We are an electric performance car brand, determined to improve the society we live in. We innovate to drive progress and create a better future. At Polestar we value security and recognise the importance of ensuring the integrity and confidentiality of global communications.
We are an electric performance car brand, determined to improve the society we live in. We innovate to drive progress and create a better future. At Polestar we value security and recognise the importance of ensuring the integrity and confidentiality of global communications.
If you believe you have discovered a vulnerability or have a security issue to report, please submit a report (See below for participation requirements). Polestar information security or product security team will make best efforts to meet the following response timelines for researchers participating in our programme:
If you believe you have discovered a vulnerability or have a security issue to report, please submit a report (See below for participation requirements). Polestar information security or product security team will make best efforts to meet the following response timelines for researchers participating in our programme:
Participation in the programme is a voluntary initiative. By participating in the programme, you agree to be bound by the terms specified in this programme. If you do not wish to, or cannot comply with these terms, you cannot participate in the programme.
Participation in the programme is a voluntary initiative. By participating in the programme, you agree to be bound by the terms specified in this programme. If you do not wish to, or cannot comply with these terms, you cannot participate in the programme.
You must meet the following criteria to be eligible to participate:
You must meet the following criteria to be eligible to participate:
- You must be either the legal age of majority in your country or at least 15 years of age with permission from your legal guardian that you may participate in the programme;
- When acting as a participant, you are not violating any other agreement to which you may be a party - we are not liable for any breach of such third party agreement by you and disclaim any knowledge of or responsibility for your conduct;
- You are not listed under or resident in a country that is under a US, Switzerland, European Union, or United Nations embargo or sanctions list; and
- You are not an employee, contractor, representative, or a family member of a Polestar employee, contractor, or representative
Polestar wishes to thank and acknowledge the security researchers who are the first to identify vulnerabilities. Thanks to their support and the countermeasures developed by us, we continue to enhance the security of our products and services.
Polestar wishes to thank and acknowledge the security researchers who are the first to identify vulnerabilities. Thanks to their support and the countermeasures developed by us, we continue to enhance the security of our products and services.
Any information that you access, acquire, receive or collect about us, our affiliates or any of our users, consumers, employees or agents (“Confidential Information”) must be kept confidential and used only to provide us with the specific reporting that is requested in these Terms. You may not use, disclose or distribute any such Confidential Information in any other manner without our prior written consent.
Any information that you access, acquire, receive or collect about us, our affiliates or any of our users, consumers, employees or agents (“Confidential Information”) must be kept confidential and used only to provide us with the specific reporting that is requested in these Terms. You may not use, disclose or distribute any such Confidential Information in any other manner without our prior written consent.
You agree that the Submission and the described Vulnerability shall be deemed the Confidential Information of Polestar and you shall not publish, discuss or disclose the Submission or the Vulnerability in any manner or to any third parties. You may publish and discuss the Vulnerability only after receiving notice that the Vulnerability is fixed, subject to the prior written consent of Polestar, which shall not be unreasonably withheld. Any publication shall not name Polestar or reveal any Confidential Information.
You agree that the Submission and the described Vulnerability shall be deemed the Confidential Information of Polestar and you shall not publish, discuss or disclose the Submission or the Vulnerability in any manner or to any third parties. You may publish and discuss the Vulnerability only after receiving notice that the Vulnerability is fixed, subject to the prior written consent of Polestar, which shall not be unreasonably withheld. Any publication shall not name Polestar or reveal any Confidential Information.
For the purposes of this programme “Intellectual Property Rights” means: including without limitation, rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, trade secrets and any other intellectual property rights arising anywhere in the world, whether registered or unregistered, and applications for the grant of any such rights.
For the purposes of this programme “Intellectual Property Rights” means: including without limitation, rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, trade secrets and any other intellectual property rights arising anywhere in the world, whether registered or unregistered, and applications for the grant of any such rights.
Nothing in this programme grants you any Intellectual Property Rights or any other rights or licenses in our products. You acknowledge and agree that Polestar shall own any and all content or data that is revealed, discovered, or accessed as a result of your participation in the programme.
Nothing in this programme grants you any Intellectual Property Rights or any other rights or licenses in our products. You acknowledge and agree that Polestar shall own any and all content or data that is revealed, discovered, or accessed as a result of your participation in the programme.
1. How do we handle your personal data?
This section describes how Polestar processes your personal data when when you contact and report a vulnerability to us (hereinafter “Vulnerability Reporting”).
This section describes how Polestar processes your personal data when when you contact and report a vulnerability to us (hereinafter “Vulnerability Reporting”).
