California Privacy Policy

Last Updated: January 1, 2020

Introduction

SMARTAUTOWARRANTY.COM (also referred to herein as “we,” “us,” and “our”) supplements the information contained in Privacy Policy with this California Privacy Policy (the “Policy” or “Notice”) which applies solely to visitors, users, consumers, and others who reside in the State of California (“consumers” or “you”). We adopt this Policy to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this Policy. We are committed to protecting the privacy and security of the personal information we collect, use, share, and otherwise process as part of our business. This Policy will provide you with a comprehensive description of our practices regarding the collection, use, disclosure, and sale of personal information of California consumers and of the rights you have regarding your personal information.

Notice at Collection

Data Collection: We currently collect the categories of personal information listed in the chart below, and we may use the data for the purposes identified for each category. As permitted by applicable law, we may use and disclose all of the personal information that we collect in order to:

  • Comply with federal, state, or local laws;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that we, a service provider, or a third party reasonably and in good faith believe may violate federal, state, or local law;
  • Exercise or defend legal claims; and
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.

 

Category of Personal Information Examples and Purposes
Identifiers Examples: real name, alias, postal address, unique personal identifier, online identifier Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

Purposes for Which Category Will Be Used: We use this category of personal information to:

  • Quote prices of vehicle service contracts to you;
  • Complete sales of vehicle service contracts;
  • Perform services under vehicle service contracts;
  • Provide customer service for vehicle service contracts;
  • Provide you with information about our services;
  • Establish and maintain your account with us;
  • Manage our relationship with you;
  • Detect fraud and prevent loss;
  • Allow you to contact us and facilitate communication with us;
  • Provide offers to eligible customers;
  • Respond to your feedback, requests, questions, or inquiries; and
  • Operate our business.
Categories of personal information described in California’s data breach notification law Examples: name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information

Purposes for Which Category Will Be Used: We use this category of personal information to:

  • Quote prices of vehicle service contracts to you;
  • Complete sales of vehicle service contracts;
  • Perform services under vehicle service contracts;
  • Provide customer service for vehicle service contracts;
  • Provide you with information about our services;
  • Establish and maintain your account with us;
  • Manage our relationship with you;
  • Detect fraud and prevent loss;
  • Allow you to contact us and facilitate communication with us;
  • Provide offers to eligible customers;
  • Respond to your feedback, requests, questions, or inquiries; and
  • Operate our business.
Internet or other electronic network activity information Examples: browsing history; search history; internet service provider (ISP); type of computer; type of web browser; URLs of any referring or exited webpages; operating system; information about your interaction with the Site or advertisements on it; data about which pages you visit; the date and time of your visit; your domain server; and your browser type

Purposes for Which Category Will Be Used: We use this category of personal information to:

  • Quote prices of vehicle service contracts to you;
  • Complete sales of vehicle service contracts;
  • Perform services under vehicle service contracts;
  • Provide customer service for vehicle service contracts;
  • Provide you with information about our services;
  • Establish and maintain your account with us;
  • Manage our relationship with you;
  • Detect fraud and prevent loss;
  • Allow you to contact us and facilitate communication with us;
  • Provide offers to eligible customers;
  • Respond to your feedback, requests, questions, or inquiries; and
  • Operate our business.

Additional Data Collection and Uses: We will not collect categories of personal information other than those disclosed above without providing a new notice at collection. In addition, we will not use your personal information for any purpose other than those disclosed above. If we intend to use your personal information for a purpose that was not previously disclosed in the notice at collection, we will directly notify you of the new use and obtain consent from you to use it for the new purpose.

Personal Information Collection During Last 12 Months

Personal Information Collected: We have collected the categories of personal information listed below during the preceding 12 months, and we used that data for the purposes identified under each category.

