAL ITALY S.R.L. ("Mapp"), a license for the use of a Customer Relationship Management ("CRM") through the platform developed by Mapp, which uses Global Access Internet Services GmbH, IP Exchange GmbH and Amazon Web Services EMEA SARL datacenters. The CRM collects all Personal Data collected by KINTO Italy and processed in the manner and for the purposes referred to in point C of this Privacy Notice. Personal Data will be collected directly from you or through tracking and analysis of your preferences and shopping habits on the App.
Personal Data analyzed through the CRM will be processed only in aggregate form for statistical purposes and, with your consent, for marketing and profiling purposes. The Personal Data, stored within the CRM, will only be accessible by personnel specifically authorized by T&P, Mapp and KINTO Italy and will be stored in accordance with the timeframes indicated in point G below.
KINTO Italy guarantees that it has implemented all necessary security measures aimed at ensuring the integrity of the Personal Data contained in the CRM.

G. Methods of data processing and storage

In relation to the above processing purposes, the collection, processing and storage of Personal Data will take place through telematic, manual and computer tools, suitable for storing, organizing and selecting the data, and to allow their consultation, extraction and comparison, with logics strictly related to the purposes themselves and, in any case, in order to ensure the security and confidentiality of the data processed, in accordance with the current provisions.
Your Personal Data will be stored in computer archives for the duration necessary to achieve the above purposes and until the request to close the account. After the account closure request has been made, Personal Data will be deleted within 30 days from receipt of the request, for accounts that have not made purchases on KINTO Go; while the data will be stored for tax and accounting purposes within the terms provided by law for accounts that make purchases in the aforementioned App.
After this period, the data will be used only anonymously and for purely statistical, analytical and historical purposes.
Regarding your contact data used for the purposes of marketing, transfer to third parties, profiling and geolocation referred to point C, lett. e., f., g., h., the retention of the data will last for the period that your account is active or until the revocation of the consent you have given. In this case, the Controller will proceed to terminate any processing for the above purposes, except for those strictly necessary to pursue its compelling interests. Regardless of your request to revoke your consent, geolocation data collection may be deactivated and reactivated at any time.
Ultimately, your Personal Data will be processed by authorized and duly instructed parties regarding the protection of privacy, with the use of security measures, inter alia, to ensure: (i) the confidentiality of your Personal Data; (ii) the security of your Personal Data, for example by preventing access to unauthorized parties.
The Joint Controllers take physical, electronic, and organizational measures to ensure the security and accuracy of the Personal Data collected, including limiting the number of people who can physically access the servers containing the databases, as well as electronic security systems and password protection that defend against unauthorized access.

H. Communication and transfer of data to third parties

The Personal Data you provide for the purposes indicated in this Privacy Notice may, where necessary, be communicated:

T&P and Mapp for the provision of the CRM system, as described in paragraph F.
Companies related, controlled, controlling, affiliated or in any way connected to the Joint Controllers.
Companies providing services, including IT service providers (IT systems, cloud platforms, etc.), which the Joint Controllers use for the proper provision of KINTO Go Services.
- The companies Pluservice Srl, and myCicero Srl (the “Providers”) will act as Data Processors for the performance of certain activities necessary for the management of KINTO Go and the KINTO Go Italia database (based in Italy), for the resolution of problems that require the specific know-how of such Providers and a specific IT infrastructure that cannot be replicated internally. Hosting of the platform and processing related to the provision, operation and updating of software to support the App and detect service performance will also be outsourced to the Providers. In addition, the Providers will be responsible for integrating the functionality that enables e-wallet reloading and payment for purchased services (e.g., tickets and parking), through the Stripe payment platform, and for setting up customer service to support the use of KINTO Go. For these functionalities, Stripe Inc. acts as an Independent Data Controller for payment processing and the related Personal Data processed will not be accessible to the Contractors or Providers in any way or for any purpose. For more information on the processing performed by Providers and Stripe, please refer to the Privacy Notices for the services offered.
  In order to enable you to use the Global KINTO ID Platform, your Personal Data will be stored in the KINTO Italy Database dedicated to it, provided and managed by Amazon Web Services Inc. (“AWS”), based in Frankfurt. Global KINTO ID Platform services are provided through AWS Cognito, which serves as the authentication, verification and access control system for all user accounts.
Any parties external to the structure of the Joint Controllers (external consultants; national and supranational public authorities and bodies) with whom precise agreements have been made regarding the measures to be taken to ensure the security of the data entrusted to them. In any case, the data will be processed exclusively for the pursuit of the purposes indicated above

