Privacy Policy

Effective Date [November 1, 2023]

We, Toyota Financial Services Corporation (referred to herein collectively as “we”, “our” or “us”), respect your privacy and want you to know how your Personal Information, as defined below, will be handled and used.

We have developed this Privacy Policy (this “Policy”) to describe the types of Personal Information that we may collect, how we may use and share your Personal Information, our lawful basis for processing it, what rights you have in relation to your Personal Information and how we protect it.

Please read this Policy carefully to understand how we will treat your Personal Information collected through our websites. As part of our efforts to transform Toyota from an automotive company to a mobility company, we intend to add additional functions and features to our websites, so be sure to check back for any updates to this Policy. We will indicate at the top of this Policy when it was most recently updated.

Identity of the Controller

For purposes of certain data protection laws, including the Act on the Protection of Personal Information of Japan (the “APPI”) and the General Data Protection Regulation of the European Union and the equivalent data protection law in the United Kingdom (collectively, the “GDPR”), the controller is Toyota Financial Services Corporation, and we are located at: Nagoya Lucent Tower 15F, 6-1 Ushijima-cho, Nishi-ku, Nagoya, 451-6015, Japan.

This Policy applies to the processing undertaken where we, as the controller, determine why and how your Personal Information is processed.

Our representatives in the European Economic Area and United Kingdom are:

KINTO EUROPE GmbH, a limited liability company having its registered office at Toyota Allee 5, 50858 Köln, Germany, registered with corporate identity number HRB 95859 (Amtsgericht Köln).

Data.Protection@toyota-europe.com

KINTO UK, a limited liability company having its registered office at Portsmouth, Hampshire, 1000 Lakeside North Harbour Western Road, PO6 3EN (Co. No. 837940).

DPO@kinto-uk.com

Our Data Protection Officer (“DPO”) can be reached at

ml-pd-gk_pii_inquiry@kinto-technologies.com.

Definition of Personal Information

“Personal Information” in this Policy shall have the meaning that is granted to such term or any equivalent term under applicable data protection laws, but it generally means any information relating to an identified or identifiable natural person (“Data Subject”). Personal Information does not include aggregate information or information that cannot identify a natural person.

Collection of Personal Information

The categories of Personal Information we collect, the purposes of processing and, to the extent the GDPR applies, the lawful basis for collection, are detailed below.

Who do we collect it from: Through automated means

What do we collect: Electronic activity, such as data gathered by technology when you visit our website (such as IP address, browser information, device type, operating services, app versions, what functions or pages you use or click on, the frequency of use, the links you click on).

Why do we collect this data: We use this information to operate, evaluate and improve our business, including developing new products and services; enhancing and improving our services; analyzing your interaction with our services; and to perform data analytics.

Which lawful basis do we rely on: It is in our legitimate interest to improve our relationship with you by customizing our service to make your experience smooth and efficient through the use of necessary cookies and similar technologies. We also have a legitimate interest in having a functioning website and improving the functionality and maintaining the security of our website through the use of necessary cookies and similar technologies, all of which is not outweighed by the privacy impacts on you.

Where the information is collected through the use of cookies and other tracking technologies, and where those are not strictly necessary for the operation of our website, we rely on your consent to collect this information (please see our cookie policy below for further information).

Who do we collect it from: All data

What do we collect: All categories of data

Why do we collect this data: We may need to use this information to:

• establish and enforce our legal rights and obligations;

• comply with binding requests made by you when exercising your legal rights (such as those set out in this policy);

• comply with binding requests or instructions from applicable regulators, law enforcement agencies, any court or otherwise as required by law;

• resolve complaints or disputes with you;

• manage any proposed sale, restructure, or merger of any or all part(s) of our business, including in response to enquiries from prospective buyers or merging organizations;

• for our own general record keeping and customer relationship management (e.g. to comply with laws relating to consumer, tax, accounting, data protection and/or money laundering).

Which lawful basis do we rely on: Where the information is required in relation to a lawsuit, complaint, legal requirement or regulatory action we are under a legal obligation to comply with such requirements where it is a mandatory obligation. We may also opt to comply in certain scenarios where it is not mandatory; we would carefully consider such scenarios and we would then rely on our legitimate interest where it would be good governance to do so.

We have a legitimate interest in being able to sell any part of our business and we also have a legitimate interest in being able to resolve any dispute directly with you.

As detailed in the section below titled “Cookies,” you can reject our collection of your Personal Information on our websites through automated means, but such rejection may affect our website performance and functionality. With regard to the Personal Information that you voluntarily provide to us, you can always stop providing it, but it may prevent us from providing our services to you.

Sharing of Personal Information

Sometimes we need to disclose your Personal Information to other organizations.

