Privacy Policy
Mobile online services (CONNECT)
“For us privacy is part of our core business. We design and make cars and mobility products that process big data to make your life enjoyable, so you can enjoy the best driving experience. We give you control at any time over your information and data, so that you, and only you, decide what to share, when to share, and who you share with. It’s a big value that remains our essence”.
1. GENERAL INFORMATION:
This Privacy Policy follows the provisions of regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data in Europe (hereinafter, “GDPR”); as well as the Spanish Data Protection Act 3/2018; and other regulations that complement it.
Personal data is any information that relates to an identified or identifiable natural person.
Processing means any operation or set of operations that are carried out on personal data or on sets of personal data, whether or not by automated means.
We will therefore explain below, in a clear and transparent manner, how and when we access, collect, share and protect your personal data arising from the use of a vehicle with internet access and when using our mobile online services.
2. DATA CONTROLLER:
SEAT, S.A.U. (referred to as SEAT and/or CUPRA) is the entity responsible for the data processing (Data Controller), with VAT number A-28049161, address at Autovía A-2, Km. 585, Martorell, Barcelona (Spain) and contact channels: customercare@seat.com / customercare@cupraofficial.com
3. USERS AND PRIVACY SETTINGS:
We manufacture connected vehicles that generate information and data. We also offer related services through our vehicle app and the CONNECT Online Services. Some services or features may also have their own privacy policies, as they can offer specific services and features in addition to the vehicle’s. If so, please read them before use.
Our vehicles are available to different kinds of users who may log into the vehicle under different roles. Some vehicle services may differ depending on the selected user role. Additionally, the privacy modes of the car allow you to select the desired privacy mode in order to enable or to interrupt the data transmission.
You can manage the user roles and the privacy settings via the vehicle's infotainment, and you can even completely limit the access and data transfer from the services, by selecting “Offline mode”. Communication may only be established to ensure the vehicle's general internet access or in the event of an accident, for activation of the “Emergency Call Service”.
Attention: If you are a fleet vehicle user and your vehicle is registered with and managed by a fleet operator (e.g. your fleet company or employer), the fleet operator is responsible for processing and transferring vehicle data (e.g. geolocation and maintenance data), even if you are in private mode, in order to provide certain contractual services. The fleet operator has the authority to restrict or override the privacy mode settings you have selected in the vehicle. In such cases, the data will be transferred to the fleet operator regardless of the current privacy mode settings. For more information about data processing when the vehicle is registered with a fleet, please contact your fleet operator.
4. TYPES OF PERSONAL DATA WE PROCESS:
Your vehicle is equipped with a SIM card and electronic control unit (ECU) that collects, generates and sends data generated by the vehicle's sensors, which is necessary for the vehicle to operate correctly, to activate certain comfort or infotainment features and to use the online services that you may purchase.
The type of data processed in your vehicle may include the following categories, which may be considered personal data when processed according to certain premises and under certain circumstances.
The specific data and purposes of the data processing depend on the vehicle equipment and the services used. Not all services may be available for your vehicle or your country. The features available in your vehicle and their functional scope can be found in the service description.
The list and specification of all the maximum available features, regardless of your vehicle model and the specific software version, is only for the purposes of this Privacy Policy and does not intend or lead to an expansion of the features or functional scope of your specific vehicle.
Vehicle identification number (VIN): Each vehicle has a unique identification number which can be used to identify the vehicle's owner.
Vehicle master data: Registration number, model, vehicle type, SIM number, IP address, etc.
Vehicle sensors and metrics: e.g. speed, mileage, acceleration, environmental conditions, tyre pressure, battery charge, braking system, etc. This data is necessary for the car’s proper functioning, maintenance, safety and conformity.
Vehicle settings and infotainment features: e.g. seat and steering wheel positions, chassis settings, climate control, driver assistance and driver information systems, instrument cluster and infotainment system settings, etc.
Vehicle location: For the use of legally required services (e.g. emergency call), as well as for some of the app or online services, we will process your GPS/position.
User accounts: Information about user accounts (personal identification) and vehicle logins.
Use of apps, devices and online services: Information about how you use your device (mobile app and vehicle), and the online services offered through it, including location.
5. PURPOSES AND LAWFUL BASES:
Your vehicle is factory fitted with a SIM card for internet access. IT communications are partly necessary to ensure basic functions of the car and are available for the vehicle to run in a technically safe and flawless manner. Additionally, if the vehicle is in online mode, certain data are transmitted from the vehicle to enable some additional services. You will find further information on the processing of data in connection with the use of your vehicle below.
