Cruise America Privacy Policy

2.1 Personal Information We Collect Directly from You

We receive personal information as described to you at the point of collection, pursuant to your consent (such as rental confirmations or operational notices), and/or when you voluntarily provide us (including our licensees) with personal information, including:

• Individual information
• Company information
• Other identifying information that you voluntarily choose to provide to us, including, without limitation, unique identifiers such as passwords, and personal information in messages you send to us

More specifically, we collect personal information that is reasonably necessary to provide our services, administer rentals and sales, operate and protect our fleet, comply with legal obligations, and conduct legitimate business activities, including:

• Your name, contact information, date of birth, driver's license number and expiration date
• Rental and transaction details (rental location, dates, vehicle information, authorized drivers)
• Vehicle-related operational, diagnostic, mileage, performance, crash, and location data
• Your credit card details
• Cruise America online user account details
• Financial information that may be necessary to facilitate the purchase of a vehicle
• Additional contact information about you that we may obtain through third parties with whom we do business (e.g., travel agents, tour operators, rental lead providers, or similar providers)

We may also collect additional information, which may be personal information, as otherwise described to you at the point of collection or pursuant to your consent.

2.2 Information We Automatically Collect When You Use Our Site

To access and use certain areas or features of the Cruise America Services, you consent to our collection and use of certain information about your use of the Cruise America Services through the use of tracking technologies or by other passive means, including when you receive, open, engage, forward, and/or click through the Services. Your consent to our access and use of this "passively collected" information includes, but is not limited to, the domain name of the website that allowed you to navigate to the Cruise America Services, search engines used, the internet protocol (IP) address used, the length of time spent on the Cruise America Services, the pages you looked at on the Cruise America Services, other webpages you visited before and after visiting the Cruise America Services, the type of device and/or internet browser you have, the frequency of your visits to the Cruise America Services, and other relevant statistics (collectively "Traffic Data").

2.3 Vehicle Operation and Location Data

You acknowledge that our vehicles may be equipped with manufacturer-provided or certain on-board technology such as OEM equipment ("On Board Technology"). Some or all on-board functionality may or may not be active during rental periods.

Categories of Vehicle Data Collected:

• Crash and collision data, including airbag deployment and impact severity
• Operational condition and diagnostic information (engine performance, tire pressure, fluid levels)
• Mileage and odometer readings
• Performance metrics (speed, acceleration, braking patterns)
• GPS location data (real-time and historical routes)
• Geofencing alerts when vehicles enter or exit designated areas

You acknowledge and agree that our On Board Technology may provide us use of, disclosure of, or access to this vehicle data ("On Board Data"), all to the extent permitted by applicable law. This data may be transmitted in real-time or stored on the vehicle and retrieved periodically.

Third-Party Access to Vehicle Data:

Vehicle manufacturers may have independent access to certain On Board Data through their own systems. We may share On Board Data with:

• Insurance companies for claims processing and underwriting
• Law enforcement when required by law or court order
• Roadside assistance and towing providers
• Fleet maintenance and service providers

2.4 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information from consumers:

• Identifiers (name, postal address, email address, IP address, driver's license number, account name)
• Categories listed in Cal. Civ. Code § 1798.80(e) (signature, physical characteristics, telephone number, passport number, financial account information, credit card number)
• Commercial information (rental transaction history, purchase history)
• Internet or network activity (browsing history, search history, information regarding interaction with our website)
• Geolocation data (precise location from vehicle GPS)
• Audio, electronic, visual, or similar information (call recordings for customer service)
• Inferences drawn from the above to create consumer profiles (rental preferences, travel patterns)

2.5 Sources of Personal Information

We collect personal information from the following sources:

• Directly from you when you make a reservation, rent a vehicle, or contact us
• Automatically through your use of our website and services
• From our vehicles through on-board technology
• From third parties such as travel agents, tour operators, rental lead providers, credit reporting agencies, and identity verification services
• From public records and databases

2.6 Sensitive Personal Information

We collect the following categories of sensitive personal information, as defined under applicable state privacy laws:

• Government-issued identification numbers (driver's license number)
• Financial account information (credit card and debit card numbers)
• Precise geolocation data (GPS coordinates from vehicle location tracking)

Purposes for Using Sensitive Personal Information:

We use and disclose sensitive personal information only for the following purposes allowed under the CCPA/CPRA:

• To perform services reasonably expected (processing rental payments, verifying driver eligibility, locating and recovering vehicles)
• To prevent, detect, and investigate security incidents, fraud, and illegal activity
• To resist malicious, deceptive, fraudulent, or illegal actions and prosecute those responsible
• To ensure physical safety (roadside assistance, emergency response)
• To verify or maintain the quality or safety of our services and vehicles
• For short-term, transient use (displaying your payment card type during checkout)
• To perform services on our behalf (payment processing, identity verification)
• To comply with legal obligations

We do not use or disclose sensitive personal information for purposes of inferring characteristics about you.

