Volvo Cars App Privacy Notice
Effective from:
Published at:
This document describes how Volvo Cars (as defined below), and sometimes other entities, processes your personal data or personal information (collectively referred to in this document as "personal data") when you use the Volvo Cars mobile application (hereinafter "Volvo Cars App") that keeps you connected to your Volvo vehicle.
The Volvo Cars App has several functionalities, which entail different types of personal data processing, as we will explain below. Depending on your market and the type of subscription you have, these functionalities can be grouped as follows:
- Volvo Cars services – this includes the aspects mentioned under sections 2.1 (When you use the Volvo Cars App), 2.2 (Volvo Cars remote vehicle services), 2.3 (Driving Journal), 2.4 (Charging), 2.5 (Car sharing with Guest functionality), 2.6 (App Analytics), 2.7 (Research and development), 2.8 (Your subscription for the Volvo Cars App) below.
You can find the following information below:
- Who is responsible for the processing of your personal data;
- Personal data collected, why, and for how long;
  - 2.1 When you use the Volvo Cars App
  - 2.2 The Volvo Cars remote vehicle services
  - 2.3 Driving Journal
  - 2.4 Charging
    - 2.4.1 Public charging
    - 2.4.2 Plug & Charge
  - 2.5 Car sharing with Guest functionality
  - 2.6 App Analytics
  - 2.7 Research and development
  - 2.8 Your subscription for the Volvo Cars App
  - 2.9 When you get in touch with us
  - 2.10 Marketing communications
- How your personal data are shared;
- Your rights in relation to the processing of personal data;
- Children's Privacy;
- Information Security;
- Contact information;
- Changes to our Privacy Notice.
1. Who is responsible for the processing of your personal data
The responsibility for the processing of your personal data in the Volvo Cars App is divided as follows:
- The entity responsible for the main processing of personal data in relation to Volvo Cars remote vehicle services, Driving Journal, Car sharing with Guest functionality, App Analytics, and Research and development, is Volvo Car Corporation, having its registered office at Assar Gabrielssons Väg, SE-405 31, Gothenburg, Sweden, company registration number 556074-3089, hereinafter referred to as "Volvo Cars." For the purposes of GDPR, Volvo Car Corporation is a data controller for these purposes. Volvo Car Canada Limited is hereinafter referred to as "National Sales Company" as its Service Provider. For the purposes of Canadian law and as pertaining to information of Canadian residents, Volvo Cars facilitates the operation of the App and the collection of information through it for the benefit of Volvo Car Canada Limited, having its registered office at 9130 Leslie St. Suite 101, Richmond Hill, Ontario, Canada, and General Privacy Notice.
- The entity responsible for the processing of personal data when you get in touch with us, as well as for marketing communications, is the National Sales Company.
2. Personal data collected, why, and for how long
As mentioned previously, the Volvo Cars App comes with a number of different functions depending on your car model and your market – some of the functions described below might not be applicable to you.
2.1 When you use the Volvo Cars App
When you use the Volvo Cars App, we automatically collect data about your use of the Volvo Cars App in order to monitor its functioning and undertake troubleshooting measures when necessary. In order to do this, we use information such as device information (e.g., device manufacturer, app installation ID), general vehicle information (e.g., vehicle model and type, year, user country) and usage data (e.g., clicks, views and potential issues or errors). This processing is necessary for our legitimate interest to provide you with a secure and functioning Volvo Cars App. The information used for this purpose is retained for 30 days from collection.
2.2 The Volvo Cars remote vehicle services
To activate the remote vehicle services through the Volvo Cars App, we collect personal identifiers (such as your first and last name, phone number, Volvo ID (e-mail address), vehicle identification number (VIN), unique device identifier, and push notification token) and commercial information such as purchase history (ownership period, any subscription services in which you are enrolled, and the model and year of your vehicle and corresponding vehicle specifications).
We use this information to provide the Volvo Cars remote vehicle services, such as the ability to control your vehicle remotely (e.g. pre-climatization, unlock/lock doors, remote start/stop of engine, current outside temperature, receive theft alarm notifications) and to view the status of your vehicle (e.g. fuel level, windshield washer fluid levels, brake fluid levels, door lock status, tire pressure or maintenance warnings, battery status, or other vehicle status indicators).
We also use this information to send push notifications within the Volvo Cars App related to upcoming maintenance and service reminders for your vehicle. For hybrid and full electric cars, we store data of the charging location to be able to offer a convenient way to schedule the charging. We collect your vehicle location information as well as the location of your mobile device (if you allow this), for you to use the map functionalities in the Volvo Cars App, and to show you your position relative to your Volvo on the map.
