Last Updated: October 2017
OnStar Europe Limited (“OnStar”) and its affiliates (collectively, “OnStar” or “we”) provide this Privacy Statement to let you know how we collect, use, and share your information when you use OnStar connected vehicles, products, and services (products and services). This Privacy Statement applies to the products and services offered by OnStar, but excludes products and services with separate privacy statements that do not incorporate this Privacy Statement.
OnStar is the company responsible for data protection (the “data controller”). It is a UK company located at Griffin House, UK1-101-135, Osborne Road, Luton, United Kingdom, LU1 3YT and with Companies House number 8582207 and VAT number GB170 0812 43.
OnStar is a subsidiary of General Motors Holdings LLC (“GM”), 300 Renaissance Drive, Detroit, Michigan 48243 USA. We share information with GM and its subsidiaries and affiliates, including but not limited to OnStar LLC (collectively, the “GM family of companies”). When GM and its controlled subsidiaries and affiliates in the United States, including OnStar LLC, (“OnStar U.S.”) receive personal information from OnStar, it is shared in compliance with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the European Economic Area or Switzerland. Please visit the OnStar U.S. privacy statement available at http://www.onstar.com/privacy.com for further information.
Key points about our information practices:
We may collect information about you and your vehicle, such as name, address, vehicle diagnostics, and vehicle location, through your use of our products or services, and through dealers and others who provide information to us. See below to learn more.
We may use your information to improve the quality, safety, and security of our products and services, to develop new products and services, and for marketing. See below to learn more.
We may share your information to provide you with products and services, to improve the quality, safety, and security of products and services, to comply with applicable law, to respond to your requests, and to allow recipients to use for marketing or other purposes subject to your consent where required. See below to learn more.
You have choices regarding how we use and share your information for marketing and other purposes. See below to learn more.
You have rights under applicable data protection law regarding your personal data processed by us. See below to learn more.
Given the nature of our products and services, there may be times when someone other than you is using one of the products and services we provide to you (for example, you let someone else drive your vehicle). We rely on you to inform such person about this Privacy Statement and the privacy choices you have made. See below to learn more.
Cookies and Tracking
Third Party Products and Services
In connection with our products and services, you may be offered the opportunity to use third party products and services that are not owned or controlled by OnStar and are governed by separate user terms and privacy statements. See below to learn more.
Access and Update
You may access your online accounts to update your information or you may contact us to learn about how to do so. See below to learn more.
We maintain reasonable and adequate security controls to protect your information and require our service providers by contract to do the same. See below to learn more.
We keep information for as long as necessary to provide our products and services, operate our business, and comply with legal obligations. See below to learn more.
We do not target or knowingly collect any information from children under the age of 13. See below to learn more.
International Data Transfers
We maintain appropriate protections for cross-border transfers as required by law for international data transfers. See below to learn more.
We will notify you of any material changes by posting the updated version of this Privacy Statement and taking other steps as needed. See below to learn more.
Please contact us by mail, email, or phone with any questions. See below to learn more.
Information we may collect
We may collect the following information through your use of the products and services, and otherwise with your consent if required.
We may also collect your information from GM, our dealers, licensees, partners, service providers, your vehicle’s manufacturer, and independent third party sources.
The types of your information that we may collect include:
Information about you and your accounts with us: such as your name, address, telephone number, date of birth, e-mail address, login information, password, PIN, emergency contact information, information about the acquisition and financing of your vehicle, like whether or not you have financed or leased your vehicle, the lease/financing term, and billing information, like your credit card number, CVV code and expiration date.
Information about your vehicle: such as license plate number, vehicle identification number (VIN), mileage, oil/battery status, fuel or charging history, electrical system function, gear status, diagnostic trouble codes, and information about software updates that have been sent to your vehicle.
Information about the use of your vehicle, including operational and safety related information: such as GPS location, speed, air bag deployments, crash avoidance alerts, impact data, safety system status, braking and swerving/cornering events, event data recorder (EDR) data, seat belt settings, vehicle direction (heading), camera image and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, infotainment system usage, and WiFi data usage.
Information about your device and how you interact with our products and services, including apps and websites: such as IP address, browser type, unique device identifier, cookie data, associated identifying and usage information from your mobile phone, laptop, or other device.
