PRIVACY POLICY

PERSONAL DATA PROTECTION NOTICE

  1. Introduction

Toyota Tanzania Limited, a company registered under the laws of Tanzania with registered office at 5 Nyerere road, Dar es Salaam, Tanzania and registered with the Personal Data Protection Commission  (“Toyota Tanzania Limited”), together with its subsidiaries, affiliates and related companies (together, “we”, “our” or “us”), respect your privacy and are committed to handling personal data responsibly. This Personal Data Protection Notice describes how we collect, use, store, share and otherwise process personal data when you visit our websites or premises, use our products and services, engage with our customer support, participate in our marketing activities, or otherwise interact with us (including through our dealers, agents, distributors, contractors and service providers).

We process personal data in line with the Personal Data Protection Act, 2022 and applicable regulations, and we may update this Notice from time to time. Where required, we will communicate material changes through our website.

  1. Definitions

In this Notice:

personal data” means information relating to an identifiable individual;

sensitive personal data” means personal data that is treated as sensitive under applicable law;

we/us” means Toyota Tanzania Limited and, where relevant, our group companies, authorised representatives, and service providers that process personal data on our instructions; “third party” means a person or organisation other than you or us;

partner organisation” means a third party that supports or complements our services (for example, logistics partners, payment providers, insurers, technology vendors, or professional advisers);

data controller” and “data processor” have the meanings given under the Personal Data Protection Act, 2022 and its regulations; and

“Contact Information” means the Data Protection Officer at compliance.alert@karimjee.com, or by post at 5 Nyerere Road, Dar es Salaam,

  1. Categories of personal data we may process

Contact information: such as your name, postal address, telephone number and email address.

  • Payment and transaction information: for example bank account details, payment references, invoices, and refund information (where applicable and necessary).
  • Location and usage data: where relevant, information about your location or how you use our services, products, websites or facilities (for example, to support dispatch, vehicle tracked locations, security, service delivery, or analytics).
  • Interactions and correspondence: records of enquiries, requests, bookings, complaints, feedback, call notes/recordings (where used), emails and other communications.
  • Access and authentication details: credentials and security information used to access accounts, portals or services.
  • Preferences: your stated choices (for example communication preferences) and, where appropriate, inferred preferences based on interactions.
  • Cookies and similar technologies: technical information collected from websites and applications, as described in the Cookies section below.
  • Browsing and device information: information about how you navigate our sites and the device used (subject to your settings and applicable law).
  • Sensitive personal data: We do not generally collect sensitive personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data relating to criminal offences) through our websites. Where we do need to process sensitive personal data, we will obtain your explicit consent or rely on another lawful basis permitted under the Personal Data Protection Act, 2022, and apply additional safeguards.
  • Your preferences: for products, services and lifestyle activities, as you tell us, or as we infer based on how you use our products and services.
  1. Sources of personal data

We may collect personal data directly from you, from your authorised representatives, or from other sources where permitted by law. This may occur, for example, when you engage with our sales channels, book or use our services, visit our premises, access our sites, submit forms, sign a contract, attend an event, or communicate with us.

We may also receive personal data from third parties such as employers, dealers/distributors, business partners, professional advisers, regulators, credit reporting agencies (where applicable), and from technical sources such as cookies and similar technologies used on our websites and applications.

  1. Third-party websites and external services

Our websites or applications may include links to third-party websites or services for your convenience. Those third parties operate independently and may have their own privacy practices. We do not control, endorse or accept responsibility for their content, security or data handling. We encourage you to review the privacy notices of any third-party sites you choose to use.

We may also use analytics tools (such as Google Analytics or similar services) to understand, in an aggregated manner, how our websites or applications are used. This information is intended to help us improve user experience, performance and functionality.

  1. Purposes and legal grounds for processing

We use personal data to operate our business, deliver our products and services, administer relationships with customers, guests, suppliers and other stakeholders, maintain safety and security, and meet our legal and regulatory obligations.

We will only process personal data where we have a lawful basis and for specific, explicit and legitimate purposes. Depending on the circumstances, our processing may be based on one or more of the following grounds: (i) to perform a contract with you or to take steps at your request before entering into a contract; (ii) where processing is necessary for our legitimate interests (and those interests are not overridden by your rights); (iii) to comply with a legal obligation; and/or (iv) where required, your consent (which you may withdraw, subject to legal and contractual restrictions).

 

  1. Contractual necessity (service delivery): we may need to process personal data to provide goods or services you request, manage bookings or orders, provide customer support, process payments, and communicate essential service information.

