Privacy Policy

KlossHyra Sverige AB ("we" or "the lessor") attaches great importance to protecting your personal data. In this privacy policy we explain which data we collect, why we do so, how we secure it and which rights you have.

We process personal data in accordance with the European General Data Protection Regulation (GDPR) and Swedish privacy legislation.

We only collect and process personal data that is necessary to deliver our services.

• Name and address – to draw up the rental agreement and ship LEGO® sets.

• Email address – to communicate about your order and to log in via a one-time passcode (no password is required).

• Identification data via BankID – to confirm your identity when preparing and signing the rental agreement. Your name and personal identity number are processed through an external identity verification service.

• Payment details – to handle payments via Swish or other payment methods.

• Communication data – only if you contact us yourself (for example by email).

We do not collect any other data and we do not use tracking cookies or analytics tools. The website only uses functional cookies that are required for the site to operate; no cookie banner is needed.

We use your personal data exclusively for legitimate purposes:

• Performance of the rental agreement – to process orders, deliver sets and handle returns. The personal data you provide via BankID is also used to legally sign the rental agreement.

• Identity verification – to prevent fraud and to be sure who we are doing business with. Verification takes place through an external identity verification service that uses BankID.

• Retention of the rental agreement – to demonstrate the agreements that were made and to handle any disputes or damage claims.

• Payments – to collect the amounts you owe and process them administratively.

• Customer service – to answer questions or requests that you submit yourself.

• Legal obligations – such as retaining invoice and payment data for accounting and tax legislation.

We do not use your data for marketing, advertising or newsletters unless you have given explicit consent. No profiling takes place.

We do not retain your personal data longer than necessary for the purpose for which it was collected.

Account and rental data are deleted no later than two years after your last rental transaction or account activity.

Identity verification via BankID – the underlying verification data (such as the BankID transaction itself) is not stored for a long period; only the confirmation that verification and signing took place is kept as part of the rental agreement.

Rental agreements and signed documents – are retained for up to ten years after the end of the rental period, in line with Swedish limitation periods for civil agreements (Preskriptionslagen 1981:130). This is necessary to demonstrate the rights and obligations of both parties.

Financial administration (such as invoices and payment receipts) is kept for as long as legally required, currently seven years under Swedish bookkeeping rules (Bokföringslagen).

After these periods expire, your data is securely deleted or anonymised.

We take appropriate technical and organisational measures to protect your data against loss, misuse, unauthorised access or disclosure.

Examples include:

• Encrypted connections (HTTPS).

• Restricted access to personal data.

• Secure storage of signed documents.

• Regular checks of our systems.

We follow the principle of data minimisation: only data that is strictly necessary for our services or legal obligations is processed.

We never sell or rent your data to third parties. Data is only shared with parties that need it to deliver our services or when we are legally required to do so.

The categories of third parties we may share data with are:

• External identity verification service – for verification and signing via BankID when entering into the rental agreement.

• Payment service providers – such as Swish, to execute payments securely.

• Parcel services – for delivering and returning LEGO® sets. Only name, address and (if needed) contact details are shared for the shipping process.

• Hosting and IT service providers – for the technical maintenance and security of our website.

• Public authorities – only when required by law (for example for tax or law enforcement).

With all parties that process personal data on our behalf we conclude a data processing agreement to ensure they treat your data confidentially and in line with the law. This covers our IT hosting, identity verification service and payment providers.

Under the GDPR and Swedish privacy legislation you have the following rights:

• Access – to know which data we hold about you.

• Rectification – of incorrect or outdated data.

• Erasure – of your data, unless a legal retention obligation applies (for example for a rental agreement or invoice).

• Restriction – of processing in certain cases.

• Objection – to processing based on our legitimate interest.

• Portability – to receive your data in a commonly used format.

You can submit a request via our contact address. We respond as quickly as possible and no later than within one month.

If we have doubts about your identity, we may ask you to confirm it, for example via BankID.

Not satisfied with how we handle your personal data? You can lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY) – www.imy.se

We may update this privacy policy from time to time, for example if our services or legislation change. The most recent version is always available on our website.

For significant changes we will inform you by email or during your next visit to our site.