Wherever you are not asked specifically whether you agree to any data processing (of which you have been notified in this privacy policy), for the purposes of GDPR the reason why we process this data is in order to perform our contract with you (Art. 6.1. (b) GDPR).
If, through your mobile settings, you grant us access to your location data, calendars, and contacts, we will process this data to supply an easy way for you to send the location of a point of interest from your phone to the car based on your contact list, calendar events, or search results. For the purposes of GDPR, the legal basis for this processing is your consent (Art. 6.1.(a) GDPR). This data is not stored in the Volvo Cars App and we do not see it. When allowing access from your phone to other people's data, make sure that they have consented to this.
When your Volvo Cars subscription comes to an end, the details linked with this service, including your personal data, will be deleted after ninety (90) days, unless there is a legal requirement for us to retain certain data. Note that the Volvo Cars subscription follows the car; therefore, if there is a change of ownership you, as a seller, are responsible for disconnecting your car from the app and getting your data deleted. This also applies for the registered primary driver in the case of a car lease. Follow this link for instructions.
2.3 Driving Journal
The Volvo Cars App allows you to choose to log your driving journal. This may be useful to you if, for example, you expense your mileage. The Driving Journal must be activated by you; otherwise, it stays inactive and the data is not collected.
If you do activate the Driving Journal, we collect from you your personal identifiers (such as first and last name, phone number, e-mail address, and VIN) and collect your vehicle location information automatically through your vehicle telematics (start and stop, or continuously, depending on the type of car, as described below) to identify each trip, including trip-related information (time, distance, fuel and/or electricity consumption, electricity generation if hybrid) and mileage. For gasoline and diesel cars, the driving journal only contains the start and finish positions of each driving cycle. However, if you have a hybrid/twin-engine model, the driving journal also includes information about routes taken.
For the purposes of GDPR, we process this data based on your consent (Art. 6.1.(a) GDPR).
As a rule, Driving Journal data is stored for 100 days. In special situations, such as cars benefiting from the , the Driving Journal data is stored for 500 days.
You can deactivate the Driving Journal at any time, and in this case the data will stop being collected. This does not, however, automatically trigger the deletion of previously collected information, which is retained and subject to deletion as previously described.
2.4 Charging
2.4.1 Public charging
2.4.2 Plug & Charge
Plug & Charge allows you to charge at a public charger without using an app, RFID or card. Compatible charging stations can identify your vehicle and verify your charging contract without any manual input, which means that you can start charging by just plugging in the cable.
When you use Plug & Charge, we process the following personal data:
- VIN;
- PCID (Provisioning Certificate ID); and
- Contract certificate.
The processing of your personal data in relation to Plug & Charge is necessary to manage our agreement with you.
We will retain the aforementioned data until the contract certificate is removed from the vehicle.
2.5 Car sharing with Guest functionality
When using the car sharing with Guest functionality available through the Volvo Cars App, Volvo Cars processes the following personal data:
- Your and your guest's Volvo ID - for identification and to make it possible to save your individual settings separately.
- Your and your guest's mobile phone number - to send invitations to guests through SMS.
- Car model, model year, car color, license plate, and location of the car to make it easier for the guest to find the car.
- Car door lock status to open and lock the car and make sure that the car is locked after use.
- Driving journal data (if enabled) of guest trips is available for both the guest and the Primary driver; all driver journal data for the car is only available for the Primary driver.
The legal basis for the processing of your data is your contract with us (Art. 6.1. (b) GDPR), while the legal basis for the processing of the guest's personal data is our legitimate interest (Art. 6.1. (b) GDPR) to give you the benefit of the car sharing functionality.
We will retain this personal data until 1) the guest is removed by the primary driver, 2) according to driver journal retention rules or 3) until the subscription comes to an end, whichever comes first.
2.6 App Analytics
We measure how our app is being used in order to better understand user behavior and improve the usability and reliability of the app, as well as to gain insights into how the services are used and to improve your experience of these services. We do this by using Google Analytics (in restricted processing mode), and we automatically collect and process personal identifiers, including your device ID, device IP address (pseudonymized immediately after collection), Volvo ID, and vehicle connection status. For more information on how Google Analytics collects and processes information, please visit: https://www.google.com/policies/privacy/partners/. For information about how to opt out of having certain of your information used by Google Analytics, visit: https://tools.google.com/dlpage/gaoptout/.
