Polestar 2 - Car Privacy Notice

11.20.2023

1. Introduction

This privacy notice explains how Polestar (‘we’, ‘us’, ‘our’) processes car-generated data when you use a Polestar car and associated connected services provided by Polestar and its partners.

It is important to us to be transparent and that you are informed about how we use your personal data. In this privacy notice, you will find information about the processing of personal data associated with different car features, but you will not find the explanation of the features themselves here – for this, check the owner’s manual. This notice takes precedence, in case of any discrepancy between the notice and the owner’s manual with regard to the processing of personal data. The scope of the data processing activities depends on the services with which your car is equipped, and on the services which you choose to activate. This notice describes the widest extent of processing possible. If you have an older car model, or if a new model is not equipped with a certain feature, the data processing associated with that feature will not occur.

This privacy notice does not cover:

  • The provision of the internet service in your car, which is supplied by a mobile network operator independently from Polestar.

  • Mobile applications provided by Polestar, such as the Polestar App.

  • Google Automotive Services: Polestar 2 comes with Google built-in, meaning that the infotainment system runs on the Android Automotive operating system offering Google Automotive Services (e.g., Google account, Google Maps, Google Assistant and Google Play Store). The infotainment system also offers the possibility to log in with a Google account. In these instances, Google is the responsible data controller and Polestar is not involved in the processing of your personal data. For more information, see Google Privacy Policy. Your use of the Google Automotive Services is further governed by the Google Terms of Service and Google Maps Terms of Service.

  • Third-party applications and services in the car: the features available in the Google Play Store are offered by independent vendors, similar to how they operate on a smartphone. When you connect your vehicle with a third-party application, your personal data and the data related to your vehicle are transferred to the third party providing the application to enable the connection and your use of the third-party service. For further information, refer to the individual service providers’ own terms and conditions as well as their privacy policies.

  • Third-party value-added services based on vehicle data (such as pay-as-you-drive insurance).

2. When do we process your personal data?

2.1 Overview

In this section, you will find information about what personal data we process about you, for what purposes, what our legal basis for the processing is, how long we will process your personal data for, and who is responsible for each processing purpose. We may process your personal data for several of the purposes at once. The information about the processing activities is divided into the following sections:

  1. Road safety and mobility management: vehicle functions that inform you about the road conditions and warn you of external hazards, such as connected safety and road sign information; internal responses, such as emergency services (eCall), roadside assistance; and crash investigation devices such as the event data recorder (vehicle’s “black box”) and active safety data recorder.

  2. Maintenance and repair: processing activities related to service bookings, software updates and bug reporting features.

  3. Polestar Connect and Polestar apps in the vehicle: processing of vehicle data necessary to enable remote vehicle features available in the Polestar app and to activate Polestar apps in the vehicle such as the Range app, Performance app, Journey Log and Air Quality app.

  4. Contacts with you: processing activities necessary for vehicle-related customer care.

  5. Development of business, products, and services: processing activities necessary for our continuous work with developing our business, systems, products and services.

  6. Legal obligations and voluntary undertakings and in the event of claims, disputes, supervision etc.: processing activities necessary for emissions reporting, monitoring cyber security threats, managing product manufacturer obligations such as recalls, reclamations, warranties and other complaints, data subject requests, personal data breaches and supervision, disputes, bookkeeping, transfer of data in the event of merger and acquisition and sharing of personal data with authorities.

3. Where do we get your personal data from?

We mainly collect your personal data directly from your vehicle, but in some cases, we also collect personal data from other sources, namely when:

  • service is performed on your vehicle: we collect information about the services performed on your vehicle at a Polestar service point.

  • you are in contact with our Customer Services (e.g., Customer Care; Customer Support): we receive information for example, in case of a Roadside Assistance request.

  • we receive a request on your behalf from one of Polestar’s affiliates.

  • we need to check the registered owner with authorities (Driver and Vehicle Licensing Agency) in recall matters: we collect your name, address, telephone number and e-mail address from the authority.

  • we receive a request for change of ownership from the registered owner of the vehicle: we collect the new owner’s e-mail address from the registered owner.

4. Disclosure of your personal data

4.1 How we disclose your personal data and who we disclose it to

To provide our products and services and to comply with laws and regulations, we need to disclose your personal data to others, including other companies within the Polestar Group and third parties assisting us in various parts of our business and helping us to deliver our products and services. The categories of recipients are listed below.

