Index
Customer Privacy Policy
1. Introduction
This privacy policy covers all processing of personal data performed by Polestar Performance AB and/or Polestar Automotive USA Inc. ("Polestar", “our”, “us” or "we"), except for:
processing of your data relating to our cars, which is explained in our Car Privacy Notice [coming soon], and
processing of your data in relation to our apps, which is explained in our privacy notice for each app.
It is important to us that you always feel safe and informed about how we process your personal data. In this privacy policy, you can learn more about what personal data we collect and process about you, why we do it, how we use the personal data and how we ensure that your personal data is handled in accordance with applicable legislation, and what rights you have. You can of course contact us, or our data protection officer, if you have questions about our processing of your personal data. See contact details.
This policy is updated continuously to reflect the measures taken by Polestar in relation to your personal data. Read more.
This privacy policy does not apply to authorized Polestar retailers, or third parties to whom you directly provide your information including, but not limited to, subscription services, or other third parties who may offer special rates or products to Polestar Automotive USA Inc. customers, nor to content posted on their websites or social media channels. These entities are independent of Polestar Automotive USA Inc. and responsible for their own collection of information. Please refer directly to those entities and their particular privacy policies for more information.
This privacy policy uses the term “personal data” in line with the EU General Data Protection Regulation (GDPR). Personal data means any information relating to an identified or identifiable natural person and includes “personal information” as that term is defined in the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
This privacy policy refers to “US State Privacy Laws” which includes the CCPA, CPRA, the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), Nevada’s “An Act relating to Internet privacy” (Nev. SB 220), the Utah Consumer Privacy Act (UCPA) in Utah and the Virginia Consumer Data Protection Act (VCDPA).
The concepts “controller” and “joint controllers” are terms used in the EU GDPR. A controller is the company that determines the purposes (why) and the means (how) of personal data processing – in other words, the controller is responsible for the processing of the personal data. When two or more companies jointly determine the purpose and means of the personal data processing, those companies are called joint controllers. The term “processor” refers to a service provider or third party under US privacy laws, which processes personal data on behalf of the controller. In the text below, you will find who acts as a controller/business, joint controller, or processor/service provider for each processing and we explain their respective roles below.
2. When do we process your personal data?
2.1 Overview
In this section, we will inform you about what personal data we process about you, for what purposes, what our legal basis for the processing is, how long we will process your personal data for, and who the controller/controllers are for each processing purpose. We may process your personal data for several of the following purposes at once. The information is divided into the following parts:
- 1.
Polestar website, which includes information about our processing of personal data related to our chat function, your account on polestar.com and our processing of personal data collected using cookies. Read more.
- 2.
When providing our products and services, which includes information about our processing of personal data relating to your Polestar ID accounts, your purchase of products and services, your reservation of a build slot for a vehicle and our waiting list for such build slots, test drive bookings, service bookings, our referral program, our Polestar Fleet Portal, our administration of request for change of ownership of a vehicle and our Guest Wi-Fi. Read more.
- 3.
When we are in contact with you, which includes information about our processing of personal data relating to our customer support, our contacts with you on social media and on Polestar Community, our virtual and digital consultations, our events and competitions and our contact with you to remind you of non-completed orders. Read more.
- 4.
When marketing our business, brands, products and services, which includes information about our processing of personal data relating to marketing through telephone, e-mail, websites, social media and press releases and our use in marketing material of photos and videos of participants at events. In this section you will also find information about our profiling for marketing purposes. Read more.
- 5.
When developing our business, products and services, which includes information about our processing of personal data relating to our use of surveys and market research, training of our employees and our continuous work with developing our business, systems, products and services. Read more.
- 6.
E-mail analyses. We use technologies such as tracking pixels or click-through links when sending you e-mails. The purpose of using tracking pixels is to analyse if and how many emails are delivered and opened. The purpose of using click-through links is to analyse which links in our emails are clicked, to understand what interest there is in specific content. We use the result to make our e-mails more relevant or to stop them from being sent. By deactivating the display of images in your e-mail client, we will not be able to measure the opening rate of our e-mails using tracking pixels and the e-mail will not be displayed completely. However, if you click on text or graphic links in the e-mail, we will still be able to track whether the e-mail has been opened. To avoid that such data is collected and tracked, do not click on text or graphic links in the e-mails.