4.1 Tracking Tools

We may use tools outlined below in order to provide the Cruise America Services, advertise to, and better understand users.

Cookies: "Cookies" are small computer files transferred to your device that contain information such as user ID, user preferences, lists of pages visited, and activities conducted while using the Cruise America Services. We use Cookies to: (i) improve and tailor the Cruise America Services, (ii) customize advertisements, (iii) measure performance, (iv) store authentication so re-entering credentials is not required, (v) customize user experiences, and for (vi) analytics and fraud prevention. For more information on Cookies, including how to control your Cookie settings and preferences, visit http://www.allaboutcookies.org. You can also manage Cookies in your web browser (for example, Edge, Explorer, Chrome, Safari). If you choose to change your settings, you may find that certain functions or features of the Cruise America Services will not work as intended. The following details the types of Cookies we use and why we use them:

Absolutely Necessary Cookies: These Cookies are essential to enable you to move around a website and use its features. Without these Cookies, services you have asked for, like adding items to an online order, cannot be provided.

Performance Cookies: These Cookies collect information about how you use the Cruise America Services. Information collected includes the Internet browsers and operating systems used, the domain name of the website previously visited, the number of visits, average duration of visit, and pages viewed. These Cookies do not collect information that personally identifies you and only collect aggregated and anonymous information. Performance Cookies are used to improve website usability and enhance your experience.

Functionality Cookies: These Cookies allow Cruise America Services to remember choices you make (such as your username, language preference, or the area or region you are in) and provide enhanced, more personal features. These Cookies can also be used to remember changes you have made to text size, fonts, and other customizable parts of the Cruise America Services. The information these Cookies collect may be anonymized, and they cannot track your browsing activity on other websites.

Web Beacons: "Web Beacons" (a.k.a. clear GIFs or pixel tags) are tiny graphic image files embedded in a web page or email that may be used to collect information about the use of the Cruise America Services. The information collected by Web Beacons allows us to analyze how many people use the Cruise America Services, use selected publishers' websites, or open emails, and for what purposes.

Web Service Analytics: We may use third-party analytics services in connection with the Cruise America Services, including, for example, to register mouse clicks, mouse movements, scrolling activity, and text typed into the Cruise America Services. We use the information collected from these services to help make the Cruise America Services easier to use and as otherwise outlined in Section 5 (How We Use Your Information). These analytics services generally do not collect personal information unless you voluntarily provide it.

Mobile Device Identifiers: As with other Tracking Tools, mobile device identifiers help Cruise America learn more about our users' demographics and Internet behaviors in order to personalize and improve the Cruise America Services. Mobile device identifiers are data stored on mobile devices that may track activities occurring on and through them, as well as the applications installed on them. Mobile device identifiers enable the collection of personal information (such as media access control address and location) and Traffic Data.

4.2 Behavioral Advertising and Sharing for Cross-Context Behavioral Advertising

We may use a type of advertising commonly known as interest-based or online behavioral advertising. This means that some of our partners use Tracking Tools to collect information about a user's online activities to display Cruise America ads to the user based on the user's interests ("Behavioral Advertising"). Our partners may include third-party advertisers and other third-party service providers, and such partners may collect information when you use the Cruise America Services, such as IP address, mobile device ID, operating system, and demographic information. These Tracking Tools help Cruise America learn more about our users' demographics and Internet behaviors.

Sharing of Personal Information for Targeted Advertising:

We share certain categories of personal information with third-party advertising partners to display personalized advertisements to you on other websites and platforms. Under California law and other state privacy laws, this sharing constitutes "sharing" for cross-context behavioral advertising.

Categories of personal information shared for targeted advertising:

• Identifiers (IP address, cookie IDs, device identifiers)
• Internet or network activity information (pages visited, ads clicked)
• Inferences about preferences and interests

Categories of third parties with whom we share this information:

• Advertising networks and platforms (e.g., Google Ads, Facebook Ads)
• Social media companies
• Data analytics providers

We do not sell personal information for monetary consideration. However, the sharing described above may be considered a "sale" or "sharing" under certain state privacy laws. You have the right to opt out of this sharing, as described in Section 4.3 below.

4.3 Options for Opting Out of Cookies, Behavioral Advertising, and Sale/Sharing

Opt-Out of Sale/Sharing of Personal Information:

You have the right to opt out of the sharing of your personal information for targeted advertising purposes. To exercise this right:

• Click the "Do Not Sell or Share My Personal Information" link in the footer of our website
• Enable the Global Privacy Control (GPC) signal on your browser or device

If we process Cookies based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any point in time by contacting us at privacy@cruiseamerica.com. Please note that if you exercise this right, you may have to provide your consent on a case-by-case basis to enable you to utilize some or all of the Cruise America Services.