  1. Identifiers
    1. Examples: real name, alias, postal address, unique personal identifier, online identifier Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

    2. Categories of Sources: Directly from the consumer or third-party marketing affiliates
    3. Business and Commercial Purposes for Collecting: We use this category of personal information to:
      • Quote prices of vehicle service contracts to you;
      • Complete sales of vehicle service contracts;
      • Perform services under vehicle service contracts;
      • Provide customer service for vehicle service contracts;
      • Provide you with information about our services;
      • Manage our relationship with you;
      • Detect fraud and prevent loss;
      • Allow you to contact us and facilitate communication with us;
      • Provide offers to eligible customers;
      • Respond to your feedback, requests, questions, or inquires; and
      • Operate our business.
    4. Categories of third parties with whom we share personal information: We have shared this category of personal information with the following categories of third parties:
      • Corporate parents, subsidiaries and affiliates; and
      • Service providers (e.g. accounts, attorneys, advisors, mailing, marketing, payment processing, Site administration, technical support, modeling, analytics, third-party administrators for vehicle service contracts, insurance companies).
  2. Categories of personal information described in California’s data breach notification law
    1. Examples: name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information

    2. Categories of Sources: Directly from the consumer or third-party marketing affiliates
    3. Business and Commercial Purposes for Collecting: We use this category of personal information to:
      • Quote prices of vehicle service contracts to you;
      • Complete sales of vehicle service contracts;
      • Perform services under vehicle service contracts;
      • Provide customer service for vehicle service contracts;
      • Provide you with information about our services;
      • Manage our relationship with you;
      • Detect fraud and prevent loss;
      • Allow you to contact us and facilitate communication with us;
      • Provide offers to eligible customers;
      • Respond to your feedback, requests, questions, or inquires; and
      • Operate our business.
    4. Categories of third parties with whom we share personal information: We have shared this category of personal information with the following categories of third parties:
      • Corporate parents, subsidiaries and affiliates; and
      • Service providers (e.g. accounts, attorneys, advisors, mailing, marketing, payment processing, Site administration, technical support, modeling, analytics, third-party administrators for vehicle service contracts, insurance companies).
  3. Internet or other electronic network activity information
    1. Examples: browsing history; search history; internet service provider (ISP); type of computer; type of web browser; URLs of any referring or exited webpages; operating system; information about your interaction with the Site or advertisements on it; data about which pages you visit; the date and time of your visit; your domain server; and your browser type

    2. Categories of Sources: Directly from the consumer or third-party marketing affiliates
    3. Business and Commercial Purposes for Collecting: We use this category of personal information to:
      • Quote prices of vehicle service contracts to you;
      • Complete sales of vehicle service contracts;
      • Perform services under vehicle service contracts;
      • Provide customer service for vehicle service contracts;
      • Provide you with information about our services;
      • Manage our relationship with you;
      • Detect fraud and prevent loss;
      • Allow you to contact us and facilitate communication with us;
      • Provide offers to eligible customers;
      • Respond to your feedback, requests, questions, or inquires; and
      • Operate our business.
    4. Categories of third parties with whom we share personal information: We have shared this category of personal information with the following categories of third parties:
      • Corporate parents, subsidiaries and affiliates; and
      • Service providers (e.g. accounts, attorneys, advisors, mailing, marketing, payment processing, Site administration, technical support, modeling, analytics, third-party administrators for vehicle service contracts, insurance companies).

Personal Information Sold: We do not sell personal information.

Personal Information Disclosed for a Business Purpose: We have disclosed for a business purpose the categories of personal information listed below during the preceding 12 months:

  1. Identifiers
    1. Examples: real name, alias, postal address, unique personal identifier, online identifier Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  2. Categories of personal information described in California’s data breach notification law
    1. Examples: name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
  3. Internet or other electronic network activity information
    1. Examples: browsing history; search history; internet service provider (ISP); type of computer; type of web browser; URLs of any referring or exited webpages; operating system; information about your interaction with the Site or advertisements on it; data about which pages you visit; the date and time of your visit; your domain server; and your browser type
How Long Do We Store and Use Your Personal Information?

