Privacy policy

Privacy Policy

This Privacy Policy follows the provisions of regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data in Europe (hereinafter, "GDPR"); as well as the Spanish Data Protection Act 3/2018; and other national or local regulations that complement it. To some extent, our Company may also be bound by national legislation of other countries. Please, if applicable, read the detailed information provided below through the corresponding section. We may update our Privacy Policy from time to time. Changes become effective when they are posted on the website/app. Last update: 05/2026.

1. Who is the Data Controller of your data?

SEAT, S.A. (CUPRA) with VAT number A-28049161 and address at Autovía A-2, Km. 585, Martorell, Barcelona (Spain), is the data controller of your personal data.

2. What type of data do we process and what is the origin?

For login you will need to create a CUPRA ID account. The CUPRA ID serves as a central user account in which you can manage your data centrally for many CUPRA services. Please note that some specific legal terms may apply to the use of your account data: https://seatid.vwgroup.io/data-privacy. Finally, in case you wish, you can login as guest user and your data won't be processed for the visiting. When you login or access to our services, we process the following personal data through the following sources:

• Data related to your identification, contact and account: identification data (name, surname), contact (email, telephone), CUPRA ID related data.
• Data related to your purchases: billing data, identification data, contact data, postal address, products purchased, financial services, contract date, purchase price, extras, warranties, etc.
• Transactional data: credit card number, and other payment related information.
• Browsing data: the Services' servers may collect browsing information in an anonymized form, including IP address, domain name, or unique device identifier, without enabling personal identification of the user.
• Cookie data: inserted on the Website and/or in the Services, if applicable, and the use of similar technologies (see Cookie Policy for more information).

3. For what purpose do we process your data, and which is the legal basis?

We may only process your personal data under the adequate purposes and legal basis for doing so.

Registration and login
If you become a registered user, CUPRA will need to process your personal and account data (CUPRA ID) to identify you as a user and grant you access to the platform. Note that you can login as guest user and your data won't be processed for the visiting.
Lawful basis: The performance of the contractual relationship (Art. 6.1.b GDPR).

Purchases and deliveries
We will process your data for the following purposes:

• To manage the purchase, the payment and the delivery of the products that you purchase, regardless of the payment procedure used. For this, CUPRA will need to communicate your data to the Partner who provide services on behalf of CUPRA for the purpose of managing the provision of services.
• To contact you for updates or informative notices related to your delivery and purchases, including quality surveys to be able to establish the degree of customer satisfaction with the provided service.
• To manage potential exchanges, returns after you have purchased and manage requests of availability information for articles, reservations of products through the platform, depending on the availability of such options from time to time.

Lawful basis: The performance of the contractual relationship with the User (Art. 6.1.b GDPR), and our legitimate interest to carry out the necessary verifications to detect and prevent potential fraud or fraudulent uses of the Platform, for example when you make a purchase, and to send you surveys to collect your opinion (Art. 6.1.f GDPR).

Requests to our Customer Service
We will process the personal data strictly necessary to manage or resolve your request or application. If you contact us via telephone, the call may be recorded for quality purposes and so that we can respond to your request.
Lawful basis: our legitimate interest in answering the queries or consultations raised by you through the existing different contact channels (Art. 6.1.f GDPR). If your query is related to your order or the product/service acquired through the Platform, the processing of your data is necessary to perform the purchase contract (Art. 6.1.b GDPR). Finally, we are additionally legally permitted to process your data for compliance with our legal obligations and legal defence (Art. 6.1.c GDPR).

Communications and marketing
We will send you relevant information about your orders and your account status. Additionally, we will send information about our news, products or services. We will be able to contact you through various means (such as e-mail or SMS), based on your contact data.
Lawful basis: The performance of the contractual relationship (Art. 6.1.b GDPR); as well as for marketing purposes based on your previous consent (Art. 6.1.a GDPR).