How we may use your information
We may use your information in order to:
- provide our products and services
- improve the quality, safety, and security of our products and services
- develop new products and services, including autonomous vehicle and car-sharing products and services
- maintain customer relationships and communicate with you
- administer your account(s) and process your payments for products and services
- operate our websites and applications, including online registration processes
- provide customer and vehicle support and service (for example, recall information, servicing and maintenance or warranty service)
- provide product and service updates
- evaluate the quality, safety, and security of our products and services
- collect outstanding debts for products and services
- for research, evaluation of use, and troubleshooting purposes
- protect the safety of you or others
- verify eligibility for vehicle purchase or incentive programs
- perform marketing, including interest based marketing and advertising (with necessary consents)
- administer your participation in contests, quizzes, surveys, promotions and offers
- customise and improve communication content and your experience with OnStar and
- comply with legal, regulatory or contractual requirements
Where required, we will anonymize your information in a way that it can’t reasonably be associated with you or your vehicle. We may use anonymized information or share it with third parties for any legitimate business purpose.
Communications with you in connection with these uses may be via mail, telephone, e-mail, text message and other electronic messages, through the in-vehicle OnStar system or via our websites and applications. See “Your Choices” below to learn how to manage your communication preferences.
We may also combine the personal data with other information collected online or offline about you, including information provided by third party sources, and it may be used or shared for the purposes described in this Privacy Statement, as permitted by applicable law.
How we may share your information
We may share your information as described below and with the third party service providers listed in the table below this Privacy Statement (as updated from time to time). Where required we will obtain additional consent or anonymize the information:
GM Family of Companies: Within the GM family of companies (for example, OnStar US, Maven) for the above uses.
Emergency Service Providers: With emergency service providers, such as law enforcement, roadside assistance providers, and ambulance providers, in order to deliver related services (for example, Stolen Vehicle Assistance Services).
Business Partners and Independent Third Parties: With business partners, such as the manufacturer of your vehicle (not within the GM family of companies), in connection with our or their products and services, research institutes, for research and development purposes (for example, improving highway safety), dealers, fleet or rental companies, for service maintenance of your vehicle, and marketing activities.
We may also share data with business partners and independent third parties where you have elected to receive a product or service from them and authorized them to request data from OnStar (for example, the manufacturer of your vehicle or financial organizations who offer financing for the purchase or lease of GM vehicles or usage based insurance providers) or for promoting joint marketing programs. Please see their respective privacy policies for information on how they use your personal data.
Service Providers: With our product and service providers who work on our behalf in connection with the above uses, such as wireless service providers, companies that administer our contests and promotions, host and/or operate our website, send communications, perform data analytics, credit card processors, or system providers necessary to process, store, or manage credit card information (we will not otherwise share your credit card information).
Where Required or Permitted by Law: As required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution, or similar legal process, when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to detect, investigate and prevent fraud, or to conduct screening to ensure you are not on any government list of restricted parties.
Business Transfers: With a prospective or completed sale, transfer, or financing of a part of a GM or OnStar business or its assets.
Legal basis for processing
The basis on which we process your information is as follows:
- you have given your consent to the processing of your information for one or more specific purposes (see also “Your Choices” below);
- the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which we are subject;
- the processing is necessary in order to protect your vital interests of you or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular if you are a child;
- other applicable legal basis for data processing, especially provisions set out by applicable law.
The provision of your information may be required due to a statutory or contractual obligation, may be necessary to enter into a contract with us or to receive our services/products as requested by you, or may otherwise be voluntary for you. Not providing your information may result in disadvantages for you, e.g. you may not be able to use certain products and services or may accept limited functionality. However, unless otherwise specified, not providing your information will not result in legal consequences for you.
You have certain choices regarding how we use and share your information, such as for marketing and related purposes. To the extent required by applicable law, we will obtain your consent to provide you with direct marketing. You can withdraw your consent at any time. In certain cases we may lawfully use your information for marketing purposes of marketing via email without your prior consent. You can unsubscribe at any time. See “How To Contact Us” below.
If you exercise choices regarding certain marketing communications, your information may still be used for the other purposes described in this Privacy Statement (for example, vehicle support and service), including marketing communications where you have not exercised choice, or communications we are required or permitted by law to send to you (for example, certain types of transactional or account-related messages).
You can also mask and unmask vehicle location data collection by pressing the Privacy Button in your vehicle (certain vehicles also may be equipped to permit masking by clicking through the settings on your radio screen). Please note that pressing the Privacy Button to mask the collection of vehicle location data will have no effect in an emergency situation (e.g. SOS Button push or emergency service request, Automatic Crash Response, Theft Alert Notification, or Stolen Vehicle Assistance).
In addition, some collection and sharing practices are tied to the products and services we offer. To stop the collection or sharing of some information, you may have to decline those products and services or be willing to accept limited functionality.
If you are a resident of the European Economic Area, you have the following rights in respect of your personal data:
- If you have given consent to the processing of your personal data, you have the right to withdraw your consent at any time. If you withdraw your consent, this does not affect the lawfulness of the processing of your personal data prior to the withdrawal of your consent. Note that if you do this, it may impact our ability to provide certain products and services to you.