  • Polestar affiliates;

  • Polestar service providers: we use others to help us provide our Services (e.g., IT service providers responsible for operation maintenance and technical support of our IT solutions; mail and messaging services; banks and payment service providers; providers of analytics services). They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes;

  • Others’ services: you may connect your vehicle with others’ services e.g., providers of in-car or mobile applications and social media;

  • Authorities: we may need to disclose your data when we believe it is required by law or to help protect the rights and safety of you, us, or others. Every once in a while, we receive requests from law enforcement agencies (e.g., police, customs authorities) to provide various types of data related to Polestar cars;

  • Business partners, e.g., Volvo Car Corporation, workshops and service points, finance and leasing companies, insurance companies, vehicle charging service, legal counsels, advertising agencies/companies, and market research companies; and

  • Providers of social media platforms.

4.2 Processing of your personal data outside of the US

Polestar Automotive USA Inc. transfers personal data to the European Union and the United Kingdom.

In providing its services to Polestar Automotive USA Inc., Polestar Performance AB also sometimes transfers the personal data to service providers outside of EU/EEA or back into the US. Under EU privacy law this constitutes a reverse transfer. Transfers to the United Kingdom are carried out pursuant to its adequacy decision.

For transfers to other countries outside of EU/EEA that do not have an adequacy decision, we use EU Model Clauses entered into by all relevant third parties (article 46 of the GDPR). In addition, we take additional technical and organizational security measures when needed, such as encryption (TLS) and pseudonymization.

5. Information security

To protect your personal information from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures including encryption of transmitted and stored data, and access right concepts. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.

6. Your rights

Below, you can find a list of your rights related to our processing of your personal data under the GDPR and US privacy laws.

We have specified if a certain right only applies to residents in any of the applicable US States.

To exercise any of your rights, fill in this web form, call our toll-free number at (800) 806-2504 or contact us as described in this policy. For requests submitted via telephone or email, other than a request to opt out of sale/sharing, you must provide us with name, e-mail address, zip code and residency to allow us to reasonably verify that you are the person about whom we collected the personal information, and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for requests to access, delete, or know with the information provided, we may ask you for additional pieces of information.

Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. If you are an authorized agent making a request on behalf of another individual, you must provide us with signed documentation that you are authorized to act on behalf of that individual.

If you have any objections or complaints about the way we process your personal data, please let us know and we will try to help.

You always have the right to lodge a complaint with the relevant supervisory authority. In Sweden, you have the right to lodge a complaint with the Swedish Supervisory Authority for Privacy Protection (IMY).

6.1 Right to information and a copy of your personal data

You have the right to know if we process personal data about you. If we do, you also have the right to receive information about the personal data we process. Furthermore, you have the right to receive a copy of all personal data we have about you.

If you are interested in specific information, please indicate it in your request. For example, you can specify if you are interested in a certain type of information, such as what specific contact details we have about you, or if you want information from a certain period.

6.2 Right to have erroneous or outdated personal data corrected, updated or supplemented

If the personal data we hold about you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete information with additional information that may be needed for the information to be correct.

Once we have corrected your personal data, or it has been supplemented, we will inform those we have disclosed your data to (when applicable) about the update - if it is not impossible or too cumbersome. If you ask us, we will of course also tell you who we have disclosed your data to.

If you request to have data corrected, you also have the right to request that we restrict our processing during the time we investigate the matter.

6.3 Right to have personal data deleted

In some cases, you have the right to have your data deleted, namely when:

  1. the data is no longer needed for the purposes for which we collected it,

  2. you withdraw your consent and there is no other legal ground for the processing (if applicable),

  3. the data is used for direct marketing, and you unsubscribe from it,

  4. you oppose use that is based on our legitimate interest, and we cannot show compelling grounds for the processing which override your interests and rights,

  5. the personal data has been used unlawfully, or

  6. deletion is required to fulfil a legal obligation.

If we delete personal data following your request, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

6.4 Objecting to our use

You have the right to object to processing that is based on our legitimate interest. If you object to the use, we will, based on your situation, evaluate if our interests in using the personal data outweigh your interests in the personal data not being used for that purpose. If we are unable to provide compelling legitimate grounds that override yours, we will stop using the personal data you object to – provided we do not have to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.

You always have the right to object to, and unsubscribe from, direct marketing.

6.5 Right to withdraw your consent

You have the right to withdraw your consent for a specific processing at any time. Depending on the connected service provided by Polestar, you can withdraw your consent either by changing your Privacy Settings in the car or by contacting us.

Your withdrawal will not affect processing that has already been carried out.

6.6 Right to request restriction

Restriction means that the data is marked so that it may only be used for certain limited purposes. The right to restriction applies:

  1. when you believe the personal data are incorrect/inaccurate and you have requested correction. If so, you can also request that we limit our use while we investigate if the data are correct or not.

  2. if the use is unlawful but you do not want the personal data to be erased.

  3. when we no longer need the data for the purposes for which we collected it, but you need it to be able to establish, exercise or defend legal claims.

  4. if you object to the use. If so, you can request that we limit our use while we investigate if our interest in processing your data outweighs your interests.