- 7.
When you apply for a job at Polestar. Read more.
- 8.
To comply with laws, legal obligations and voluntary undertakings and in the event of claims, disputes, supervision etc. This part includes information about our processing of personal data relating to recalls, claims and complaints, data subject requests, data subject complaints, data breaches and supervision, disputes, bookkeeping, financial reporting, transfer of data in the event om merger and acquisition and sharing of personal data with authorities. Read more.
2.2 Polestar’s website
2.2.1 Web analytics/cookies
When you visit our website, we collect certain information about you using cookies and other tracking technologies. This is for our website to function, to improve the user experience of our website, to collect visitor statistics and to provide you with relevant marketing in various channels (see more details regarding the marketing purpose). For more information on how we manage cookies, see our Cookie Policy. Polestar Performance AB is controller for the processing relating to web analytics/cookies.
2.2.2 The chat
To chat with you and answer your questions and provide you with requested information, products and services, we process your personal data. Read more about our processing related to the chat under customer support. Polestar Performance AB and Polestar Automotive USA Inc. are joint controllers for processing relating to the chat.
2.2.3 Your Polestar ID account on polestar.com
For you to be able to create and log in to your account on our website and use those web services that require a Polestar ID, we will process your name, e mail address, phone number, password, relevant market and preferred language. Our legal basis for processing your personal data is to perform the contract (GDPR, article 6.1 (b)). We will continue to process your personal data for up to thirty (30) days after you have terminated your account. Polestar Performance AB is controller for the processing relating to your Polestar ID account.
2.5.1 Profiling
We will collect, process and combine certain types of personal data (as explained in the next paragraph) to predict your personal preferences and categorize you into a “segment affiliation”. This is a group of approximately 5,000-15,000 individuals with similar preferences, interests, and behavior. Everyone categorized into the same segment affiliation will receive the same type of marketing. We do this in order to provide you with marketing and other communication which is relevant to you considering your specific situation, needs and interests, The segments we create can for example include “people that visited the product page, started configuration, and chose the color red".
For this purpose, we process your IP address, information on your browsing on our website, e.g. product interest and configuration, device information, unique online identifiers and interaction in relation to our ads on third-party websites (your “Online Web Behavior Data”), in pseudonymized form. If you consent to the use of cookies for targeting and ads, we will combine your Online Web Behavior Data with aggregated data obtained from third party data providers through cookies, such as information about your personal preferences, demographics and content consumption (“Third Party Data”), and data that you provide us with when you interact with us, such as e-mail address, phone number, postal code, country of residence, your interests, purchased products or services and your interactions with us (“Customer Data”). This data will determine your segment affiliation.
Your segment affiliation may also be used to create so-called lookalike audiences, meaning that we create a target audience based on the same characteristics of the individuals belonging to a certain segment affiliation. This enables us to target potential customers with similar interests, behavior or characteristics as the people that already have shown an interest in our products and services. In other words, we will use your segment affiliation to target other individuals with the same characteristics.
We will also use your segment affiliation to get a better general understanding of you and your needs, provide better customer support, and to keep track of your interactions with us.
Your segment affiliation will not produce any legal effects or affect you in any similar way. For UK and EU data protection laws, the legal basis for placing, collecting and having access to the mentioned information from cookies is your consent, read more in our Cookie Policy. For UK and EU data protection laws, the legal basis for creating profiles, placing you in a segment affiliation, creating lookalike audiences and for sending you marketing based on your segment affiliation is your consent to marketing and profiling.