For the purposes of GDPR, the legal basis for this data processing is our legitimate interest (Art. 6.1.(f) GDPR) to improve the usage and experience of our app and our services. In jurisdictions where legitimate interests are not a basis for processing personal data, this information is processed with your consent.
This data will be stored by us for fourteen (14) months from collection.
2.7 Research and development
For research and development purposes to better understand how to improve our products and services and which new ones to develop, we use a data-driven approach and leverage automatically collected vehicle information (such as VIN), product (such as Volvo Cars App usage (such as how often the Volvo Cars App is used and when)), customer personal identifiers (such as Volvo ID, e-mail, and phone number) and commercial information, which is sales data (such as selling or servicing retailer) to inform the direction of the development of our products and services. The processing spans a wide range of analytics, modeling and research performed by our analysts and data scientists.
Volvo Cars conducts analytics for trends in order to model or improve its services, which does not involve building consumer profiles to use in providing services to another business.
The National Sales Company conducts analytics for trends and models, as above, and also uses customer personal identifiers (such as Volvo ID, e-mail, and phone number) and commercial information/sales data (such as selling or servicing retailer) to model or improve its services and also to make determinations and inferences from your information for the purpose of marketing.
For the purpose of GDPR, the legal basis for this processing is our legitimate interest (Art. 6.1.(f) GDPR). Where possible, we restrict analyses to anonymized or pseudonymized data. The processing does not include any automated processing concerning you. In jurisdictions where legitimate interests are not a basis for processing personal data, this information is processed with your consent.
We retain this data for ten (10) years.
2.8 Your subscription for the Volvo Cars App
If you have a subscription for the Volvo Cars remote vehicle services, you will get the opportunity to renew this service in the Volvo Cars App. When you do this, as well as to manage your subscription, we collect from you and process your personal identifiers (such as first and last name, phone number, e-mail address, and VIN) and commercial information, which is your purchase status and history. The purpose of our processing is to administer and monitor your purchase (from purchase to delivery), including any necessary contacts with the authorities for official reporting, administration of your request for related services, follow-up on the delivery, and communication of updates related to the services that you have purchased. We use a third-party payment provider to facilitate payment processing through another third-party payment processor, which is a separate processing of your personal data by them; you can read more about the privacy practices of our payment processor in section 3 below.
For the purpose of GDPR, the legal basis for our processing of your personal data is that this processing is necessary for the performance of our contract (Art. 6.1. (b) GDPR) with you.
We will retain your personal data for ninety (90) days after your Volvo Cars subscription has expired, in order to enable continuation of the service if you choose to resubscribe. In addition, we will archive data relating to your purchase for ten (10) years in order to comply with accounting and financial reporting legislation – this is a legal obligation (Art. 6.1. (c) GDPR).
2.9 When you get in touch with us
When you use the contact option in the Volvo Cars App, the National Sales Company will collect from you and process your personal identifiers relevant for the channel you use (such as first and last name, phone number/e-mail address, VIN, unique device identifier, and push notification token), as well as any data you supply in connection with your enquiry.
The data related to your requests will be retained for thirty-six (36) months from the receipt of your enquiry.
2.10 Marketing communications
Through the Volvo Cars App you can receive marketing communications related to the Volvo Cars products, if you have consented to this. To do this, the National Sales Company collects from you and processes your personal identifiers (such as first and last name, phone number, and e-mail address), your vehicle specification information (such as model, engine, and VIN), and personal identifiers, such as Volvo ID data and device ID, in order to tailor the marketing to the products and services you use.
You can opt out of receiving e-mails at any time by clicking the "unsubscribe" button included in all marketing e-mails or by contacting us at the contact information provided here. You can opt out of receiving phone or SMS marketing communications by [opt-out method] or replying STOP to such SMS marketing communications.
If you withdraw your consent, as described above, the processing of your relevant data will be restricted to operating a suppression list in order to make sure you don't unintentionally receive marketing communication.
3. How your personal data is shared
The processing by Volvo Car Corporation mentioned above involves the processing of your personal data with the following categories of third parties, on a need-to-know basis:
Processing by processors
Our categories of processors that support delivering the Volvo Cars App are:
- cloud connectivity service provider;
- data hosting;
- push notifications;
- distribution of e-mails;
- chat functionality and customer care handling; and
- subscription invoice handling provider.
They are limited by contract in their ability to use your personal data for any purpose other than to provide services for us in compliance with each data processing agreement in place. In some of these situations the use of processors involves limited transfers of personal data outside of the European Union, Canada, or your jurisdiction of reference. We have taken precautions that such transfers are limited to the minimum necessary.