Even if you have requested that we restrict our use of your data, we have the right to use it for storage, if we have obtained your consent to use it, to assert or defend legal claims or to protect someone’s rights. We may also use the information for reasons relating to an important public interest.

We will let you know when the restriction expires.

If we limit our use of your data, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

6.7 Right to data portability

If the processing is based on your consent or an agreement between us, you have the right to obtain personal data that you have provided to us in a structured, commonly used and machine-readable format and transfer it to another controller (“data portability”).

6.8 Right to opt-out of sale/sharing

Using cookies, web beacons, device identifiers, and other tracking technologies to gather analytics and to deliver advertising and content that is tailored to your interests is commonly known as “targeted advertising” (a practice California calls “sharing” data), and some states also treat this activity as a “sale” of your information.

If you are a resident of California, Colorado, Nevada, Utah, Virginia, or Connecticut, you have the right to opt out of disclosure of personal information about you to third parties for monetary or other valuable consideration. You also have the right to opt out of the sharing of personal information about you for cross-context behavioral advertising and targeted advertising.

To opt-out from the sale of personal information for valuable consideration to analytics, social media, and advertising partners, please use our Data Subject Request Form.

We do not sell or use for targeted advertising personal information on individuals we know are younger than 16 years old.

6.9 Right to non-discrimination

You have the right to not receive discriminatory treatment if and when you exercise your data subject rights under applicable US State Privacy Laws.

6.10 Right to limit use of sensitive personal information

Precise geolocation information is considered “sensitive” under the state privacy laws in California, Virginia, Connecticut and Utah. As described above, we collect vehicle location data to enable remote vehicle services, in the event of an incident or for safety and road sign information. This data is not used to pinpoint your specific location, only to provide services associated with your operation of the vehicle. You always have an option to disable car location data sharing through the Privacy Settings available in the car. If disabled, location data will not leave the car, except when required by law or to support third parties’ apps and services which you have independently agreed to.

6.11 Right to appeal

If you are a resident of Virginia, Colorado, or Connecticut and you submit a request to exercise any rights (under VCDPA, CPA, or CTDPA) and we do not take action on your request, you have the right to appeal our decision by contacting the DPO at the email address provided in the Contacts section below. In your email, please put in the subject line that you are making a “Consumer Rights Appeal”.

6.12 Right to opt out of profiling or targeted ads

If you are a resident of California, Virginia, Colorado, or Connecticut, you have the right to opt out of profiling under certain scenarios. We do not perform profiling with legal or similarly significant effects.

7. Do not track

We do not respond to Do Not Track (DNT) signals. DNT is a preference you can set on your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of your web browser.

8. Children's privacy

Our products and services are not intended to be used by children. We do not intentionally or knowingly solicit, collect or sell any personal data about children under the age of sixteen (16) nor intentionally or knowingly allow children to order our products, communicate with us, or use any of our online services or mobile applications. If a child has provided us with personal data, a parent or guardian of that child may contact us to have that data deleted from our records. If you believe that we might have any data from a child under the age of sixteen (16), please tell us using the contact information listed below. We will take all reasonable steps to delete the child’s data as soon as possible except where necessary to protect the safety of the child or others as required by law.

9. Contacts

Polestar Performance AB is the primary point of contact for data subjects who wish to exercise their rights and is primarily responsible for providing information to data subjects, for the uses of data where the controller is a company in the Polestar Group. You are of course entitled to exercise your rights under the GDPR in respect of and against each controller mentioned in this policy.

Each controller’s identity and contact details are listed below.

Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096, with mailing address Assar Gabrielssons Väg 9, 405 31 Gothenburg, Sweden, and visiting address Polestar HQ, Assar Gabrielssons Väg 9, 418 78 Göteborg.

Polestar Automotive USA Inc is a US legal entity with company registration number 82-5420108 having its address at 1 Volvo Dr., Rockleigh, NJ 07647, United States. Polestar Automotive USA Inc is – within the joint controllership – generally responsible for marketing, sales and customer relations as well as market specific services in its market.

Polestar has appointed a Data Protection Officer for the Polestar Group who can be reached via e-mail or via post as set out below:

  • E-mail address: dpo@polestar.com

  • Postal address: Polestar Performance AB, Attention: The Data Protection Officer, 405 31 Göteborg, Sweden

Prominate Ltd., a UK legal entity with company registration number 07795532, with address 21 Lombard Street, London, ECV3 9AH, United Kingdom.

10. Changes to this privacy notice

We reserve the right to change this privacy notice from time to time. We will inform you of any changes by posting the updated privacy notice on our website (including clarification of updates). If we make any material changes to our privacy notice, we will send a notification by e-mail. We encourage you to contact us if you have any questions about the privacy notice or about how we process your personal data.