Privacy Policy

KlossHyra Sverige AB ("we" or "the lessor") attaches great importance to protecting your personal data. In this privacy policy we explain which data we collect, why we do so, how we secure it and which rights you have.

We process personal data in accordance with the European General Data Protection Regulation (GDPR) and Swedish privacy legislation.

We only process personal data that is necessary for our services.

• Name and address – to prepare and perform rental agreements and to ship LEGO® sets.

• Email address – to communicate about orders, gift cards, account balance and to let you log in with a one-time passcode.

• Identification data via BankID – to confirm your identity when preparing and signing the rental agreement.

• Payment details – to process payments via Swish or other payment methods.

• Gift card data – such as the name and email address of the purchaser and recipient, personal message, selected amount, sending date, and data relating to the delivery and redemption of gift cards.

• Account and wallet data – such as account balance, redemptions and transaction history for the use of balance on orders.

• Communication data – when you contact us yourself.

• Interest and availability notifications – when you ask to be informed when a set becomes available again.

The website uses functional cookies that are necessary for the site to work. In addition, we use privacy-friendly web analytics without third-party tracking cookies to receive aggregated statistics about the use of the website.

We use personal data only for clear and legitimate purposes.

• Performance of the agreement – to process rental orders, gift card orders, deliveries, returns, redemptions and the use of account balance.

• Identity verification – to conclude the rental agreement validly and to prevent fraud.

• Payments and administration – to process payments, maintain balance information and comply with bookkeeping and tax obligations.

• Customer service – to handle questions, requests and problems.

• Availability notifications – to let you know when a set becomes available again.

• Security and fraud prevention – to prevent misuse of accounts, payments, gift card codes and account balance.

• Improvement of the website – through privacy-friendly, aggregated web analytics.

We base these processing activities on performance of the agreement, legal obligations and, where relevant, our legitimate interest in safe and properly functioning services.

We do not retain personal data longer than necessary for the purpose for which it was collected.

Account, gift card and wallet data are in principle deleted no later than two years after your last account activity, unless a longer retention period is required because of an outstanding balance, a dispute, fraud prevention or a legal obligation.

Identity verification via BankID – the underlying verification data, such as the BankID transaction itself, is not stored for a long period; only the confirmation that verification and signing took place is retained as part of the rental agreement.

Rental agreements and signed documents are retained for up to ten years after the end of the rental period.

Financial administration, such as invoices, payments, gift card orders and payment receipts, is retained for as long as legally required, currently seven years under Swedish bookkeeping rules.

After the applicable retention period has ended, data is deleted or anonymised.

We take appropriate technical and organisational measures to protect your data against loss, misuse, unauthorised access or disclosure.

Examples include:

• Encrypted connections (HTTPS).

• Restricted access to personal data.

• Secure storage of signed documents.

• Regular checks of our systems.

We follow the principle of data minimisation: only data that is strictly necessary for our services or legal obligations is processed.

We never sell or rent your data to third parties. Data is only shared with parties that need it to deliver our services or when we are legally required to do so.

The categories of third parties we may share data with are:

• External identity verification service – for verification and signing via BankID when entering into the rental agreement.

• Payment service providers – such as Swish, to execute payments securely for rental orders and gift cards.

• Email and communication providers – to send login codes, order confirmations and gift cards.

• Parcel services – for delivering and returning LEGO® sets. Only name, address and (if needed) contact details are shared for the shipping process.

• Hosting, storage and IT service providers – for the technical hosting, security and functioning of our website and account environment.

• Privacy-friendly analytics provider – for aggregated statistics about the use of the website.

• Public authorities – only when required by law (for example for tax or law enforcement).

When a gift card is purchased for someone else, we receive the recipient's personal data from the purchaser and process it only to deliver the gift card and to enable related communication.

With all parties that process personal data on our behalf, we conclude a data processing agreement to ensure that they treat your data confidentially and in accordance with the law.

Under the GDPR and Swedish privacy legislation you have the following rights:

• Access – to know which data we hold about you.

• Rectification – of incorrect or outdated data.

• Erasure – of your data, unless a legal retention obligation applies (for example for a rental agreement or invoice).

• Restriction – of processing in certain cases.

• Objection – to processing based on our legitimate interest.

• Portability – to receive your data in a commonly used format.

You can submit a request via our contact address. We respond as quickly as possible and no later than within one month.

If we have doubts about your identity, we may ask you to confirm it, for example via BankID.

Not satisfied with how we handle your personal data? You can lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY) – www.imy.se

We may update this privacy policy from time to time, for example if our services or legislation change. The most recent version is always available on our website.

For significant changes we will inform you by email or during your next visit to our site.