(1) Inside the Toyota group companies

We are part of the Toyota group, which is a group of companies with headquarters in Japan. Therefore, we may need to share your Personal Information with other companies in the Toyota group, for our general business management purposes and, in some cases, to meet our customer needs where providing services across different group entities/locations, for authorizations/approvals with relevant decision makers, for reporting and where systems and services are provided on a shared basis.

Access rights between members of the Toyota group are limited and granted only on a need to know basis, depending on job functions and roles. Where any group companies process your Personal Information on our behalf (as our processor), we will make sure that they have appropriate security standards in place to make sure your Personal Information is protected.

(2) Outside the Toyota group of companies

From time to time we may ask third parties to carry out certain business functions for us, such as for IT support, data hosting and customer relationship management (CRM) tool providers. These third parties will process your Personal Information on our behalf (as our processor). We will disclose your Personal Information to these parties so that they can perform those functions. Before we disclose your Personal Information to these third parties, we will seek to ensure that they have appropriate security standards in place to protect your Personal Information.

In certain circumstances, we will also disclose your Personal Information to third parties who will receive it as controllers of your Personal Information in their own right for the purposes set out above, where the relevant disclosure is in relation to:

• services provided to you or us by a third party acting independently to us but which has a relationship with us, for example legal advisors, accountants and auditors;

• the purchase or sale of our business (or part of it) in connection with a share or asset sale, for which we may disclose or transfer your Personal Information to the prospective seller or buyer and their advisors;

• the disclosure of your Personal Information in order to comply with a regulator or law enforcement request, legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others; and

• a disclosure you have asked us to make, or given us permission to make.

We have set out below a list of the categories of recipients outside the Toyota group with whom we are likely to share your Personal Information:

• IT support, website/app and data hosting providers and administrators;

• consultants and professional advisors including legal advisors and accountants;

• courts, court-appointed persons/entities, receivers and liquidators;

• business partners and joint ventures;

• insurers; and

• governmental departments, statutory and regulatory bodies.

Our website may provide links or access to services or information offered by other members of the Toyota group, or by third parties. These parties will have their own privacy notices and any Personal Information collected by other group members or third parties will be subject to their individual privacy notices unless otherwise stated.

Transfers of Personal Information Abroad

As part of an international organization, we may transfer your Personal Information to recipients (either internally or externally, as set out above) that are established in jurisdictions other than your own. Please be aware that the data protection laws in some jurisdictions may not provide the same level of protection to your Personal Information as is provided to it under the laws in your jurisdiction. The jurisdictions to which we may transfer your Personal Information include the United States, Qatar and other jurisdictions in which our group companies are located (which may overlap with jurisdictions in which other Toyota group companies are located). For information about the jurisdiction of group companies, please see the following webpage.

Our group companies:

https://www.tfsc.jp/en/global/index.html

We take appropriate steps to protect your Personal Information regardless of where it is stored, taking into consideration the requirements of the data protection laws which we consider are applicable to how we process your Personal Information.

If any disclosures of Personal Information referred to above require your Personal Information to be transferred from within the European Economic Area, the United Kingdom or Japan to any country outside these respective jurisdictions, we will seek to ensure that it is adequately protected by way of safeguards, including the use of EU Standard Contractual Clauses as provided under Article 46(2) of the GDPR, unless relevant authorities have made an adequacy decision with respect to the recipient jurisdiction.

For more information about what appropriate safeguards we use and how to obtain a copy of them or to find out where they have been made available, please contact us using the details below.

There may also be some instances in which we rely upon one or more permitted exceptions under the relevant data protection law from taking this step for particular situations. For example, where we have asked for your explicit consent to do so, or to perform a contract with you, or take steps prior to doing so, to conclude or perform a contract with another party concluded in your interest, for important reasons of public interest, or where it is done in the context of legal claims.

Retention of Personal Information

We also ensure that, in compliance with applicable law, we do not retain Personal Information longer than necessary. We will keep your Personal Information for as long as we have a relationship with you, for example as long as you are a customer, or you wish to keep receiving marketing messages from us (and for a reasonable period thereafter). When determining how long to retain Personal Information after we no longer have a relationship with you, we take into account how long our customers usually want to continue hearing from us, our legal obligations and the expectations of regulators, as well as the length of time information is needed for internal audit purposes and to exercise or defend our legal rights.

We also consider the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

This includes the following:

• Retention in case of queries - We may retain your Personal Information for a reasonable period in case of follow up queries from you.

• Retention in case of claims - We may retain your Personal Information for the period in which you might legally bring claims against us (this means we will retain it in line with relevant limitation periods, which are applicable to your jurisdiction, for example 7 years from the end of the contract, for information relating to contracts with us if based in the United Kingdom) if and to the extent this is relevant.