We are required by law to maintain records of consumer requests submitted under the California Consumer Privacy Act and how we responded to such requests for at least 24 months. We only use this information for recordkeeping purposes.

California Consumer Rights

Do Not Sell My Personal Information

Under the California Consumer Privacy Act (CCPA), you have the right to direct us to stop selling your personal information to third parties and to refrain from doing so in the future. For purposes of the CCPA, we do not and will not sell personal information as defined under applicable law.

CCPA Requests to Know and Requests to Delete

As described in more detail below, the CCPA gives consumers the right to request that we (1) disclose what personal information we collect, use, disclose, and sell, and (2) delete certain personal information that we have collected or maintain. You may submit these requests to us as described below, and we honor these rights where they apply.
However, by way of example, these rights do not apply where we collect or sell a consumer’s personal information if: (1) we collected that information while the consumer was outside of California, (2) no part of a sale of the consumer’s personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold. In addition, de-identified information is not subject to these rights.
If a request is submitted in a manner that is not one of the designated methods for submission, or if the request is deficient in some manner unrelated to our verification process, we will either (1) treat the request as if it had been submitted in accordance with the designated manner, or (2) provide you with specific directions on how to submit the request or remedy any deficiencies with the request, as applicable.

Request to Know
As described below, you have the right to request: (1) the specific pieces of personal information we have collected about you; (2) the categories of personal information we have collected about you; (3) the categories of sources from which the personal information is collected; (4) the categories of personal information about you that we have sold and the categories of third parties to whom the personal information was sold; (5) the categories of personal information about you that we disclosed for a business purpose and the categories of third parties to whom the personal information was disclosed for a business purpose; (6) the business or commercial purpose for collecting, disclosing, or selling personal information; and (7) the categories of third parties with whom we share personal information. Our response will cover the 12-month period preceding our receipt of a verifiable request.

Submission Instructions. You may submit a request to know via our toll-free telephone number, 877-287-4285 or privacy@carchex.com, a form submitted in person, and a form submitted through the mail.
Verification Process. We are required by law to verify the identities of those who submit requests to know, and our verification process is described in detail below. We will inform you if we cannot verify your identity.

  • If we cannot verify the identity of the person making a request for categories of personal information, we may deny the request. If the request is denied in whole or in part for this reason, we will provide a copy of, or direct you to, our privacy policy.
  • If we cannot verify the identity of the person making the request for specific pieces of personal information, we are prohibited from disclosing any specific pieces of personal information to the requestor. However, if denied in whole or in part for this reason, we will evaluate the request as if it is seeking the disclosure of categories of personal information about the consumer.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to know, we will confirm receipt of the request within 10 days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request). In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will associate the information provided by you in the verifiable consumer request to any personal information previously collected by us about you. We will promptly take steps to disclose and deliver, free of charge to you, the information requested. We will provide an individualized response to requests regarding categories of personal information as required by applicable law; but, we may refer you to our general practices outlined in this Policy when our response would be the same for all consumers and all the information that is otherwise required to be in a response is presented here.

If you do not have a password-protected account with us, we may respond to a request to know related to household personal information by providing aggregate household information. If all consumers of a household jointly request access to specific pieces of personal information for the household, we will comply with the request if we can verify the identity of each consumer.

Delivery. Except as otherwise provided by applicable law, the information will be provided in writing and may be delivered through your account with us. If you do not maintain an account with us, we will respond by mail or electronically (at your option) in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity. Alternatively, we may offer a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information. If we do not take action on your request, we will, without delay and, at the latest, within the time period permitted for our response, inform you of the reasons that we did not take action and any rights you may have to appeal the decision.

Limitations. We are committed to responding to requests to know in accordance with applicable law. However, your rights are subject to the following limitations:

  • We are only required to respond to requests to know twice in a 12-month period.
  • We are not permitted to provide specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to (1) the security of that personal information, (2) the consumer’s account with us, or (3) the security of our systems or networks.
  • We are prohibited from disclosing Social Security numbers, driver’s license numbers, other government-issued identification numbers, financial account numbers, health insurance numbers, medical identification numbers, account passwords, and security questions and answers.