Sharing with other members of the Volvo Car Group
Data mentioned under sections 2.7 and 2.8 above are collected via the Volvo Cars App on behalf of the National Sales Company, for the following purposes:
- Assessing retailer performance;
- Customer care;
- Research and Development;
- Marketing segmentation;
- Assessing subscription extensions and reactivations.
Sharing with other third parties (separate controllers)
We process payments through third parties that collect payment data directly from you and do not share it with us:
- A service provider that facilitates our payment processing through Stripe Inc and Ken Cook (provider of payment service, billing, invoicing and subscription administration). You can view their privacy policy at https://stripe.com/en-se/privacy
The Volvo Cars App uses Google Maps to show your location and your car's location to be able to utilize the "send destination to car" function, to suggest the closest route to a destination, and to show the car location. You can view their privacy policy at https://policies.google.com/privacy.
General sharing
We may share the personal data collected from the Volvo Cars App in the following circumstances:
- as a result of a change in our corporate structure: in the event that we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, acquisition, sale, joint venture, assignment, consolidation, transfer, change of control, or other disposal of all or any part of our business, assets, or stock, we would share any personal data collected about you with third parties, including the buyer or target (and their agents and advisors) for the purpose of facilitating and completing the transaction. We would share personal data with third parties if we undergo bankruptcy or liquidation, in the course of such proceedings.
- to prevent harm: we will share personal data if we believe it is necessary to detect, investigate, prevent, or act against illegal activities, fraud, or situation(s) involving potential threats to the rights, property, or personal safety of any person.
- for legal purposes: we will share personal data where we are legally required to do so, such as in response to court orders, law enforcement, or legal process, including for national security purposes; to establish, protect, or exercise our legal rights, as required to enforce our terms of service or other contracts; to defend against legal claims or demands; or to comply with the requirements of any applicable law.
- with your consent: apart from the reasons identified above, we may ask for your permission to share your personal data for a specific purpose. We will contact you and ask for your consent before you give us your personal data or before the personal information you already provided is shared for such purpose.
4. Your rights in relation to the processing of personal data
4.1 Your rights under GDPR
As a data subject, you have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. These are briefly explained below, and you can exercise them by filling out the dedicated form indicated below.
- Right to withdraw consent: Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment with effect for the future.
- Right to access your personal data: You may ask us for information regarding personal data that we hold about you. We will provide you with a copy of your personal data upon request. If you request further copies of your personal data, then we can charge you a reasonable fee that we base on administrative costs. You have the right to information about our safeguards for the transfer of your personal data to a country that is outside the EU and the EEA if you request that we confirm whether or not we process your personal data and we transfer your personal data to a country that is outside the EU and the EEA.
- Right to rectification: You may obtain our rectification of incorrect or incomplete personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.
- Right to restriction: You may obtain our restriction of the processing of your personal data, if:
  - you contest the accuracy of your personal data, for the period we need to verify the accuracy,
  - the processing is unlawful and you request the restriction of processing rather than erasure of your personal data,
  - we no longer need your personal data for the processing purpose but you require them for the establishment, exercise, or defense of legal claims, or
  - you object to their processing while we verify whether our legitimate interests override yours.
- Right to portability: You have the right to receive your personal data that you have provided to us and, where technically feasible, to request that we transmit your personal data (that you have provided to us) to another organization, if:
  - we process your personal data by automated means;
  - we base the processing of your personal data on your consent or our processing of your personal data is necessary for the execution or performance of a contract to which you are a party;
  - your personal data are provided to us by you; and
  - your right to portability does not adversely affect the rights and the freedoms of other persons.
- You have the right to receive your personal data in a structured, commonly used and machine-readable format. Your right to receive your personal data must not adversely affect the rights and the freedoms of other persons. You hold the right to have your personal data transmitted from us to another organization if such transmission is technically feasible.
- Right to erasure: You have the right to request that we delete the personal data we process about you. We must comply with this request if we process your personal data, unless processing is necessary:
  - for exercising the right of freedom of expression and information;
  - for compliance with a legal obligation that requires processing by European Union or Member State law or other applicable law to which we are subject;
  - for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes; or
  - for the establishment, exercise, or defense of legal claims.
- Right to object: You may object to the processing of your personal data at any time due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing, or for the establishment, exercise, or defense of legal claims. If you object to the processing, please specify whether you also request the erasure of your personal data; otherwise we will only restrict it. You also have the right to object at any time, regardless of the reason, to the processing of your personal data for direct marketing (which includes profiling to the extent that it is related to such direct marketing), if such processing was based on our legitimate interest. If the marketing was based on your consent, you can withdraw consent (see above).
