Privacy Notice

Times Mobility Co., Ltd., (hereinafter the “Company”) collects and uses the personal information of its customers (hereinafter “Customers”) who make reservations or use the rental car service provided by the Company through the Website (hereinafter the “Service”) under this Privacy Notice (hereinafter the “Notice”) in accordance with the applicable laws and regulations (including, but not limited to, the General Data Protection Regulation [Regulation (EU) 2016/679] in the European Union and the European Economic Area [hereinafter the “EEA”] and the UK Data Protection Act [hereinafter collectively the “GDPR”]). When renting a car in Japan, the Customer is required to separately consent to the Handling of Personal Information under the Times Car Rental Terms and Conditions in accordance with the Personal Information Protection Act and other relevant laws and regulations in Japan.

1. Items of personal information collected by the Company

The Company will process the following items of Customers’ personal information in connection with the Service:

• Customer information (name, date of birth, nationality, email address, telephone number, etc.)
• Reservation and usage information (stores of departure/arrival, dates/times, flight information, etc.)
• Payment and contract information (payment method, credit card information, optional purchase information, insurance information, etc.)
• Information on driver’s licenses (license type, issuing country, etc.)
• Other items of personal information necessary for the purposes stated in Section 2 of this Notice.

2. Purpose of using personal information and legal basis for processing

The Company will process Customers’ personal information for the following purposes under the applicable data protection laws in performing contracts, fulfilling legal obligations, under legitimate interests, or upon Customers’ explicit consent.

Performing contracts (Article 6, Paragraph 1(b)) or fulfilling legal obligations (Article 6, Paragraph 1(c))

• To manage rental car reservations, reservation changes, and cancellations
• To verify identities and ages
• To confirm and notify reservations (e.g., reminders or check-in notices)
• To manage car rental and returns, billing, and late returns
• Otherwise to perform contracts and fulfill legal obligations

Processing under legitimate interests of the Company (Article 6, Paragraph 1(f))

• To implement the necessary measures for the maintenance and operation of the Service, including security and the prevention of wrongful use
• To share the information with contractors (processors) or affiliated companies (for the details, refer to 3. “Recipients of personal information” below)
  *Before processing the information, the Company will confirm that its pursuit of legitimate interests will not unduly infringe Customers’ rights.

*Cookies and trackers
The Company may process Customers’ personal information by using cookies and other trackers collected when they visit the Company’s website. Such processing of the information will be made under the Cookie Policy. Please check the Policy. A Customer may choose to accept or reject cookies and trackers by following the instructions in the Cookie Policy.

To prevent leakage, loss, corruption, and other accidents of Customers’ personal data, the Company will process the information by implementing appropriate safety management measures (access control, encryption, security audits, etc.).

3. Recipients of personal information

The Company may share or provide Customers’ personal information with or to the following third parties. The purpose and scope of such sharing will be limited to the minimum extent necessary under the applicable laws and regulations.

Contractors (processors) for service provision

The Company entrusts the operations necessary for providing the Service to external service providers, and these providers may process personal information on behalf of the Company.

For example, the Company entrusts the following operations:

• Development and maintenance of operational applications
• Hosting and business applications
• User support

Sharing within the Company’s group

To the extent necessary for its business operations, the Company may share personal information with group companies and franchise businesses. This includes sharing for ensuring operational consistency, optimizing customer service, and implementing internal management.

Disclosure under legal obligations

The Company may disclose or provide personal information to third parties according to needs under the applicable laws and regulations:

• To comply with requirements by a court, supervisory authority, or administrative agency
• To exercise, protect, or examine legal claims
• To make necessary protection of life, body, or property

Sharing incidental to corporate transactions

Because of the sale, merger, reorganization, liquidation, or other transactions of all or part of its business, the Company may transfer personal information to a third party. In this case, it will implement the appropriate measures under the applicable laws.

4. Sources of personal information collection

The Company will obtain Customers’ personal information in the following ways:

Provision by Customers themselves

• Information provided by direct input through the Company website, reservation forms, or customer service
• Information provided when the Company responds to inquiries in person, by telephone, or via email

Acquisition through contractors and business partners

• Information provided by agents, sales partners, and partner companies (reservation information, payment information, etc.)