You may be able to reject Cookies and/or mobile device identifiers by activating the appropriate setting on your browser or device. Although you are not required to accept Cruise America's Cookies or mobile device identifiers, if you block or reject them, you may not have access to all features available through the Cruise America Services.

You may opt out of receiving certain Cookies by visiting the Network Advertising Initiative (NAI) opt-out page, the Digital Advertising Alliance (DAA) opt-out page, or by installing the DAA's AppChoices app (for iOS; for Android) on your mobile device. When you use these opt-out features, an "opt-out" Cookie will be placed on your device indicating that you do not want to receive interest-based advertising from NAI or DAA member companies. If you delete Cookies on your device, you may need to opt out again. For information about how to opt out of interest-based advertising on mobile devices, please visit https://thenai.org/opt-out/mobile-opt-out/. You will need to opt out of each browser and device for which you desire to apply these opt-out features.

Even after opting out of Behavioral Advertising, you may still see Cruise America advertisements that are not interest-based (i.e., not targeted toward you). Also, opting out does not mean that Cruise Amrica is no longer using Tracking Tools. Cruise America still may collect information about your use of the Cruise America Services even after you have opted out of Behavioral Advertising and may still serve advertisements to you via the Cruise America Services based on information it collects through the Cruise America Services.

This Privacy Policy does not cover the use of Cookies and other Tracking Tools by any third parties, and we are not responsible for the privacy practices of any third party. Please be aware that some third-party Cookies can continue to track your activities online even after you have left the Cruise America Services.

4.4 "Do Not Track" (DNT) and Universal Opt-Out Preference Signals

Some web browsers (including Safari, Internet Explorer, Firefox, and Chrome) include a "Do Not Track" (DNT) or similar feature that signals to web services that a visitor does not want their online activity tracked. If a web service operator elects to respond to a particular DNT signal, the web service operator may refrain from collecting certain personal information about the browser's user. Not all browsers support the DNT option, and there is currently no industry consensus on what constitutes a DNT signal. For these reasons, many web service operators, including Cruise America, do not proactively respond to DNT signals. For more information about DNT signals, visit https://fpf.org/thank-you-for-visiting-allaboutdnt-com/.

Global Privacy Control (GPC):

We recognize and honor the Global Privacy Control (GPC) signal as a valid request to opt out of the sale or sharing of your personal information. The GPC is a technical specification that allows users to broadcast a privacy preference signal from their browser or device.

When we detect a GPC signal from your browser or device, we will:

• Treat it as a request to opt out of the sharing of your personal information for targeted advertising
• Apply the opt-out to the specific browser or device from which the signal is sent
• Not require additional verification steps to honor the signal

To enable GPC, you can download a GPC-enabled browser extension or use a browser that supports GPC (such as Brave, DuckDuckGo, or Firefox with appropriate extensions). For more information about GPC, visit globalprivacycontrol.org.

10.1 Information You Provide

You can choose whether or not to provide personal information through the Cruise America Services. We will not discriminate against you for exercising any of your rights relating to your personal information and will not (i) deny you goods or services, (ii) provide you with a different level or quality of services, or (iii) charge you different prices for services for doing so.

10.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to Know/Access: You have the right to request that we disclose to you:

• The categories of personal information we have collected about you
• The categories of sources from which your personal information is collected
• Our business or commercial purpose for collecting, selling, or sharing personal information
• The categories of third parties with whom we share personal information
• The specific pieces of personal information we have collected about you

Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions under the CCPA/CPRA.

Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information for targeted advertising. See Section 4.3 for how to exercise this right.

Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of your sensitive personal information to purposes specified in Section 2.6 of this Privacy Policy. Because we only use sensitive personal information for these permitted purposes, there is currently no additional limitation available.

Right to Non-Discrimination: You have the right to be free from unlawful discrimination for exercising any of your CCPA/CPRA rights.

Submitting Requests:

To exercise your California privacy rights, you may:

• Email us at privacy@cruiseamerica.com
• Call us toll-free at 1-800-671-8042
• Mail us at: Cruise America, Inc., 11 W. Hampton Ave., Mesa, AZ 85210, USA, Attn: Privacy Officer

We will respond to your request within 45 days of receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing.