5.1. Vehicle safety/communications
Your vehicle sends certain data to our IT systems or to the IT systems we use. Based on the data sent from your vehicle, we provide you with a service or content that is directly delivered to your vehicle or app. As a minimum, this always requires a technical assignment of a request to a service and to a vehicle. In addition, it is technically necessary for the telematic box (online connectivity unit) installed in the vehicle (which is necessary to establish vehicle connectivity) to be rebooted regularly and dialled into the local radio network so that the vehicle can establish an online connection, as well as connect to the data servers to check the validity and security of the vehicle communication certificates. This is the only way for secure communication with the data server to be established and cyberattacks from third parties to be counteracted.
Personal data processed:
Legal bases: Compliance with legal obligations as the vehicle manufacturer (Art. 6.1.c GDPR), as well as our legitimate interest in eliminating disruptions, maintaining system security and detecting the tracking of inadmissible access attempts (Art. 6.1.f GDPR).
5.2. Emergency Call Service
The “Emergency Call Service” works in online and offline mode and is available in the vehicle even if no mobile online services have been purchased for the vehicle. If you are involved in a traffic accident, an automatic emergency call will be sent to the rescue control centre. Sensors in the air bag and seatbelt tensioner enable the vehicle to detect when an accident has occurred and thus activate the legally required “Emergency Call Service”. You can also manually report your own emergency call at any time. When activated, a voice connection is established with the rescue control centre, via which – depending on the individual case – further data can also be called up and transmitted (e.g. on the type and severity of the accident).
Personal data processed:
Legal bases: Protecting vital interests (Art. 6.1.d. GDPR), as well as compliance with a legal obligation (Art. 6.1.c. GDPR).
5.3. Online Services (CONNECT)
CONNECT gives users a wide suite of online features for media, speech and navigation. E.g. vehicle health status, parking position, alerts and maintenance, routes and destinations etc. You can find out about the types of services and the terms of use of the CONNECT licence in the applicable T&C. To activate and use CONNECT Online Services, you will need to create a user ID account, download the vehicle app and enrol your vehicle. Once you become the main user, you can approve other car users that can also log in to enjoy and use some of the services. If the vehicle is used with the mobile online services activated, we will process personal data from the vehicle as required for the purpose of providing the services. When using mobile online services, the vehicle communicates with our data server. Privacy settings allow you to enable or restrict the connection and therefore the mode and use of personal data processing arising from the online services. (In particular, the use and sharing of the vehicle's GPS position). The services can also be activated and deactivated individually by each user. For instance, even before switching to another privacy level, services to be activated and deactivated for that level can be selected. For more information about the online services available in your vehicle, please consult our official website or contact us via our Customer Service.
Personal data processed:
Legal bases: Performing the CONNECT contract. (Art. 6.1.b GDPR), for the main user; and for all other users, our legitimate interest in providing the online services for all users permitted by the main one (Art. 6.1.f GDPR).
5.4. Identification process and AutoIdent
An identity check is required before using mobile online services that allow access to the vehicle (such as “Lock & Unlock”). AutoIdent is an identification solution that enables you to identify yourself online and in real time. Your biometric data must be processed for this purpose. You will need to upload a machine-readable identification document, such as an identity card, passport or driving licence (depending on the applicable requirements in the customer’s country) and record a short selfie video. The AutoIdent software then automatically checks the authenticity of the document and compares it with the video to ensure you are the person who wishes to be identified. As soon as your identity has been checked successfully, you will be able to verify your identity online and use mobile online services, such as those permitting access to the vehicle. Data will be stored for evidence purposes and erased after a maximum of thirty (30) days.
Personal data processed:
As an alternative, the identification process can be carried out on site at any authorised workshop if it offers this service. On site, our Authorised Service workshop will require your driving license and check and compare your data.
Legal bases: Your previous consent via the SEAT or CUPRA app. (Arts. 6.1.a and 9.2.a GDPR).
5.5. Customer Interaction Centre (Customer Service)
As an alternative, the identification process can be carried out at any authorised workshop as long as it offers this service. Our Authorised Service workshop will require your driving licence in order to check and compare your data. If you have any doubts or queries about our digital products or services, please contact the Customer Interaction Centre (“CIC”) regarding our apps, services and websites (e.g. by post, email, contact form or telephone).
Personal data processed:
Legal bases: Our legitimate interest (article 6.1.f GDPR) in managing your requests and contacting you to fulfil your specific request, enquiry or claim.
5.6. Vehicle updates
In order to ensure the long-term use of the vehicle’s infotainment system, keep the pre-installed in-car apps in the current state of the art, as well as resolve software and technical gaps, the vehicle must receive automatic online remote updates (ORU) regularly. For this, we need to access the vehicle’s master data. These updates require final confirmation for downloading and installing, unless you have selected the option for receiving automatic software downloads in the app. The infotainment system will not be fully operational and unrestricted until the update process has been completed. Data will be kept anonymised after processing without reaching individualised conclusions. You can block these updates by selecting the offline mode.