2. Who we are
Polestar Performance AB, a Swedish legal entity with company registration number 556653-3096 with address Assar Gabrielssons Väg 9, SE-405 31 Gothenburg, Sweden, hereinafter referred to as “Polestar”, “we” and “our”, will as controller process your personal data as described below.
Polestar Performance AB, a Swedish legal entity with company registration number 556653-3096 with address Assar Gabrielssons Väg 9, SE-405 31 Gothenburg, Sweden, hereinafter referred to as “Polestar”, “we” and “our”, will as controller process your personal data as described below.
3. What personal data we collect and why
While reporting a vulnerability to us, we will process the following categories of personal data:
While reporting a vulnerability to us, we will process the following categories of personal data:
- Your name, phone number (including country code) and organization (if applicable). This data is used in order for Polestar to contact you during the investigation / coordination.
- Any information provided by you relating to the reported vulnerability, herein included, but not limited to VIN, etc.
- Any information obtained during the communication between Polestar and you in relation to the Vulnerability Reporting.
4. How long we keep your data
The collected data is kept for a period of 1 (one) year after the vulnerability investigation / coordination has been concluded. We will however keep on our systems the conclusions of the investigation / coordination in an anonymized format.
The collected data is kept for a period of 1 (one) year after the vulnerability investigation / coordination has been concluded. We will however keep on our systems the conclusions of the investigation / coordination in an anonymized format.
5. Disclosure of your personal data
We will disclose your personal data with the following categories of recipients, on a need-to-know basis:
We will disclose your personal data with the following categories of recipients, on a need-to-know basis:
- Our service providers (processors) supporting Polestar’s activities in general, such as providers of IT solutions
- Companies within the Polestar group – for managing vulnerabilities relating to their systems.
6. Transfer of your personal data
We strive to process your personal data within the EU/EEA area. However, your personal data will be transferred outside the EU/EEA in some situations, such as when we share your information with a business partner or subcontractor operating outside the EU/EEA.
We strive to process your personal data within the EU/EEA area. However, your personal data will be transferred outside the EU/EEA in some situations, such as when we share your information with a business partner or subcontractor operating outside the EU/EEA.
We transfer personal data to the following countries outside of the EU/EEA: the United States and the United Kingdom.
We transfer personal data to the following countries outside of the EU/EEA: the United States and the United Kingdom.
We always ensure that the same high level of protection applies to your personal data according to the GDPR, even when the data is transferred outside of the EU/EEA. As regards the United Kingdom, the Commission has decided that it ensures an adequate level of protection (article 45 of the GDPR), but regarding transfers to the United States we have entered into EU Model Clauses with all relevant third parties (article 46 of the GDPR) or they are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce. In addition, we take additional technical and organisational security measures when needed, such as encryption (TLS) and pseudonymisation.
We always ensure that the same high level of protection applies to your personal data according to the GDPR, even when the data is transferred outside of the EU/EEA. As regards the United Kingdom, the Commission has decided that it ensures an adequate level of protection (article 45 of the GDPR), but regarding transfers to the United States we have entered into EU Model Clauses with all relevant third parties (article 46 of the GDPR) or they are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce. In addition, we take additional technical and organisational security measures when needed, such as encryption (TLS) and pseudonymisation.
7. Your rights
You have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. You can withdraw your consent or object to our processing of your data, access the data we hold about you, ask for rectification or restriction of your data, request to have your data ported to another entity, request that we delete your data, and finally you can file a complaint with a data protection supervisory authority. For more information about your rights, see our Customer Privacy Policy.
You have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. You can withdraw your consent or object to our processing of your data, access the data we hold about you, ask for rectification or restriction of your data, request to have your data ported to another entity, request that we delete your data, and finally you can file a complaint with a data protection supervisory authority. For more information about your rights, see our Customer Privacy Policy.
In order to exercise your rights, please use this web form. If you have any other questions regarding the subject matter of personal data protection, you can contact us or our Data Protection Officer on the contact details stated on polestar.com/privacy-policy.
In order to exercise your rights, please use this web form. If you have any other questions regarding the subject matter of personal data protection, you can contact us or our Data Protection Officer on the contact details stated on polestar.com/privacy-policy.
8. Contact information
Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096, with mailing address Assar Gabrielssons Väg 9, 405 31 Gothenburg, Sweden, and visiting address Polestar HQ, Assar Gabrielssons Väg 9, 418 78 Göteborg.
Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096, with mailing address Assar Gabrielssons Väg 9, 405 31 Gothenburg, Sweden, and visiting address Polestar HQ, Assar Gabrielssons Väg 9, 418 78 Göteborg.
9. Changes to our Privacy Notice
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy notice under which they were collected, unless we have your consent to treat them differently.
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy notice under which they were collected, unless we have your consent to treat them differently.