4. How is your data protected and whom are they communicated to?

All your data will be processed with absolute confidentiality, undertaking to keep them secret and guaranteeing the duty to store them by adopting all necessary and reasonable measures to prevent their alteration, loss and unauthorised access or processing, in accordance with the provisions of the applicable legislation. Our security measures are continuously updated and reviewed in order to improve them in accordance with new technological advances. We do not share the personal information you provide to us with other organisations without your express consent, except as described in this Privacy Policy. In this regard, we disclose your personal information to third parties in the following circumstances:

• Partners who provide services on behalf of CUPRA for the purpose of managing the provision of services. In this case, such access to data on behalf of third parties will be regulated in the corresponding data processing agreement in compliance with applicable regulations, which will state that they will process your data on our behalf and under our instructions, and in no case will they have your data for their own purposes.
• Compliance with legal obligations: we may share certain strictly necessary information with authorities such as the police, tax authorities or other authorities, if required by law.

5. Will your data be transferred outside the European Union?

Your data will be processed within the European Economic Area. However, some of our suppliers may process your data outside the European Economic Area, such as Amazon Web Services, which provides our virtual infrastructure on a "cloud computing" model. This entity is established in the United States of America. CUPRA regulates in accordance with the applicable regulations the relationship with these suppliers in order to guarantee and maintain the adequate level of protection in accordance with European standards. Therefore, in the event that the country receiving the data is not considered to have an adequate level, it will regulate the relationship with the third party recipient by means of the corresponding Standard Contractual Clauses adapted by the European Commission, the content of which can be consulted here.

6. How long we will keep your data?

Your personal data will be kept for the time strictly necessary for the purposes of the processing for which they have been provided, and, in any case, following the principle of data minimisation and the retention periods provided for in the applicable regulations, for a maximum period of 10 years for legal liabilities may arise in relation to the product sold. Your data will be kept for as long as they are necessary to fulfil the corresponding purpose and from the moment you exercise your right of deletion, your data will be kept blocked solely for the purpose of meeting any legal responsibilities that may arise.

7. What are your rights as a data subject?

You may exercise the following data protection rights in accordance with the applicable legal provisions:

Access
You can obtain confirmation as to whether our Company processes your personal data, as well as consult your personal data included in our files.

Rectification
You may modify your personal data if they are inaccurate, as well as complete data if they are incomplete.

Erasure
You may request the elimination or erasure of your personal data when, among other reasons, the data are no longer necessary for the purposes for which they were collected.

Object to processing
You can ask for your personal data not to be processed. We will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.

Restrict of processing
You may request the limitation of the processing of your data in the following cases:

• As long as the accuracy of your data is contested.
• When the processing is unlawful, you object to the deletion of your data and request the limitation of its use.
• When our company does not need to process your data, but you need it for the exercise or defence of claims.
• When you have objected to the processing of your data for the fulfilment of a public interest mission or for the satisfaction of a legitimate interest, while it is being verified whether the legitimate grounds for the processing outweigh yours.

Portability
You can receive, in electronic format, the personal data that you have provided to us and the data that has been obtained from your contractual relationship with our company, as well as transmit them to another entity.

Consent withdrawal
If you have given us your consent to process your data for any purpose, you also have the right to withdraw such consent at any time.

The exercise of these rights is free of charge except in the case of manifestly unfounded or excessive requests. In the event of reasonable doubt as to your identity, you may be asked for additional information necessary for CUPRA to confirm your identity and thus be able to respond to your right.

8. How can you exercise your rights?

You may exercise your data protection rights to our Company by this email channel: customercare@cupraofficial.com

The exercise of data protection rights is free of charge except in the case of manifestly unfounded or excessive requests. In the event of reasonable doubts about your identity, we may ask you for additional information in order to confirm your identity and thus be able to respond to you. If you wish to assert your data protection rights against the Importer or their Dealer and Service Partner networks, please contact them directly. If you consider that we have not processed your personal data in accordance with applicable law, you can lodge a complaint with the corresponding supervisory authority, being in Spain the AEPD (www.aepd.es).

9. Data Protection Officer

You can contact our data protection officer (DPO) by sending an email to: dataprotection@seat.es.

10. Country-specific requirements

If applicable, you will find here the corresponding data protection requirements applicable to your country.