• Retention in accordance with legal and regulatory requirements - We will consider whether we need to retain your Personal Information after the period of retention in the case of queries or claims because of a legal or regulatory requirement.

• Retention permitted under applicable law - We will continue to retain Personal Information where necessary to provide our services to you and the retention of such Personal Information is necessary for the purposes of pursuing our legitimate interests or where it is necessary for public interest purposes.

We review our retention periods for Personal Information on a regular basis, and all Personal Information is retained in compliance with applicable data protection law. We will only permanently retain certain basic Personal Information, for limited purposes. This is in relation to retaining basic contact details, to keep a record that you were a customer, in case you return in the future, or where you have asked us not to contact you again.

Your Rights

Depending on your jurisdiction, you may be entitled to the following rights, which you can exercise by contacting us using the contact information provided in “How to Contact Us” below:

• Where our use of your Personal Information requires consent, you may withdraw this consent at any time without affecting the lawfulness of our processing up to that point;

• You may request access to your Personal Information that we hold (together with other supplementary information such as the purpose for which it is processed, the person to whom it is disclosed and the period for which it is stored);

• You may require us to correct your Personal Information we hold without undue delay if it is inaccurate;

• Depending on the basis on which we process your Personal Information, you may ask us to change, restrict or stop the way in which we communicate with you or process your Personal Information. Specifically, where the GDPR applies, you have the right to object to our processing based on legitimate interest as well as our processing for direct marketing;

• You may ask us to delete your Personal Information;

• You may ask us to move, copy or transfer your Personal Information and to receive the Personal Information which you have provided to us, in a machine readable format, where we are processing it on the basis of your consent or because it is necessary for your contract with us and where the processing is automated;

• You may object to our decision making which is based solely on automated processing of your Personal Information, including profiling, which has a legal effect, or which causes a similarly significant effect (however, we do not currently conduct any such decision making).

You have the right to make a complaint at any time to your local data protection regulator. If you are based in the European Economic Area, you can access a list of these here. If you are based in the UK you can access contact details for the ICO here. We would, however, appreciate the chance to deal with your concerns before you approach such regulator, so please contact us in the first instance.

How to Contact Us

If you would like to exercise any of your rights, or if you have any questions about this notice or would like to make a complaint, please send an email to ml-pd-gk_pii_inquiry@kinto-technologies.com that details your request and includes your exact name, physical address and email address.

Please note that we may need to verify your identity when you request to exercise your privacy rights. To do so, we may ask you to confirm information we already have on file or provide such other proof as we need in order to determine and confirm your identity before responding to your request.

Cookies

A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows our website to “remember” your actions or preferences over time. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide reporting information. Some cookies are strictly necessary for the functioning of our website.

Why do we use cookies?

We use cookies to learn how you interact with our content and to improve your experience when visiting our website. For example, some cookies remember your preferences and where you left off so that you do not have to repeatedly make these choices when you visit one of our websites.

What types of cookies do we use?

Type of Cookie - What do they do?

• Necessary - Cookies that are essential to making our websites work correctly. They enable visitors to move around our website and use our features. Examples include remembering previous actions when navigating back to a page in the same session.

• Performance / Analytical - Cookies that help us understand how visitors interact with our web properties by providing information about the areas visited, the time spent on our websites and any issues encountered, such as error messages. They help us improve the performance of our websites, alert of any concerns and more.

• Functionality - Cookies that allow our web properties to remember the choices you make (such as your user name, language or the region you are in) to provide a more personalized online experience. If you do not accept these cookies, it may affect our website performance and functionality and may restrict access to web content.

How do I reject and delete cookies?

You can choose to reject or block all or specific types of cookies (except for Strictly Necessary Cookies) by changing your preferences from the link below. If you reject the use of cookies, you will still be able to visit our websites but some of the functions may not work correctly.

You may also reject cookies by changing your browser settings. You may also visit www.allaboutcookies.org for details on how to delete or reject cookies and for further information on cookies generally.

<Use of Google Analytics>

Google Analytics shall use cookies to collect logs of your activities on our websites. The logs collected are managed in accordance with Google’s privacy notice, which you can view at the following link:

Google’s Privacy Notice:

https://policies.google.com/technologies/partner-sites?hl=en-GB

To opt out of tracking from Google Analytics on all websites, please use the Google Analytics Opt-out Browser Add-on.

Google Analytics Opt-Out Browser Add-on:

https://tools.google.com/dlpage/gaoptout?hl=en-GB

<Use of Microsoft Clarity>

We use Microsoft Clarity to capture how you use and interact with our website. By using our site, you agree that we and Microsoft can collect and use this data. For more information about how Microsoft collects and uses your data, please visit the Microsoft Privacy Statement.