- Right to lodge a complaint: You can lodge a complaint with your local data protection supervisory authority or with any other data protection authority in the EU. However, we would appreciate it if you first contact us to try and solve your problem – you can find our contact details below.
You can exercise your rights in relation to us by filling out this form, which will help us to deal with your request properly. The online form contains the information that we need to verify your identity and review your request. For requests submitted by telephone or email, you will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected and describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and deletion requests with the information provided, we may ask you for additional pieces of information.
You can exercise these rights in relation to all of the joint controllers mentioned in this notice.
4.2 Your rights under Canadian law
If our processing of your personal data is subject to Canadian law, the following section applies to you:
- Accessing and correcting your personal data: For residents of Canada, you have a right to request access to your personal data and to request a correction to it if you believe it is inaccurate. If you would like to have access to the personal data we have about you, or if you would like to have it corrected, please fill out this form, which will help us to handle your request properly. In some cases, we may not be able to allow you to access certain personal data in certain circumstances: for example, if it contains personal data of other persons, or for legal reasons. To help protect against fraudulent requests for access to your personal data, we may ask you for information to allow us to confirm that the person making the request is you or is authorized to access your information before granting access. You will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected, and you must describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and correction requests using the information provided, we may ask you for additional pieces of information.
- Right to withdraw consent: If you have given consent for the processing of your personal data, you may withdraw your consent with effect for the future. Please note that if you withdraw consent that is necessary for us to provide you with products or services, we may no longer be able to provide those products or services to you. You may withdraw any consent you have provided to our use of personal data to market to you without withdrawing consent needed to provide our goods and services. Your withdrawal of consent does not have retroactive effect, and there may be cases where we are permitted under the applicable law to process certain personal data without consent.
- Car sharing with Guest functionality: You may only provide the contact information of friends or family if you have received permission to provide their e-mail address or phone number to us. You may only provide contact information of friends with whom you have had direct, voluntary two-way communication and for whom it is reasonable to conclude that you have a personal relationship, considering shared interests, experiences, opinions, and other relevant factors. You may only provide contact information of family members to whom you are related by marriage, common-law partnership, or a parent-child relationship and with whom you have had direct, voluntary two-way communication.
- Security: In order to help prevent unauthorized access to or disclosure of personal data, we have put in place physical, electronic, and organizational procedures to help safeguard and secure the personal data we collect. Personal data may be accessed by persons within our organization or our third-party service providers who require such access to carry out the purposes described in this Privacy Notice or are otherwise permitted or required by applicable law. Personal data we collect is managed from our offices in the United States and the European Union. Even though we have taken steps to help protect the personal data in our control, you should know that we cannot fully eliminate security risks associated with personal data. No security measures can provide absolute protection. We cannot ensure or warrant the security of any information you provide to us.
- International Data Transfers: Personal data that we collect may be stored and processed in Canada or any other country in which we or our service providers maintain facilities, including in the United States and the European Union. Personal data processed and stored in another country may be subject to disclosure or access requests by the governments, courts, or law enforcement or regulatory agencies in that country, according to its laws. By providing us with personal data, you consent to any such transfer of information outside of your country.
5. Children's Privacy
Our products and services are not intended to be used by children. We do not knowingly solicit or collect any personal data about children under the age of sixteen (16) or knowingly allow children to order our products, communicate with us, or use any of our online services or mobile applications. If a child has provided us with personal data, a parent or guardian of that child may contact us to have that data deleted from our records. If you believe that we might have any data from a child under the age of sixteen (16), please tell us using the Contact Information listed below. We will take all reasonable steps to delete the child's data as soon as possible except where necessary to protect the safety of the child or others as required by law. We do not have actual knowledge that we sell the personal data of minors under the age of sixteen (16).
6. Information Security
To protect your personal data from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures, including, for certain data, 256-bit encryption, access controls, and secure development processes. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.
7. Contact information
In order to exercise your rights, please see section 4 above. If you have any other questions regarding the subject matter of personal data protection, you can contact us at the following contact details:
Volvo Car Corporation
Data Protection Officer
Mailing address: Assar Gabrielssons väg, SE-405 31, Gothenburg, Sweden
Email address: globdpo@volvocars.com
8. Changes to our Privacy Notice
We reserve the right to modify our privacy practices and update and make changes to this privacy notice at any time and at our discretion. Whenever we make substantial changes to this notice, and in particular when this notice underlies your consent, we will inform you of the changes. This privacy notice is current as of the date which appears at the top of the document.