Index

Polestar 2 - Car Privacy Notice

1. Introduction

This privacy notice explains how Polestar (‘we’, ’us’ ‘our’) processes car generated data, when you use a Polestar car and associated connected services provided by Polestar and its partners.

It is important to us to be transparent and that you are informed about how we use your personal data. In this privacy notice, you will find information about the processing of personal data associated with different car features, but you will not find the explanation of the features themselves here – for this, check the owner’s manual. This notice takes precedence, in case of any discrepancy between the notice and the owner’s manual with regard to the processing of personal data. The scope of the data processing activities depends on the services with which your car is equipped, and on the services which you choose to activate. This notice describes the widest extent of processing possible. If you have an older car model, or if a new model is not equipped with a certain feature, the data processing associated with that feature will not occur.

This privacy notice does not cover:

  • The provision of the internet service in your car, which is supplied by a mobile network operator independently from Polestar.

  • Mobile applications provided by Polestar, such as the Polestar App.

  • Google Automotive Services: Polestar 2 comes with Google built-in, meaning that the infotainment system runs on the Android Automotive operating system offering Google Automotive Services (e.g., Google account, Google Maps, Google Assistant and Google Play Store). The infotainment system also offers the possibility to log-in with a Google account. In these instances, Google is the responsible data controller and Polestar is not involved in the processing of your personal data. For more information, see Google Privacy Policy. Your use of the Google Automotive Services is further governed by the Google Terms of Service and Google Maps Terms of Service.

  • Third-party applications and services in the car: the features available in the Google Play Store are offered by independent vendors, similarly with how they operate on a smartphone. When you connect your vehicle with a third-party application, your personal data and the data related to your vehicle is transferred to the third-party providing the application to enable the connection and your use of the third-party service. For further information, refer to the individual service providers’ own terms and conditions as well as their privacy policies.

  • Third-party value-added services based on vehicle data (such as pay-as-you-drive insurance).

2. When do we process your personal data?

2.1 Overview

In this section, you will find information about what personal data we process about you, for what purposes, what our legal basis for the processing is, how long we will process your personal data for, and who is responsible for each processing purpose. We may process your personal data for several of the purposes at once. The information about the processing activities is divided into the following sections:

  1. 1.

    Road safety and mobility management: vehicle functions that inform you about the road conditions and warn you of external hazards, such as connected safety and road sign information; internal responses, such as emergency services (eCall), roadside assistance; and crash investigation devices such as the event data recorder (vehicle’s “black box”) and active safety data recorder. Read more.

  2. 2.

    Maintenance and repair: processing activities related to service bookings, software updates and bug reporting features. Read more.

  3. 3.

    Polestar Connect and Polestar apps in the vehicle: processing of vehicle data necessary to enable remote vehicle features available in the Polestar app and to activate Polestar apps in the vehicle such as the Range app, Performance app, Journey Log and Air Quality app. Read more.

  4. 4.

    Contacts with you: processing activities necessary for vehicle-related customer care. Read more.

  5. 5.

    Development of business, products, and services: processing activities necessary for our continuous work with developing our business, systems, products and services. Read more.

  6. 6.

    Legal obligations and voluntary undertakings and in the event of claims, disputes, supervision etc., processing activities necessary for emissions reporting, monitoring cyber security threats, managing product manufacturer obligations such as recalls, reclamations, warranties and other complaints, data subject requests, personal data breaches and supervision, disputes, bookkeeping, transfer of data in the event of merger and acquisition and sharing of personal data with authorities. Read more.

3. Where do we get your personal data from?

We mainly collect your personal data directly from your vehicle, but in some cases, we also collect personal data from other sources, namely when:

  • service is performed on your vehicle: we collect information about the services performed on your vehicle at a Polestar service point.

  • you are in contact with our Customer Services (e.g., Customer Care; Customer Support): we receive information for example, in case of a Roadside Assistance request.

  • we receive a request on your behalf from one of Polestar’s affiliates.

  • we need to check the registered owner with authorities (Driver and Vehicle Licensing Agency) in recall matters: we collect your name, address, telephone number and e-mail address from the authority.

  • we receive a request for change of ownership from the registered owner of the vehicle: we collect the new owner’s e-mail address from the registered owner.