Safeguarding of Personal Information

We implement and maintain reasonable and appropriate security measures against unauthorized or unlawful processing of personal information and against accidental loss or destruction of, or damage to, Personal Information. This includes limiting access to your Personal Information to those employees, agents and other authorized parties who need to know the information to enable us to provide products or services.

Children

The Website is not targeted at children under the age of 18, and we do not knowingly collect any personal data from children. We will delete any personal information we determine to have been collected from a child or user under the applicable age of consent. If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed personal data to us, please contact us at

ml-pd-gk_pii_inquiry@kinto-technologies.com.

Changes to this Policy

We reserve the right to modify this Policy at any time. We will notify you of substantive or material changes at an appropriate time. Any changes to this Policy become effective upon the date which we separately indicate as the effective date.

For California Residents

If you are a resident of the State of California, USA, this section applies as a part of this Policy. In the event of any discrepancy between the provisions of this section and other parts of this Policy, the provisions of this section shall prevail.

We process your personal information in compliance with the California Consumer Privacy Act (the “CCPA”) and pursuant to this Policy including this section. Personal Information in this section shall mean information that directly or indirectly identifies, relates to, describes, refers to, can be associated with, or can reasonably be combined with a particular individual or household. The terms in this section not defined in this section shall have the meanings granted in the CCPA.

1. Personal Information we collect

We have collected the following categories of Personal Information about you over the past 12 months and will continue to collect the same categories of Personal Information about you. The CCPA defines the categories listed below. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you, we may collect some information within that category. It does not necessarily mean that we collect all information listed in a particular category for all of our customers. We have disclosed your Personal Information to the following categories of third parties for business or commercial purposes in the past 12 months. We have not sold or shared your Personal Information in the past 12 months and do not have plans to do so, as the term “sell” or “share” is defined by the CCPA.

For details of the Personal Information we collect, the business and commercial purposes of collecting Personal Information, and the sources of Personal Information we collect, please see “Collection of Personal Information” above; for the retention period of Personal Information, please see “Retention of Personal Information” above.

Category of Personal Information - Disclosed to Whom

• Personal identifiers - Affiliated companies; third party service providers; DPO.

• Commercial information - Affiliated companies; third party service providers; DPO.

• Internet or other electronic network activity information - Affiliated companies; third party service providers; DPO.

2. Your Rights under CCPA

If you are a Californian resident, you have specific rights under the CCPA. The following describes your rights and how to exercise those rights under the CCPA.

(1) Right to Access Specific Information

You have the right to request us to disclose certain information in relation to the collection, sharing, disclosure, or use of your Personal Information. Upon receipt and confirmation of your verifiable request, we will disclose to you any or all of the following information:

• The categories of Personal Information we have collected;

• The categories of sources from which we have collected Personal Information;

• The business or commercial purpose for the collection, sale, or sharing of such Personal Information;

• The categories of third parties to which we disclose such Personal Information; and

• The specific pieces of your personal information that we have collected.

(2) Right to Request Deletion

You have the right to request us to delete your Personal Information we collected, subject to certain exceptions.

(3) Right to Request Correction of Inaccurate Personal Information

You have the right to request that we correct any inaccuracies in your Personal Information that we collected. Upon receipt and confirmation of your verifiable request, we will correct inaccurate Personal Information from our records. We may deny your correction request if we determine that the contested personal information is more likely than not accurate based on the totality of the circumstances.

(4) Right to Opt-Out of Sale or Share

We have not and will not sell or share any Personal Information, as the term “sell” or “share” is defined by the CCPA.

(5) Right to Request to Limit the Use of Sensitive Personal Information

Restriction of Use

We have not collected your sensitive personal information, as the term “sensitive personal information” is defined by the CCPA.

(6) Right of Non-Discrimination

We shall not discriminate against California residents for exercising any of their rights under the CCPA. Such prohibited discrimination includes, without limitation, denial of goods or services, different prices or rates for goods or services, or a different level or quality of goods or services.

(7) Exercising Your Rights to Access, Delete, and Correct

To exercise your rights to access, delete, and correct your Personal Information as described above, please submit a verifiable request to us by using the information in “How to Contact Us.”

Only you, a natural person authorized by you, a person registered with the California Secretary of State, a person entrusted by you, or your conservator may submit a verifiable request related to your Personal Information. You may also make a verifiable request on behalf of your minor child.

A verifiable request must:

• Provide sufficient information that allows us to reasonably verify that you are the person whose Personal Information we have collected or an authorized representative thereof; and

• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond thereto.

3. Do Not Track

Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer's online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, we do not monitor or take any action with respect to these signals or other mechanisms.