The subjects listed above may process your Personal Data either as Data Processors, as independent Data Controllers, or as Joint Data Controllers, as the case may be. The Processors to whom the Joint Controllers delegate further processing operations have been carefully selected in order to ensure the protection of your rights and the protection of your Personal Data. The complete list of the subjects to whom, for various reasons and for the purposes indicated above, the Data Controllers may communicate your Personal Data, may in any case be requested without formality from KINTO Italy.

I. Transfer of data to a third country or international organization

The Joint Controllers will not transfer the Personal Data you provide to a third country or international organization. In order to enable the proper use of the KINTO Go Services from foreign countries, the Data Controllers guarantee that the processing activities will be carried out within the European Union (EU) and/or the European Economic Area (EEA). In cases where a transfer of Personal Data is necessary, the Data Controllers guarantee that any transfer of Personal Data to third countries or international organizations will take place in compliance with the conditions indicated in Chapter V of the GDPR in order to ensure an adequate level of protection of individuals. In particular, the Data Controllers guarantee that no transfer of Personal Data will be made without one of the adequate safeguards provided for in Articles 45 to Articles 49 of the GDPR being in place.

J. Your Rights

The rights you may exercise in connection with the processing of your Personal Data are those provided for by Articles 15 to 22 of the GDPR:

the right to obtain from the Joint Data Controllers confirmation that processing of your Personal Data is or is not taking place, as well as information about the processing operations actually taking plac ("Right of Access");
the right to obtain from the Joint Data Controllers the rectification of inaccurate Personal Data ("Right of Rectification");
the right to obtain from the Joint Data Controllers the deletion of Personal Data that are no longer necessary for the purposes pursued, those for which you have revoked your consent to the processing, those for which you have exercised your right to object, those processed erroneously, or those that must be deleted in order to comply with a legal obligation ("Right to Deletion")
The right to obtain from the Joint Data Controllers the restriction of processing with respect to Personal Data whose accuracy is disputed; to Personal Data processed unlawfully for which you object to deletion; to Personal Data no longer necessary in relation to the purposes of collection, but necessary for the establishment, exercise or defense of a right in court; to Personal Data with respect to which you have exercised your right to object, pending verification as to whether the legitimate interest of the Data Controllers prevails ("right to restriction of processing");
the right to obtain from the Joint Data Controllers, where technically possible, the communication to you or directly to another data controller of your Personal Data, in a commonly used computer format, limited to Personal Data processed on the basis of consent or performance of a contract ("Right to data portability")
the right to object to the processing by the Joint Data Controllers of Personal Data whose processing is based on the legal basis of the legitimate interest of the Data Controllers, as well as to the processing of Personal Data for direct marketing purposes ("Right to object").

The aforementioned rights may be exercised by sending a written request or by e-mail to KINTO Italy, using the contacts indicated in point A of this notice.
KINTO Italy, in compliance with current regulations, will respond without undue delay.
Without prejudice to any other administrative or jurisdictional recourse, should you believe that the processing that concerns you violates the Regulation, you have the right to lodge a complaint with the supervisory authority of the Member State in which you reside or habitually work, or of the State in which the alleged violation occurred. For Italy, the competent authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali - GPDP), with whom you can file a complaint by following the instructions available at the following address: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.

K. Data Deletion

In the event that you need to request the permanent deletion of your Personal Data, for the reasons described in the preceding paragraph, the Joint Data Controllers have provided, according to internal procedures, that the deadline for deletion is 30 days from receipt of the data subject's request.
This right cannot be exercised in case of conflicting legal obligations.

L. Modification of this Privacy Policy

Any changes to the content of this policy will be made known to the user, alternatively, through individual communications, through updates on the KINTO Go website (www.kinto-mobility.it/kinto-go) or directly through the App.