Personal data processed:
Legal bases: Our legitimate interest in enabling the ORU for resolving vehicle gaps is to ensure vehicle conformity (Art. 6.1.f GDPR) and your specific consent (Art. 6.1.a GDPR), if you are enrolled in the car and you select the option to receive and download automatic vehicle updates.
5.7. Vehicle developments and innovations
We will analyse your vehicle's information and data related to the systems of the vehicle with the aim of improving some services and features, such as semi-automated driving, advanced driver assistance features (ADAS), electric charging services and infrastructure, and the vehicle's infotainment and media system. For this, we will collect your data based on specific campaigns in a specific, previously-defined term and scope previously. We will not use this data to create profiles or evaluate them based on individualised vehicles. Furthermore, no data attributes will be used to create profiles or draw conclusions about your behaviour or behaviour patterns during the use of your vehicle. As soon as this information has been collected, appropriate security measures will be applied to ensure the security of the data processed, including, if possible, its pseudo-anonymisation or anonymisation, unless this is strictly necessary for imperative reasons.
Personal data processed:
Legal bases: Your previous consent though the app's services. (Art. 6.1.a GDPR).
5.8. Vehicle alerts, maintenance and conformity
We will monitor the vehicle’s status and the alerts transmitted by it in order to ensure safety-related aspects and also to detect possible errors, analyse them, propose and implement improvements and solutions. Once collected, these data may be linked to technical production data and previous visits to the garage, in order to draw conclusions that are important for the safety and proper functioning of the vehicle. Appropriate security measures will always be applied to ensure the security of the data processed, including its anonymisation, unless this is strictly necessary for imperative reasons. Additionally, data may be processed by us, as well as by the Importer in your country in case of roadside or vehicle’s maintenance events and may be communicated to the Official Service Network (dealers and garages) and other third parties such as insurance companies (in case of accidents or breakdown incidents), in order to manage the services, repairs and assistance activities.
Personal data processed:
Legal bases: Your previous consent though the app's services. (Art. 6.1.a GDPR).
5.9. Fraud, legal and tax compliance
We process your data in order to support law enforcement authorities in the event of vehicle theft by tracking vehicles, for the prevention of fraud and money laundering, for the prevention, control and investigation of terrorist financing and criminal offences that endanger assets, comparisons with European and international anti-terror lists, for compliance with control and reporting obligations under environmental, digital/consumer, or tax law, the archiving of data and as part of official/judicial measures for the purposes of gathering evidence, law enforcement and enforcing civil claims. As manufacturers, we also use operating data from the vehicle for liability issues, such as vehicle recalls. This data may also be used to review warranty and guarantee claims by customers.
Personal data processed:
Legal bases: Compliance with legal obligations (Art. 6.1.c GDPR), as the vehicle manufacturer, as well as our legitimate interest (Art. 6.1.f GDPR) in ensuring safe purchasing of our products.
5.10. Data analytics and data licensing
We may process your data and communicate it to Volkswagen Group entities for the purpose of quality control and optimising our internal group sales and after-sales processes and channels (e.g. to build new data products). As soon as this information has been collected, appropriate security measures will be applied to ensure the security of the data processed, including, if possible, its pseudo-anonymisation or anonymisation, unless it is strictly necessary for imperative reasons.
Personal data processed:
Legal bases: Our legitimate interest (Art. 6.1.f GDPR) in optimising our after-sales processes, as well as the execution of contractual measures (Art. 6.1.c GDPR). For more information, please contact us at dataprotection@seat.es.
6. ARTIFICIAL INTELLIGENCE
SEAT/CUPRA leverages the power of artificial intelligence (AI) in many of our products and services. We may use Artificial Intelligence (AI) and machine learning technologies in various aspects of the vehicle’s related services to deliver more efficient and personalised content. AI allows us to analyse data efficiently and enhance the user experience, improving functionality in certain services such as the vehicle’s online predictive maintenance, online voice control or remote authentication (autoident).
The use and implementation of AI, as well the collection and use of personal data is subject to the applicable EU legal and compliance framework. We implement technical and organisational security measures to ensure that data processed by our AI technologies is protected against unauthorised access, alteration, disclosure or destruction.
7. DATA STORAGE
We store your data for as long as necessary in order to fulfil the purposes for processing personal data as described in this privacy policy (e.g. providing our online services to you, as long as we have a legitimate interest to do so or in order to comply with a legal obligation). We only store the data that we require for the respective purpose. As soon as personal data is no longer required for the purpose(s) for which it was collected, we pseudonymise or anonymise the data that is processed beyond the provision of our services until it is deleted. Under certain circumstances, your data may also need to be retained for a longer period of time, such as when a legal hold applies in connection with an administrative or judicial proceeding.