4. Disclosure of your personal data

4.1 How we disclose your personal data and who we disclose it to

To provide our products and services and to comply with laws and regulations, we need to disclose your personal data to others, including other companies within the Polestar Group and third parties assisting us in various parts of our business and helping us to deliver our products and services. The categories of recipients are listed below.

  • Polestar affiliates;

  • Polestar service providers: we use others to help us provide our Services (e.g., IT service providers responsible for operation maintenance and technical support of our IT solutions; mail and messaging services; banks and payment service providers; providers of analytics services). They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes;

  • Others’ services: you may connect your vehicle with others’ services e.g., providers of in-car or mobile applications and social media;

  • Authorities: we may need to disclose your data when we believe it is required by law or to help protect the rights and safety of you, us, or others. Every once in a while, we receive requests from law enforcement agencies (e.g., police, customs authorities) to provide various types of data related to Polestar cars. As a general approach, we only provide personal data when legally required;

  • Business partners, e.g., Volvo Car Corporation, workshops and service points, finance and leasing companies, insurance companies, vehicle charging service, legal counsels, advertising agencies/companies, and market research companies, and;

  • Providers of social media platforms.

4.2 Processing of your personal data outside of Canada

Because we use service providers that are located in the US, and our service providers in the US also rely on the services of our affiliates in the US and the European Union or United Kingdom, your personal data will be transferred outside the Canadian province where it was collected for these purposes.

Polestar Automotive Canada Inc. transfers personal data to the European Union, the US and the United Kingdom.

In providing its services to Polestar Automotive Canada Inc., Polestar Performance AB also sometimes transfers the personal data to service providers outside if EU/EEA or to the US. Under EU privacy law this constitutes a reverse transfer. Transfers to the United Kingdom are carried out pursuant to its adequacy decision. For transfers to other countries outside of EU/EEA and the US, that do not have an adequacy decision, we use EU Model Clauses entered into by all relevant third parties (article 46 of the GDPR) or they are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce. In addition, we take additional technical and organizational security measures when needed, such as encryption (TLS) and pseudonymization.

5. Information security

To protect your personal information from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures including encryption of transmitted and stored data, and access right concepts. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.

6. Your rights

Below, you can find a list of your rights related to our processing of your personal data under the GDPR and privacy laws in Canada e.g. PIPEDA.To exercise your right, you may submit a request by using our web form, call (800) 806-2507 or email us at dpo@polestar.com. For requests submitted via telephone or email, you must provide us with information to allows us to reasonably verify that you are the person about whom we collected the personal information and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and deletion requests with the information provided, we may ask you for additional pieces of information.

6.1 Right to lodge complaints

You always have the right to lodge a complaint with the supervisory authority where you live, work or where you believe an infringement has taken place. In Sweden, you have the right to lodge a complaint with the Swedish Supervisory Authority for Privacy Protection (IMY). A list of European supervisory authorities is available here.

Under PIPEDA, you have the right to complain directly to us regarding our alleged noncompliance with PIPEDA. We will review and respond to your complaint. PIPEDA-related complaints can be directed to our Privacy Officer at dpo@polestar.com c/o Polestar Automotive Canada Inc.

6.2 Right to information and a copy of your personal data

You have the right to know if we process personal data about you. If we do, you also have the right to receive information about the personal data we process and why we do it. If we collect your personal information from another person or entity (i.e. not you), you have the right to be informed of our source for your data. Similarly, if we share your information with another person or entity, you have the right to request we disclose to you those parties. Furthermore, you have the right to receive a copy of all personal data we have about you.

If you are interested in specific information, please indicate it in your request. For example, you can specify if you are interested in a certain type of information, such as what specific contact details we have about you, or if you want information from a certain period.

6.3 Right to have erroneous or outdated personal data corrected, updated or completed

If the personal data we hold about you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete information with additional information that may be needed for the information to be correct.

Once we have corrected your personal data, or it has been supplemented, we will inform those we have disclosed your data to (when applicable) about the update - if it is not impossible or too cumbersome. If you ask us, we will of course also tell you who we have disclosed your data to.

If you request to have data corrected, you also have the right to request that we restrict our processing during the time we investigate the matter.