 

  1. Legitimate interests: we may process personal data to run and improve our operations (for example, enhancing service quality, preventing fraud, promoting our products and services, ensuring network and premises security, conducting internal audits, and understanding how our products and services are used). Where we rely on legitimate interests, we consider the potential impact on you and apply safeguards.

 

  • Legal and regulatory obligations: we may process and retain personal data to comply with applicable laws and lawful requests (for example tax, accounting, record-keeping, health and safety, and lawful requests from competent authorities), subject to appropriate internal controls.

 

Purpose of processing

Typical data involved

Legal basis

To process your order and provide you with your products and services

·    To process the products and services you’ve bought from us, and keep you updated with the progress of your order.

·    To provide the relevant products or services to you and to contact you about changes to the products or services.

E.g., Contact details

Physical Address

Account information

Financial details

Necessary to perform our contract / provide requested services

Billing and Customer Care

·     To bill you for using our products and services,

·     To respond to any questions or concerns you may have about our products or services.

Account information

Financial details

Contract performance / service administration

Service messages

·     We will contact you with messages to keep you updated on current information about products and services you’ve purchased. For example: new offerings; notifications to service your vehicle; changes to accessories; instructions to manage your account credentials on our portals; changes to our addresses; or the launch of new locations.

Contact details

Account information

Contract performance / essential communications

Improving and innovating our products and services through third parties

·     We collect and combine information to monitor your use of products and services (and that of our other customers) and to help us improve the quality of our products and services. We may share this information with third parties that we work with to provide you with our services.

Account information

Legitimate Interest

Marketing

·     We process this data for the purpose of sending you marketing communications. As our customer, we will keep you informed about new products and services, send you newsletters, invite you to participate in surveys, or let you know about offers, promotions, prize draws or competitions. We may contact you online, by phone, by SMS, or via push notifications.

Contact details

 

Your preferences

 

Browsing history

 

Account information

 

Location data

 

Legitimate Interest

Security

·     We will process your traffic data to protect against and detect fraud, to protect and detect misuse or damage to our sites, to recover debts or trace those who owe us money resulting from the use of our services.

Traffic data

Account information

Financial details

Legitimate interest

Credit checks and ID

·     We may carry out credit checks when you apply for any products or services with us that require them.

 

Financial details

Account information

Credential information

Contractual steps / credit assessment (where applicable)

 

Accounting and tax requirements

 

Compliance with mandatory legal obligation

Law enforcement purposes

 

Compliance with mandatory legal obligation

Complaint handling purposes

 

Compliance with mandatory legal obligation

 

In addition, we may process personal data (as applicable) to:

  1. process and reconcile payments, refunds and other financial transactions connected to our services;
  2. conduct internal controls, audits, investigations and security monitoring;
  • meet legal, regulatory and compliance requirements relevant to our business;
  1. optimise the presentation, functionality and security of our websites and digital channels across devices; and
  2. create and maintain accurate internal records and documentation.

 

  1. Marketing preferences

We may use your contact details and related information to send updates about our products, services, events and offers, and to personalise communications where appropriate. Where consent is required by law for a particular marketing channel, we will request it; otherwise, we may rely on our legitimate interests, and you can object at any time.

You can manage marketing communications at any time by using the “unsubscribe” option included in our emails or messages, or by contacting us using the details in this Notice, including at compliance.alert@karimjee.com. You may also object to processing for direct marketing.

  1. Third parties we may share personal data with

We do not trade or sell personal data. We may, however, disclose personal data to our group companies, authorised dealers/agents, and carefully selected third parties that support our operations and help us deliver services (for example ICT providers, logistics partners, payment processors, insurers, professional advisers and auditors), or where disclosure is required or permitted by law.

Where we engage a service provider to process personal data on our behalf, we require them to use the information only for the contracted services, to apply appropriate security safeguards, and to follow applicable data protection requirements. Access is limited to what is necessary for the relevant task.

We may disclose personal data to the categories of recipients below (in Tanzania or, where permitted, outside Tanzania) for the purposes set out in this Notice, to support service delivery, to protect our rights and safety, or where required or authorised by law. When sharing personal data, we take steps to ensure recipients apply appropriate confidentiality and security measures.