As part of the Volkswagen Group (VW), we use data servers provided by the Volkswagen Group, which also provides maintenance and technical support for the IT systems.
8. DATA RECIPIENTS
As part of the Volkswagen Group, we give access to your data to other VW companies and third parties such as IT service providers, acting as data processors and subprocessors for the purpose of being able to offer certain online functions and services related to your vehicle.
Third-party services: You may be able to connect your smartphone to the vehicle in order to control it through the in-vehicle system (using apps such as Android Auto or Apple CarPlay). This integration allows the use of selected smartphone apps. This data processing is determined by the provider of the respective app. More information is available in the respective app and/or your smartphone's operating system. Additionally, according to certain premises, you may be able to use apps for which third parties are responsible, for example, Google or Spotify, Apple etc.
We will also be able to communicate your personal and vehicle data to our official Dealer & Service Network, acting as independent data controllers, in the following cases:
Vehicle recalls: In cases, covered by law, such as vehicle repairs and legal recalls.
Online vehicle maintenance: If you have voluntarily selected an Official Dealer or Service in the app, they will be able to receive automatic maintenance alerts regarding your vehicle, including alerts based on the vehicle's predictive models, in order for them to detect the corresponding maintenance actions and schedule a service arrangement with you.
Concluding sales process: If you were advised by your Service Partner, when your contract is concluded for mobile online services, the Service Partner will receive a premium payment. This is processed via the sales company (the Importer in your country) responsible for your country. For this purpose, the Service Partner and the Importer receive the VIN to assign the premium payments to the respective contracts and receive the corresponding payment. (art. 6.1 f. GDPR).
9. DATA TRANSFERS
Generally, all of the processing of your data will be carried out within the European Economic Area or it will receive the same level of protection as in the European Economic Area. In this sense, we inform you that our Entity, as part of the VW Group, has contracted some subprocessors such as SalesForce, Inc. Amazon Web Services (AWS) and Microsoft Corporation in order to provide data hosting services. These companies encrypt the data and process it exclusively on data servers located in the European Union. As these entities are based in the US, access to the data from the US cannot be ruled out. Therefore, the US has been declared to have an adequate level of protection according to the European Commission and these entities are members of the Data Privacy Framework. For more information, please visit this link: https://www.dataprivacyframework.gov/.
10. DATA PROTECTION RIGHTS
Right to Access: You can obtain confirmation as to whether SEAT/CUPRA processes your personal data, as well as consult your personal data included in our files.
Right to Rectification: You may modify your personal data if they are inaccurate, as well as complete data if they are incomplete.
Right to Erasure: You may request the elimination or erasure of your personal data when, among other reasons, the data are no longer necessary for the purposes for which they were collected.
Right to Object to processing: You can ask for your personal data not to be processed. SEAT/CUPRA will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.
Right to Restrict processing: You may request the limitation of the processing of your data in the following cases:
Right to Portability: You can receive, in electronic format, the personal data that you have provided to us and the data that has been obtained from your contractual relationship with SEAT/CUPRA, as well as transmit them to another entity.
Right to Withdraw consent: If you have given us your consent to process your data for any purpose, you also have the right to withdraw such consent at any time.
The exercise of these rights is free of charge except in the case of manifestly unfounded or excessive requests. In the event of reasonable doubts about your identity, we may ask you for additional information in order to confirm your identity and thus be able to respond to you.
Note: We process the VIN to offer certain features and services related to your vehicle. This means that we are only obliged to fulfil your rights if, when exerting your rights, you have provided us with additional information which puts us in a position to be able to fulfil your right, according to art. 11 of the GDPR.
Contact channels: You can manage your privacy and personal data at any time in the vehicle’s infotainment and in the User ID Portal: https://cupraid.vwgroup.io/. If you prefer, you can also contact customercare@seat.com or customercare@cupraoffical.com directly. If you wish to assert your data protection rights against the Importer or their Dealer and Service Partner networks, please contact them directly.
Finally, if you consider that we have not processed your personal data in accordance with applicable law, you can lodge a complaint with a supervisory authority, in Spain the Spanish Data Protection Authority, www.aepd.es.
11. DATA PROTECTION OFFICER
If you have any doubts about data protection or wish to get in touch with our data protection officer (“DPO”), please send an email to dataprotection@seat.es.
12. PRIVACY POLICY CHANGES
We may update our Privacy Policy from time to time. We encourage you to review the Privacy Policy periodically for any changes. Changes become effective when they are posted on the website/app.
Version: January 2025