3. Where do we get your personal data from?
We mainly collect your personal data directly from you, but in some cases, we also collect personal data from other sources, namely when:
you decide to finance your vehicle through leasing or a loan: we collect information about the status of your finance or leasing application from the finance or leasing company.
service is performed on your vehicle: we collect information about the services performed on your vehicle in the workshop.
we receive a request for change of ownership from the registered owner of the vehicle: we collect the new owner’s e-mail address from the registered owner.
we create some personal data about you, such as Vehicle Identification Number (VIN) and individual license plate of your purchased vehicle, which will be personal data about you. We may also observe and infer personal data about you, such as your online behavior and segment affiliation. Read more.
recorded phone calls between you and Polestar retailers from the Polestar retailers you have been in contact with via phone.
4. Disclosure of your personal data
4.1 How we disclose your personal data and who we disclose it to
To provide our products and services and to comply with laws and regulations, we need to disclose your personal data to others, including other companies within the Polestar Group and third parties assisting us in various parts of our business and helping us to deliver our products and services. In each table you can find information about whom the data is shared with, and you can also find the categories of recipients listed below.
IT providers, e.g. companies that manage the necessary operation, technical support and maintenance of our IT solutions,
Polestar affiliates,
Subcontractors: mail and messaging services, banks and payment service providers, providers of analytics services,
Authorities. In certain circumstances, we may be legally required to disclose information to government or law enforcement authorities, e.g. the police, privacy protection authorities, tax authorities, public courts, vehicle registration authorities, or enforcement agencies. This may be in response to valid and lawful requests, such as subpoenas, court orders or other legal processes. We may also disclose information when necessary to protect the rights, property, or safety of you, us, or others.
We comply with all applicable laws and regulations regarding the disclosure of information to government authorities. We carefully review each request to ensure its validity and legality, as well as the impact of the data disclosure on the subjects affected by the request before disclosing any information. We strive to protect your privacy and rights to the extent permitted by law.
In the event of a government request for information, we will make reasonable efforts to notify you unless prohibited by law or court order. If you have any questions or concerns about our practice of disclosing information to the authorities, please contact us,
Business partners, e.g. workshops, finance and leasing companies, insurance companies, legal counsels, printing companies (marketing purposes), advertising agencies/companies, market research companies, and
Providers of social media platforms.
4.2 Specific sharing in the Preceding Twelve (12) Months:
4.2.1 Sharing for a business purpose within the preceding twelve (12) months
In the preceding 12 months, we have disclosed for a business purpose:
Your personal identifiers with retailers so that the retailer can respond to your request to schedule a test drive.
Your personal identifiers with retailers so that the retailer can facilitate your vehicle purchase.
Your internet activity information to our IT support to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, identify and repair Website errors, and to maintain and improve the Website.
Your personal identifiers with our service providers that assist us in providing the Website, including IT support, customer service, and website host.
Your personal identifiers with our marketing providers and media agency for our own direct marketing purposes.
4.2.2 Sales within the preceding twelve (12) months
In the preceding 12 months, we have shared your personal identifiers and commercial information with advertising platforms to engage in lookalike advertising to target our communications more accurately to audience segments, provide personalized content communications to existing of perspective consumers, and to generate marketing leads. We also shared internet activity information with advertising platforms via cookies to provide targeted advertising. We have shared your personal identifiers (e-mail address and VIN) with a radio broadcast provider. These advertising platforms and radio broadcast may keep and use your personal information for their own purposes, and is a sale/sharing under CCPA/CPRA. To opt-out of the sale/sharing, submit your request in our web form.
4.3 Processing of your personal data outside of the US
Polestar Automotive USA Inc. transfers personal data to the European Union and the United Kingdom.
In providing its services to Polestar Automotive USA Inc., Polestar Performance AB also sometimes transfers the personal data to service providers outside of EU/EEA or back into the US. Under EU privacy law this constitutes a reverse transfer. Transfers to the United Kingdom are carried out pursuant to its adequacy decision. For transfers to other countries outside of EU/EEA that do not have an adequacy decision, we use EU Model Clauses entered into by all relevant third parties (article 46 of the GDPR) or they are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce. In addition, we take additional technical and organizational security measures when needed, such as encryption and pseudonymization.
5. Information security
To protect your personal information from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures including encryption of transmitted and stored data, and access right concepts. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.