Acquisition from group companies of the Company

• Information provided by group companies in Japan and overseas cooperated with the Company to the extent necessary

Sources that are publicly or legitimately available

• Acquisition of public information (e.g., registers or public records on the Internet)

5. Transfer of personal information to third-country businesses

Currently, the Company does not transfer Customers’ personal data to any third country or international organization outside the EEA. If the Company transfers personal data in the future to any third country or international organization outside the EEA, it will implement the appropriate protection measures in accordance with Chapter 5 of the GDPR and provide additional information as required.

6. Retention period of personal information

The Company will retain personal information only during the period required for achieving the purpose of its collection. The retention period will be determined under the following standards:

• Nature and confidentiality of personal information
• Potential risks from unauthorized use or leakage
• Necessary period for achieving the purpose of processing
• Existence of relevant legal obligations and accounting/tax requirements

After the expiration of a retention period, the Company will delete or anonymize personal information in a secure and irreversible manner.

7. Rights of data subjects

The Company recognizes the following rights of Customers, who are the subjects of personal information, under the applicable data protection laws. A Customer may exercise these rights in accordance with the conditions provided in laws and regulations.

• Right of access: The right to request access to and copies of personal information retained by the Company
• Right to rectification: The right to request the rectification of inaccurate or incomplete personal information
• Right to erasure: The right to request the deletion of personal information under given conditions, known as the “right to be forgotten”
• Right to restriction of processing: The right to request the temporary suspension or restriction of processing under specific conditions
• Right to data portability: The right to receive personal information in a structured, commonly used and machine-readable format to be transferred to another controller
• Right to withdraw consent: The right to withdraw consent at any time regarding consented processing (this does not affect the legality of processing before withdrawal)
• Right to object: The right to object to processing based on legitimate interests or otherwise
• Right to be excluded from automated decision-making: The right to refuse decisions based solely on automated processing, such as profiling
  The Personal Information Protection Act in Japan also recognizes the following rights for requests regarding retained personal data:
• Notification of purpose of use, disclosure, correction, addition, deletion, discontinuation of use, erasure, discontinuation of third-party provision, and disclosure of third-party provision records

If you wish to exercise these rights, please contact the desk stated in 10. “Inquiries.” After verification of your identity, the Company will respond to your request appropriately in accordance with laws and regulations.

8. Personal information required to be provided

The items of personal information required to be provided when using the various services of the Company are specified on the form that the Customer fills out. A Customer is not liable for providing these items of personal information. However, without them, the Company is not able to provide the Service to the Customer.

9. Right to file a complaint with the supervising bodies

Under the applicable laws and regulations, the Customer may be entitled to file a complaint with the supervising bodies. The supervising bodies, to which a complaint can be filed, may include those in the EU member states and those in the UK where the Customer’s place of residence or workplace is located, or a GDPR violation complaint is filed.

10. Inquiries

If you have any questions or complaints or request the exercise of rights regarding this Notice or the Company’s handling of personal information, please contact us below.

Office in charge of personal information protection in the Park24 Group

Address: 2-20-4 Nishi-Gotanda, Shinagawa-ku, Tokyo 141-8924

E-mail: kojinjoho@park24.co.jp

For the address and representative of Times Mobility Co., Ltd., please refer to the Corporate Outline.

Agent in the EEA, the UK, and Switzerland

The Company has appointed Data Protection Representative Limited (hereinafter “DataRep”) as its data protection agent. To submit an inquiry to the Company regarding the GDPR or the data protection laws in the UK and Switzerland, or to exercise a right regarding the personal data, the Customer may contact DataRep in the relevant country by one of the following methods:

• Inquiry by email
  Please send an email to datarequest@datarep.com, making sure to include “Times Mobility Co., Ltd.,” in the subject line.
• Inquiry via the Web form
  Please submit your inquiry at https://www.datarep.com/data-request.

If you have any concerns about DataRep’s handling of personal data as required in providing the agent service, please refer to the DataRep Privacy Notice (https://www.datarep.com/privacy-policy).

11. Changes to the Notice

The Company may review or revise this Notice from time to time in response to amendments to laws and regulations or changes in the service contents. Any revision to the Notice will be announced by the appropriate means, such as publication on the Company’s website. Unless otherwise provided, a revised Notice will take effect when published on the website. When the Notice is changed, the Company may revise all or a part of the Notice or make additions to it by giving notice of it in a manner the Company finds appropriate (or any other manner required by the applicable laws and regulations, if any).

Date of establishment: October 28, 2025