- You have the right to request access to your personal data. However, please note that we do not provide access to records of service events (for example, when you request service, an OnStar advisor calls in to your vehicle, or when we provide crash, theft, or emergency services). We generally do not release those records (including audio records) unless we receive a subpoena or are otherwise required by applicable law.
- You have the right (i) to request rectification of your personal data, (ii) to request erasure of your personal data, (iii) to request restriction of processing of your personal data, (iv) to request data portability, (v) to object to the processing of your personal data (including objection to profiling), and (vi) to object to automated decision making (including profiling). Note that if you do this, it may impact our ability to provide certain products and services to you.
Please note, that we may need to retain certain personal data for recordkeeping purposes to complete any transactions that you began prior to your request or for other purposes as required or permitted by applicable law.
If you have any questions or if you want to exercise your rights, please contact us at the details below.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
You can also access your online account to view or update certain of your personal data in that account.
The nature of our products and services means that there may be circumstances where you might let someone else use a product or service that we provide to you (for example, you let someone else drive your OnStar equipped vehicle). It is important that if you do let someone else use one of our products or services that you inform them of this Privacy Statement and of the privacy choices that you have made.
If you sell or otherwise transfer your vehicle, it is your responsibility to delete all information (such as contacts, address look-ups, saved map addresses) from the vehicle’s system and contact us to transfer or cancel your account. If you do not delete this information, it may remain on the vehicle’s system and may be accessible to future users of the vehicle. For instructions on how to delete information from your vehicle’s system, please refer to your vehicle owner’s manual.
Cookies and other tracking technologies
Similarly, we may also place cookies in our emails to measure the effectiveness of our email campaigns by identifying the individuals who open or act upon an email message, when an email message is opened, how many times an email message is forwarded, the type of software, device, operating system and browser used to deliver the email and any URL accessed through our email message.
Please also refer to your browser Help instructions to learn more about cookies and other technologies and how to manage their use. If you elect to refuse or delete cookies, you will need to repeat this process if you use another computer, or change browsers. If you choose to decline cookies, some of the functionality of a website may be impaired.
Third party services, applications and websites
Certain third party services or applications (for example, your carrier data plan, navigation services) you download, that are pre-installed, or which you may sign up for may have separate user terms and privacy statements, which are independent of our Privacy Statement. OnStar is not responsible for the personal information practices of these third party services or applications. We recommend that you carefully review the user terms and privacy statement of each third party service or application prior to signing up, downloading, or using them.
Similarly, our sites may contain links to independent sites outside of and not controlled by GM or OnStar, such as those belonging to GM dealers, GM licensees, or independent product review sites. OnStar is not responsible for these sites, their omissions, policies, or content of the websites or for the personal information practices of such third parties. We recommend that you read the privacy policies of these third parties before making a decision to use the site or provide your personal information to the site operators.
How we safeguard your information
We maintain appropriate technical, administrative, organizational and physical security and confidentiality measures designed to protect your information from unauthorized access or acquisition and to ensure a level of security appropriate to the risk of varying likelihood and severity for your rights and freedoms related to personal data. We also require by contract (other than in an emergency situations) that third party services providers acting on our behalf or with whom we share your information also undertake to provide such measures.
How long we keep your information
Your personal data will be retained as long as necessary to provide you with the services and products requested. Once you have terminated the contractual relationship with us, we will either delete your personal data or anonymize your personal data, unless statutory retention requirements apply (such as for taxation purposes). In this case, we may be required by applicable law to retain certain of your personal data for a period of 10 years after the relevant taxation year. We may also retain your personal data after the termination of the contractual relationship if your personal data are necessary to comply with other applicable laws or if we need your personal data to establish, exercise or defend a legal claim, on a need to know basis only. To the extent possible, we will restrict the processing of your personal data for such limited purposes after the termination of the contractual relationship.
GM does not target or knowingly collect any information from children under the age of 13.
International data transfers
We store your information in the United States, the European Economic Area (EEA), and other locations where we or our service providers maintain servers. If you are a resident of the EEA, your information may be transferred to a country outside of the EEA which may not provide the same level of data protection from a European perspective as your home country. This may also include the transfer to a country which is not covered by an adequacy decision by the European Commission. We provide appropriate protections for cross-border transfers as required by law for international data transfers. With respect to such transfers from the EEA to the United States and other non-EEA jurisdictions, we implement standard contractual clauses. You can ask for a copy of these by contacting us as set out below.
Changes to the privacy statement
We may need to update this Privacy Statement from time to time as our business and products or services expand or change, or as required to by law. If we do, we will post the updated version of the Privacy Statement on our website.