Denials. If we deny a verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception under applicable law, we will inform the requestor and explain the basis for the denial. If the request is denied only in part, we will disclose the other information sought by the consumer.

Request to Delete
You have a right to request the erasure/deletion of certain personal information collected or maintained by us. As described below, we will delete your personal information from our records and direct any service providers (as defined under applicable law) to delete your personal information from their records.

Submission Instructions. You may submit a request to delete via 877-264-8058, privacy@carchex.com, a form submitted in person, and a form submitted through the mail. We may present you with the choice to delete select portions of your personal information, but a global option to delete all personal information will be offered and more prominently presented.

Verification Process. We are required by law to verify the identities of those who submit requests to delete, and our verification process is described in detail below. We will inform you if we cannot verify your identity.

  • If we cannot verify the identity of the person making a request to delete, we may deny the request. We will, however, treat the request as a request to opt-out of sales of personal information.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to delete, we will confirm receipt of the request within 10 days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request). We will use a two-step process for online requests to delete in which you must first, clearly submit the request to delete and then second, separately confirm that you want your personal information deleted. In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will take one of the following actions: (1) permanently and completely erase the personal information on our existing systems (with the exception of archived or back-up systems); (2) de-identify the personal information; or (3) aggregate the personal information. For personal information stored on archived or backup systems, we may delay compliance with your request to delete for that data until the archived or backup system is next accessed or used.

If you do not have a password-protected account with us, we may respond to a request to delete related to household personal information by providing aggregate household information. If all consumers of a household jointly request deletion for the household, we will comply with the request if we are able to verify the identity of each consumer.

Delivery. In our response to you, we will specify the manner in which we deleted your personal information. We will also inform you of our obligation to maintain a record of the request under California law.

Limitations. We are committed to responding to requests to delete in accordance with applicable law. However, we are not required to delete your personal information if it is necessary for us (or our service providers) to maintain your personal information in order to:

  • Complete the transaction for which the personal information was collected;
  • Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
  • Provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you;
  • Otherwise perform a contract between us and you;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • Comply with a legal obligation; and
  • Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided.

Denials. If we deny your request, we will (1) inform you that we will not comply with the request and describe the basis for the denial, including any applicable statutory and regulatory exceptions; (2) delete the personal information that is not subject to the exception; and (3) not use the personal information retained for any other purpose than provided for by the applicable exception(s).

Verification Procedures
To determine whether the individual making the request is the consumer about whom we have collected information, we will verify your identity by matching the identifying information provided by you in the request to the personal information that we already maintain about you. As a part of this process, you will be required to provide your full name, phone number, email address, and or zip code.

If we cannot verify your identity based on the information already maintained, we may request additional information from you. We will try to limit the information collected, and we will only use this information to verify your identity and for security or fraud-prevention purposes. Except as required by law, we will delete any new personal information collected for the purposes of verification as soon as practical after processing the request.

We require different levels of authentication based upon the nature of the personal information requested. A more stringent verification process is applied when (1) sensitive or valuable personal information is involved, (2) there is a greater risk of harm to the consumer, and/or (3) there is a higher likelihood that fraudulent or malicious actors would request the information.

Password-Protected Account. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for the account. We will require you to re-authenticate yourself before disclosing or deleting your data. If we suspect fraudulent or malicious activity on or from the password-protected account, we will not comply with the request until further verification procedures determine that the request is authentic and that the consumer making the request is the person about whom we have collected information.

Request to Know Categories. For a request to know categories of personal information, we will verify the identity of the consumer making the request to a “reasonable degree of certainty” by matching at least two (2) data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer.