6. Your rights
Below, you can find a list of your rights related to our processing of your personal data under the GDPR and US privacy laws.
We have specified if a certain right only applies to residents in any of the applicable US States.
To exercise any of your rights, fill in this web form, call our toll-free number at (800) 806-2504 or contact us as described in this policy. To opt out of the sale of your personal information via cookies under applicable US State Privacy Laws, please visit our . For requests submitted via telephone or email, other than a request to opt out of sale/sharing, you must provide us with name, e-mail address, zip code and residency to allows us to reasonably verify that you are the person about whom we collected the personal information and describe your request with sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for requests to access, delete, or know with the information provided, we may ask you for additional pieces of information.
Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. If you are an authorized agent making a request on behalf of another individual, you must provide us with signed documentation that you are authorized to act on behalf of that individual.
If you have any objections or complaints about the way we process your personal data, please let us know and we will try to help.
You always have the right to lodge a complaint with the relevant supervisory authority. In Sweden, you have the right to lodge a complaint with the Swedish Supervisory Authority for Privacy Protection (IMY).
6.1 Right to information and a copy of your personal data
You have the right to know if we process personal data about you. If we do, you also have the right to receive information about the personal data we process. Furthermore, you have the right to receive a copy of all personal data we have about you. If you reside in Quebec, you also have the right to request we provide information about the categories of our employees (or contractors) who have access to your information.
If you are interested in specific information, please indicate it in your request. For example, you can specify if you are interested in a certain type of information, such as what specific contact details we have about you, or if you want information from a certain period.
6.2 Right to have erroneous or outdated personal data corrected, updated or supplemented
If the personal data we hold about you is incorrect, you have the right to have it corrected. You also have the right to supplement incomplete information with additional information that may be needed for the information to be correct.
Once we have corrected your personal data, or it has been supplemented, we will inform those we have disclosed your data to (when applicable) about the update - if it is not impossible or too cumbersome. If you ask us, we will of course also tell you who we have disclosed your data to.
If you request to have data corrected, you also have the right to request that we restrict our processing during the time we investigate the matter (this is in addition to your general right to restriction, described below).
6.3 Right to have personal data deleted
Your right to request the deletion of your personal information that we collect or maintain is subject to certain exceptions. For example, if we are required by law to retain the information that you are asking to be deleted, we would not be able to delete the information until we are legally permitted to delete it. In some cases, you have the right to have your data deleted, including when:
- 1.
the data is no longer needed for the purposes for which we collected it,
- 2.
you withdraw your consent and there is no other legal ground for the processing (if applicable),
- 3.
the data is used for direct marketing, and you unsubscribe from it,
- 4.
you oppose use that is based on our legitimate interest, and we cannot show compelling grounds for the processing which override your interests and rights,
- 5.
the personal data has been used unlawfully, or
- 6.
deletion is required to fulfil a legal obligation.
If we delete personal data following your request, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.
6.4 Objecting to our use
You have the right to object to processing that is based on our legitimate interest. If you object to the use, we will, based on your situation, evaluate if our interests in using the personal data outweigh your interests in the personal data not being used for that purpose. If we are unable to provide compelling legitimate grounds that override yours, we will stop using the personal data you object to – provided we do not have to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.
You always have the right to object to, and unsubscribe/opt out from, direct marketing.
6.5 Right to withdraw your consent
You have the right to withdraw your consent for a specific processing at any time. You can withdraw your consent by contacting us.
Your withdrawal will not affect processing that has already been carried out.
6.6 Right to request restriction
Restriction means that the data is marked so that it may only be used for certain limited purposes. The right to restriction applies:
- 1.
when you believe the personal data are incorrect/inaccurate and you have requested correction. If so, you can also request that we limit our use while we investigate if the data are correct or not.
- 2.
if the use is unlawful but you do not want the personal data to be erased.
- 3.
when we no longer need the data for the purposes for which we collected it, but you need it to be able to establish, exercise or defend legal claims.
- 4.
if you object to the use. If so, you can request that we limit our use while we investigate if our interest in processing your data outweighs your interests.