6.4 Right to have personal data deleted

In some cases, you have the right to have your data deleted, namely when:

  1. 1.

    the data is no longer needed for the purposes for which we collected it,

  2. 2.

    you withdraw your consent and there is no other legal ground for the processing (if applicable),

  3. 3.

    the data is used for direct marketing, and you unsubscribe from it,

  4. 4.

    you oppose use that is based on our legitimate interest, and we cannot show compelling grounds for the processing which override your interests and rights,

  5. 5.

    the personal data has been used unlawfully, or

  6. 6.

    deletion is required to fulfil a legal obligation.

If we delete personal data following your request, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

6.5 Objecting to our use

You have the right to object to processing that is based on our legitimate interest. If you object to the use, we will, based on your situation, evaluate if our interests in using the personal data outweigh your interests in the personal data not being used for that purpose. If we are unable to provide compelling legitimate grounds that override yours, we will stop using the personal data you object to – provided we do not have to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.

You always have the right to object to, and unsubscribe from, direct marketing.

6.6 Right to withdraw your consent

You have the right to withdraw your consent for a specific processing at any time. Depending on the connected service provided by Polestar, you can withdraw your consent either by changing your Privacy Settings in the car or by contacting us.If you withdraw your consent, we will also instruct our processors to, if possible, end any processing of relevant information that we have shared with them.

Your withdrawal will not affect processing that has already been carried out.

6.7 Right to request restriction

Restriction means that the data is marked so that it may only be used for certain limited purposes. The right to restriction applies:

  1. 1.

    when you believe the personal data are incorrect/inaccurate and you have requested correction. If so, you can also request that we limit our use while we investigate if the data are correct or not.

  2. 2.

    if the use is unlawful but you do not want the personal data to be erased.

  3. 3.

    when we no longer need the data for the purposes for which we collected it, but you need it to be able to establish, exercise or defend legal claims.

  4. 4.

    if you object to the use. If so, you can request that we limit our use while we investigate if our interest in processing your data outweighs your interests.

Even if you have requested that we restrict our use of your data, we have the right to use it for storage, if we have obtained your consent to use it, to assert or defend legal claims or to protect someone’s rights. We may also use the information for reasons relating to an important public interest.

We will let you know when the restriction expires.

If we limit our use of your data, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.

6.8 Right to data portability

If the processing is based on your consent or an agreement between us, you have the right to obtain personal data that you have provided to us in a structured, commonly used and machine-readable format and transfer it to another controller (“data portability”).

6.9 Rights under Quebec 64

If you are a resident of Quebec, you have some additional rights as described below:

Decisions based on automated processing. If we use your personal information to render a decision based exclusively on automated processing, you have the right to be informed of this at or before the time of the decision.

7. Contacts

Polestar Performance AB is the primary point of contact for data subjects that wish to exercise their rights and the main responsible for providing information to data subjects, for the uses of data where the controller is a company in the Polestar Group. You are of course entitled to exercise your rights under the GDPR in respect of and against each controller mentioned in this notice.

Each controller’s identity and contact details are listed below.

Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096, with mailing address Assar Gabrielssons Väg 9, 405 31 Gothenburg, Sweden, and visiting address Polestar HQ, Assar Gabrielssons Väg 9, 418 78 Göteborg.

Polestar Automotive Canada Inc. is a Canadian legal entity with company registration number 2021859588 having its address at 2500, 10303 Japser Avenue, Edmonton, Alberta, T5J 3N6, Canada.

Polestar has appointed a Data Protection Officer for the Polestar Group who can be reached via e mail or via post as set out below:

  • E-mail address: dpo@polestar.com

  • Postal address: Polestar Performance AB, Attention: The Data Protection Officer, 405 31 Göteborg, Sweden

Volvo Car Corporation is a Swedish legal entity with company registration number 556074-3089, with address 405 31 Gothenburg, Sweden.

8. Changes to this privacy notice

We reserve the right to change this privacy notice from time to time. We will inform you of any changes by posting the updated privacy notice on our website (including clarification of updates). If we make any material changes to our privacy notice, we will send a notification by e-mail. We encourage you to contact us if you have any questions about the privacy notice or about how we process your personal data.