Request to Know Specific Pieces. For a request to know specific pieces of personal information, we will verify the identity of the consumer making the request to a “reasonably high degree of certainty” by matching at least three (3) pieces of personal information provided by the consumer with personal information maintained by us, which we have determined to be reliable for the purpose of verifying the consumer, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required by law to maintain all signed declarations as part of our record-keeping obligations.

Request to Delete. For a request to delete, we will verify the identity of the consumer to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty.

Authorized Agents
You may designate an authorized agent to make requests on your behalf through any of the methods described in this policy. If you use an authorized agent to submit a request to know or a request to delete, we may require you to: (1) provide the authorized agent with written permission to do so; and (2) verify your identity directly with us. However, we will not require these actions if you have provided the authorized agent with power of attorney pursuant to the California Probate Code. We may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Excessive Requests
If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, we may either (1) charge a reasonable fee, or (2) refuse to act on the request and notify the consumer of the reason for refusing the request. If we charge a fee, the amount will be based upon the administrative costs of providing the information or communication or taking the action requested.

CCPA Non-Discrimination

You have the right not to receive discriminatory treatment by us due to your exercise of the rights provided by the California Consumer Privacy Act. We do not offer financial incentives and price or service differences, and we do not discriminate against consumers for exercising their rights under the CCPA.

California Shine the Light

Under California Civil Code Section 1798.83, California residents who provide personal information in obtaining products or services for personal, family, or household use may be entitled to request and obtain from us once a calendar year information about the information we shared, if any, with other businesses for direct marketing uses. At present, we do not share your personal information with third parties for those third parties’ direct marketing purposes. Please be aware that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing, if any, will be included in our response. As part of the California Online Privacy Protection Act, all users of our Site may make any changes to their information at any time by contacting us at privacy@carchex.com.

Third-Party Sites

This Policy is applicable only to the Site, and it does not apply to any third-party websites.
The Site may contain links to, and media and other content from, third-party websites. These links are to external websites and third parties with which we may have no relationship. Because of the dynamic media capabilities of the Site, it may not be clear to you which links are to the Site and which are to external, third-party websites. If you click on an embedded third-party link, you will be redirected away from the Site to the external third-party website. You can check the URL to confirm that you have left this Site.

We cannot and do not (1) guarantee the adequacy of the privacy and security practices employed by or the content and media provided by any third parties or their websites, (2) control third parties’ independent collection or use or your personal information, or (3) endorse any third-party information, products, services or websites that may be reached through embedded links on this Site.

Any personal information provided by you or automatically collected from you by a third party will be governed by that party’s privacy policy and terms of use. If you are unsure whether a website is controlled, affiliated, or managed by us, you should review the privacy policy and practices applicable to each linked website.

Updates and Changes to this Policy

We reserve the right, at any time and without notice, to add to, change, update, or modify this Policy to reflect any changes to the way in which we treat your personal information or in response to changes in law. Should this Policy change, we will post all changes we make to this Policy on this page. If we make material changes to how we treat your personal information, we will also notify you through a notice on the home page of the Site for a reasonable period of time. Any such changes, updates, or modifications shall be effective immediately upon posting on the Site. The date on which this policy was last modified is identified at the beginning of this Policy.

You are expected to, and you acknowledge and agree that it is your responsibility to, carefully review this Policy prior to using the Site, and from time to time, so that you are aware of any changes. Your continued use of the Site after the “Last Updated” date will constitute your acceptance of and agreement to such changes and to our collection and sharing of your personal information according to the terms of the then-current Policy. If you do not agree with this Policy and our practices, do not access, view, or use any part of the Site.

Contact Us

For more information, or if you have any questions or concerns regarding this Privacy Policy, wish to exercise your rights, or wish to lodge a complaint with us, you may contact us using the information below, and we will do our best to assist you. Please note, if your communication is sensitive, you may wish to contact us by postal mail or telephone.

In Writing: 118 Shawan Road, Suite 210, Baltimore, MD 21030

By Telephone: 1-877-227-2439

By Email: privacy@carchex.com