How to contact us
You can contact us as follows:
OnStar Europe Limited
Griffin House, UK1-101-135, Osborne Road
Luton, United Kingdom, LU1 3YT
Our customer service department is available to address any concerns you may have regarding the OnStar Services.
Unless you tell us otherwise, we will send notices to you at the contact details you provide. You may change your e-mail address for notification purposes at any time by accessing your online account to update certain of your personal data in that account or contacting us at the phone number or email address provided under the “Contact” section of the User Terms.
Third party processors
Last Updated: October 2017
The third party provider categories and entities listed below (as updated from time to time) may process your information as described below and in connection with your use of the OnStar connected vehicle, products, and services.
OnStar may share your information with your vehicle manufacturer (when not in the GM family of companies) as described in the Privacy Statement, including for purposes in connection with our or their products and services (for example, to provide, improve upon, make updates to products and services, including software updates, and for safety reasons), and for marketing (where required we will obtain additional consent).
OnStar currently uses the services of Covisint Corporation, Detroit, Michigan, for identity management. Your account information, including name, e-mail address, password, PIN and identity questions will be stored and processed on Covisint servers in Frankfurt, Germany, with back-up servers in Chicago. Covisint’s parent company Compuware Corp., Detroit, Michigan (or any successor) will comply with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the European Economic Area or Switzerland.
OnStar may route your SMS connection data through third party servers, currently Jasper Technologies, Inc., 189 North Bernardo Avenue, Suite 150, Mountain View, CA 94043, USA, as a backup, or to provide services such as door unlock requests, horn/light activate requests and vehicle location requests. Jasper Technologies (or any successor) will comply with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the European Economic Area or Switzerland.
Billing and Payments
We currently use a third party billing partner, Zuora Inc., 1051 E Hillside Blvd., Suite 600, Foster City, CA 94404 USA for billing processing, and provide your contact and account billing data to Zuora for that purpose. Zuora (or any successor) will comply with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the European Economic Area or Switzerland.
We currently use a third party payment processor, Adyen BV, Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, The Netherlands for payment processing. The payment details you provide are input directly into the Adyen payment page, where Adyen collects, stores and processes them in order to process your payment of OnStar services. Adyen (or any successor) may transfer payment data to the respective payment card or service company or the bank issuing the card, also outside the EEA, if your card requires such transfer to complete the transaction. Adyen may share payment data with the GM family of companies, including OnStar U.S., for payment-related support, maintenance, and troubleshooting purposes. Adyen (or any successor) will comply with applicable legal requirements providing adequate protection for the transfer of personal information to countries outside of the European Economic Area or Switzerland.
Important note: Some countries require an identity check for mobile data usage. If applicable, the payment details you provide are received directly by Adyen (or any successor), who collects, stores and processes them to verify your identity on behalf of your mobile network operator and provides a verified or not verified token to your mobile network operator.
Automatic Crash Response
In the event of an emergency we may share Automatic Crash Response data, vehicle location and information from the OnStar Advisor voice call with you with the local emergency assistance provider (112 or 999) so the emergency assistance provider can better respond and find your vehicle.
Vehicle Infotainment and Personalization
On equipped vehicles, we currently use a third party partner, Salesforce.com, Inc., to provide infotainment and personalization features, which allow you to create a customized profile in your vehicle that can be applied across multiple vehicles with personalization capabilities. To support this feature, we provide your profile information, such as your user name, first name, last name, email address, VIN, country, and language, your installed apps, and your personalization settings, such as saved navigation points of interest, HVAC settings, such as max fan speed, automatic defogger, and other vehicle settings, such as seat memory recall.
Unless you have opted out of Dealer Maintenance Notification or similar services, your vehicle data (including monthly diagnostics report e.g., mileage and oil life, real-time alerts and OnStar package data) will be shared with your selected dealer, for vehicle service related purposes. You may opt out of Dealer Maintenance Notification services on your Vehicle Profile page or by contacting an OnStar advisor.
Mobile Network Operators
We share Wi-Fi data with the mobile network operator from which you have ordered a data plan and receive Wi-Fi Hotspot services.
We may give anonymized data (data that cannot be traced back to you) to third party service providers for statistical purposes and for analysing and improving our services.
We use a variety of third party suppliers to provide products and services to you. We will update this list from time to time with changes to the third parties that process your personal information. You may also contact us with specific questions. See How To Contact Us in the Privacy Statement.
Note that certain third party services or applications (for example, your carrier data plan, navigation services, such as the services provided by Telenav, Inc. in equipped vehicles) you download, that are pre-installed, or which you may sign up for, may have separate user terms and privacy statements, which are independent of our Privacy Statement. OnStar is not responsible for the personal data practices of these third party services or applications. We recommend that you carefully review the user terms and privacy statement of each third party service or application prior to signing up, downloading, or using them.