Verification:

To protect your privacy, we will verify your identity before fulfilling your request. The verification process may require you to provide:

• Your name, email address, and phone number
• Rental confirmation number or account information
• Government-issued ID for requests involving sensitive personal information

Authorized Agents:

You may designate an authorized agent to make requests on your behalf. To designate an authorized agent, you must:

• Provide the authorized agent written permission to act on your behalf
• Verify your own identity directly with us

We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf, or if we cannot verify your identity.

10.3 Colorado Privacy Rights (CPA)

If you are a Colorado resident, you have the following rights under the Colorado Privacy Act (CPA):

• Right to Access: You have the right to confirm whether we are processing your personal data and to access such personal data
• Right to Correct: You have the right to correct inaccuracies in your personal data
• Right to Delete: You have the right to delete personal data you have provided to us
• Right to Data Portability: You have the right to obtain a copy of your personal data in a portable and readily usable format
• Right to Opt-Out: You have the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
• Right to Appeal: If we decline to take action on your request, you have the right to appeal that decision

Appeal Process:

If we deny your request, you may appeal by:

• Emailing us at privacy@cruiseamerica.com with "Colorado Privacy Appeal" in the subject line
• Providing your original request details and the reason you believe the denial was in error

We will respond to your appeal within 45 days. If we deny your appeal, we will provide you with information about how to contact the Colorado Attorney General to submit a complaint.

To exercise your Colorado privacy rights, please contact us using the methods listed in Section 15.

10.4 Connecticut Privacy Rights (CTDPA)

If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act (CTDPA) that are substantially similar to those described in Section 10.3 for Colorado residents, including the right to appeal denials of your requests. To exercise these rights, please contact us using the methods listed in Section 15.

10.5 Virginia Privacy Rights (VCDPA)

If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (VCDPA) that are substantially similar to those described in Section 10.3 for Colorado residents, including the right to appeal denials of your requests. To exercise these rights, please contact us using the methods listed in Section 15.

10.6 Utah Privacy Rights (UCPA)

If you are a Utah resident, you have rights under the Utah Consumer Privacy Act (UCPA), including the right to access, delete, and obtain a copy of your personal data, and to opt out of the sale of personal data and targeted advertising. Unlike other state laws, Utah does not provide a right to correct personal data or a right to appeal. To exercise these rights, please contact us using the methods listed in Section 15.

10.7 Canada, European Union, and United Kingdom Privacy Rights

If our processing of your personal information (used interchangeably with "personal data" and similar terms of art outside the United States) is subject to GDPR (European Union), UK GDPR (United Kingdom), and/or PIPEDA (Canada), and unless subject to an exemption, you may have the following rights with respect to your personal information:

• Right of Access: You have the right to view and request copies of your personal information
• Right to Rectification: You have the right to request that your inaccurate or outdated personal information be updated or corrected
• Right to be Forgotten/Right to Erasure: You have the right to request your personal information be deleted, upon providing verification to us
• Right to Restrict Processing: You have the right to request the restriction or suppression of our processing of your personal information
• Right to be Informed: You have the right to be informed about the collection and use of your personal information
• Right to Data Portability: You have the right to ask for your personal information to be transferred to you or to another controller
• Right to Withdraw Consent: You have the right to withdraw previously given consent to process your personal information
• Right to Object: You have the right to object to the processing of your personal information
• Right to Object to Automated Processing: You have the right to object to decisions being made with your personal information solely based on automated decision making or profiling

We will need to verify your identity to process any requests described in this Section and may deny your request if we are unable to verify your identity. Government or other identification may be required.

Legal Basis for Processing (GDPR/UK GDPR):

If you are a resident of the European Economic Area ("EEA") or United Kingdom, when we process your personal information, we will only do so in the following situations:

• Performance of a Contract: We need to use your information to perform our responsibilities under our agreement with you (e.g., to provide rental services)
• Legitimate Interests: We have a legitimate interest in processing your personal information. For example, we may process your personal information to send you marketing communications, to communicate with you about the Cruise

America Services, to provide and improve the Cruise America Services, to prevent fraud, and to ensure network and information security:

• Consent: We have your consent to do so
• Legal Obligation: We need to comply with a legal obligation

International Data Transfers:

If your personal information is subject to GDPR or UK GDPR, we will transfer personal information from the EEA or United Kingdom to a location outside the EEA or United Kingdom only when:

• There has been a documented adequacy determination by the European Commission or UK authorities
• We have implemented appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or UK authorities
• The transfer is necessary for the performance of a contract between you and us, or you have explicitly consented to the transfer

If your personal information is subject to PIPEDA, we will transfer personal information from Canada to locations outside Canada only where we have confirmed adequate privacy protections. If we transfer personal information to a third party acting as our agent, we will also obligate the third party to have adequate privacy protections in place.

Complaints to Supervisory Authorities:

If you are located in the EEA or United Kingdom, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law. If you are located in Canada, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.