Even if you have requested that we restrict our use of your data, we have the right to use it for storage, if we have obtained your consent to use it, to assert or defend legal claims or to protect someone’s rights. We may also use the information for reasons relating to an important public interest.
We will let you know when the restriction expires.
If we limit our use of your data, we will also inform those we have disclosed your data to (when applicable) - if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have disclosed your data to.
6.7 Right to data portability
If the processing is based on your consent or an agreement between us, you have the right to obtain personal data that you have provided to us in a structured, commonly used, machine-readable format and transfer it to another controller (“data portability”).
6.8 Right to opt-out of sale/sharing
If you are a resident of California, Colorado, Nevada, Utah, Virginia, or Connecticut, you have the right to opt out of the sale or sharing of your personal information to third parties.
The definition of a sale/sharing in California, Colorado, and Connecticut is: Any selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, of a consumer's personal information by the business to another business or a 3rd party for monetary or other valuable consideration.
The definition of a sale in Virginia and Utah is: Exchange of personal data for monetary consideration to a third party.
The definition of a sale in Nevada is: Exchange of personal data for monetary consideration to a recipient for that recipient to license or sell that information (such as the sale of information to data brokers).
To exercise your right to opt out of the sale or sharing of your personal information through cookies or other trackers, please visit our . To opt out of the sale or sharing of your personal information more generally, visit our web form.
6.9 Right to non-discrimination
You have the right to not receive discriminatory treatment if and when you exercise your data subject rights under applicable US State Privacy Laws.
6.10 Right to limit use of sensitive personal information
If you are a resident of California, you have the right to limit how we collect, use, and disclose your sensitive personal information to only what is necessary to perform the services or provide the goods reasonably expected by an average consumer, with some narrow exceptions. Sensitive information includes Social Security number, driver’s license number, biometric information, precise geolocation, and racial and ethnic origin.
6.11 Right to appeal
If you are a resident of Virginia, Colorado, or Connecticut and you submit a request to exercise any rights (under VCDPA, CPA, or CTDPA) and we do not take action on your request, you have the right to appeal our decision in accordance with the information provided in our privacy notice.
6.12 Right to opt out of profiling or targeted ads
If you are a resident of California, Virginia, Colorado, or Connecticut, you have the right to opt out of profiling or targeted ads under certain scenarios.
7. Do not track
We do not respond to Do Not Track (DNT) signals. DNT is a preference you can set on your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of your web browser.
8. Contacts
Polestar Performance AB is the primary point of contact for data subjects that wish to exercise their rights and the main responsible for providing information to data subjects, for the uses of data where the controller is a company in the Polestar Group. You are of course entitled to exercise your rights under the GDPR in respect of and against each controller mentioned in this policy.
Each controller’s identity and contact details are listed below.
Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096, with mailing address Assar Gabrielssons Väg 9, 405 31 Gothenburg, Sweden, and visiting address Polestar HQ, Assar Gabrielssons Väg 9, 418 78 Göteborg.
Polestar Automotive USA Inc is a US legal entity with company registration number 82-5420108 having its address at 1 Volvo Dr., Rockleigh, NJ 07647, United States. Polestar Automotive USA Inc is – within the joint controllership – generally responsible for marketing, sales and customer relations as well as market specific services in its market.
Polestar has appointed a Data Protection Officer for the Polestar Group who can be reached via e mail or via post as set out below:
E-mail address: dpo@polestar.com
Postal address: Polestar Performance AB, Attention: The Data Protection Officer, 405 31 Göteborg, Sweden
Prominate Ltd., a UK legal entity with company registration number 07795532, with address 21 Lombard Street, London, ECV3 9AH, United Kingdom.
9. Changes to this privacy policy
We reserve the right to change this privacy policy from time to time. We will inform you of any changes by posting the updated privacy policy on our website (including clarification of updates). If we make any material changes to our privacy policy, we will send a notification by e-mail and obtain your consent, if required. We encourage you to contact us if you have any questions about the privacy policy or about how we process your personal data.