  1. our group entities, subsidiaries, holding companies and affiliated companies, and outsourcing partners;
  2. actual or prospective purchasers, transferees or successors of all or part of our business (and their advisers) in connection with a reorganisation, merger, acquisition or disposal;
  • authorised dealers, distributors, agents and service centres involved in providing products or services to you;
  1. business partners and service providers (for example insurers, banks/financial institutions where relevant, logistics partners, technology vendors and payment processors);
  2. government bodies, statutory authorities and industry regulators;
  3. law enforcement agencies and other competent authorities, where we are required or permitted to disclose information;
  • professional advisers and third parties we appoint to support our operations (for example auditors, lawyers, company secretaries, telecoms providers, printers, events/training organisers and other consultants).
  1. Retention

We keep personal data only for as long as necessary for the purposes described in this Notice, and in line with applicable legal, regulatory, contractual and operational requirements. In determining retention periods, we consider: (a) the nature and sensitivity of the data; (b) the purposes for which it is processed; (c) applicable legal or regulatory requirements (for example, tax and accounting records are retained for the period prescribed by the Tanzania Revenue Authority); and (d) whether the purpose can be achieved by other means. When retention is no longer required, we will securely delete, anonymise or otherwise dispose of the information in accordance with our internal procedures and the law.

  1. Security of personal data

We apply organisational and technical safeguards designed to protect personal data against loss, misuse, unauthorised access, alteration or disclosure. Our controls include access management, staff awareness, secure systems, and periodic review of security measures. While we take reasonable steps to protect information, no method of transmission or storage is completely secure. In the event of a personal data breach that is likely to affect your rights, we will notify the Personal Data Protection Commission and, where required, affected individuals, in accordance with the Personal Data Protection Act, 2022.

If you follow a link to a third-party website, please note that we do not manage that site’s security or content. Review the third party’s privacy and cookies information before providing your details through their platforms.

  1. Capacity

Our websites are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a person under 18, please contact us using the details in this Notice so that we can take appropriate steps.

  1. Transfers of personal data (within or outside Tanzania)

We may store or access personal data using systems, group companies or service providers located outside the United Republic of Tanzania (for example where certain IT infrastructure or support services are hosted abroad, or where you use our services while travelling). Where a cross-border transfer is required, we will take steps to ensure the transfer is carried out in compliance with the Personal Data Protection Act, 2022 and applicable regulations, including where necessary obtaining any required approvals/permissions and applying appropriate safeguards.

  1. Your rights

 

  1. Right of access: to request access to personal data we hold about you.
  2. Right to rectification: to request correction of inaccurate, incomplete, outdated or misleading personal data.
  • Right to object to or restrict certain processing: including where processing is likely to cause unwarranted harm or distress or where permitted by law.
  1. Right to object to direct marketing: to ask us to stop using your personal data for direct marketing purposes.
  2. Rights relating to automated decision-making: to request review where decisions are made solely by automated means, where applicable.
  3. Right to request erasure, blocking or destruction: in certain circumstances, as provided under applicable law.
  • Right to lodge a complaint: you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) if you believe your personal data has been processed in violation of the Personal Data Protection Act, 2022. The PDPC can be contacted at P.O.Box 1105, 1 Moshi Street, Viwandani, 41102 Dodoma/ https://www.pdpc.go.tz/en/ /dg@pdpc.go.tz.
  • Right to compensation: if you suffer damage as a result of a contravention of the Personal Data Protection Act, 2022, you may be entitled to compensation from the data controller or data processor responsible.

To exercise any of the rights above, or to ask questions about how we handle personal data, please contact the Data Protection Officer at compliance.alert@karimjee.com.

Cookies

We use cookies and similar technologies (small text files stored on your device) on our websites. Cookies fall into the following categories:

Strictly necessary cookies: required for the website to function (for example, session management and security). These cannot be disabled.

Performance / analytics cookies: help us understand how visitors use our websites (for example, pages visited, time on site) so we can improve functionality and content. We may use tools such as Google Analytics for this purpose.

Functionality cookies: remember your preferences (for example, language or region) to provide a more personalised experience.

Marketing / targeting cookies: used to deliver relevant advertisements and track campaign effectiveness. These are only set with your consent.

Where required by law, we will ask for your consent before setting non-essential cookies. You can manage your cookie preferences at any time through [our cookie banner / your browser settings]. Subject to your settings, we may collect information such as the domain from which you accessed our site or your internet protocol (“IP”) address, together with usage details including:

  • the date and time you accessed our website;
  • the page you visited before navigating to our website (where available); and
  • your browser type and the pages you viewed while on our site.

Some webpages may ask you to provide limited information (for example your name, email address or telephone number) so that we can respond to your message or provide a requested service. Where you choose to submit such information, we will use it for the stated purpose and handle it in line with this Notice.

This Notice was last updated on  May 2026.

Compare