Privacy and Data Security Statement
This Privacy and Data Security Statement was last updated on November 7, 2022.
Thank you for visiting Route’s online and mobile resources and for viewing this privacy and data security statement. Our privacy statement serves to give notice about the types of personal information we collect, how and why we collect and use it, who we share it with and why, and what we do to store and protect it. We’ll outline those topics below and we encourage you to read each section carefully. For your convenience, we’ve also provided a quick summary below.
Summary of How We Handle Personal Information
What kinds of personal information do we collect and hold? We collect and hold certain personal information from a variety of different data subjects including our workforce, vendors, merchant-customers, consumer-customers, and visitors to and users of our online and mobile resources. Click here to learn about the categories of personal information we collect from all four groups of data subjects.
How and why do we use it? We use personal information received from visitors and users of our online and mobile resources to communicate directly with them. Click here for more information about how we use personal information.
When / with whom do we share it and why? We share personal information when needed to fulfill our legal obligations and when our vendors, business partners, and affiliates need it to perform the contracts we have with them. We provide further detail about our sharing of personal information here. We do not sell or rent any personal information from any data subjects to third party data brokers or marketing companies. We may also share your information with certain overseas recipients.
How do we store and protect it? We store personal information in paper-based files or other electronic record keeping methods. We’ve invested in a Security Program that addresses both technical and operational matters. Our program includes incident response and management and vendor oversight components. You can read about those components here.
Your Privacy Choices and Rights
You do not have to provide personal information to enjoy most of the features of our online and mobile resources. Moreover, you can opt out of certain activities like newsletters and announcements and you are entitled to access, amend and delete your personal information. You can learn more about that here.
Contacting Our Privacy Office
If you have any questions about our privacy and data security policies, procedures, and practices, including anything we say in this privacy statement, or would like to make a complaint we encourage you to contact our Privacy Office.
Attention: Privacy Officer, Legal
Address: 1441 W Innovation Way, Lehi, Utah 84043, United States of America
Email: [email protected]
This privacy statement explains how we address our legal obligations—and your legal rights—regarding personal information. This section defines some words and phrases that have specific meanings whenever you see them in this statement.
This privacy statement applies to Route App, Inc., and our other Route group entities and affiliates (together, “Company”, “we”, “us”, or “our”).
When we reference “this statement”, “this privacy statement” and “our statement”, we mean this Privacy and Data Security Statement you are reading now. The phrase “consumer customers” means individuals who have:
downloaded and use the Route App; or
made a purchase from one of our merchant-customers; and
do not use the Route App, but actively chose to obtain Route-provided shipping protection services from a merchant; or
automatically received Route-provided shipping protection services as a no-cost benefit from a merchant.
The phrase, “merchant-customer” means a business entity that operates an ecommerce platform and to whom we provide the Route merchant technologies and services under a separate contract.
Generally, we use the words “you” and “your” to mean you, the reader, an individual over the age of 18. This age requirement is discussed in more detail later in this statement here. Other places in this privacy statement may define the words “you” and “your” differently, and the more specific definitions of those sections apply where appropriate.
An “affinity action” is when you “follow” us, “like” us, or take a similar or analogous action on our external social media presence.
When we refer to “personal information”, we mean information that can be used to identify or easily be linked to you. In some jurisdictions, such as Australia, “personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in material form or not.
Whom Do We Collect Personal Information From?
We collect personal information from four groups of data subjects:
general visitors to, and users of, our online and mobile resources;
current members of our workforce and those who apply for posted jobs;
our third-party vendors and business partners and affiliates; and
our consumer-customers and merchant-customers.
What Kinds of Personal Information Do We Collect and Hold?
The categories of information we collect and hold from each group of data subjects and the ways in which we collect, use and hold it vary, depending on a few factors. The following paragraphs describe those categories and uses. We note that it’s possible for the same person to fall into more than one group of data subjects. For instance, someone who works for us might visit also use the Route App.
Personal Information Collected from Merchant-Customers
Merchant-customers enter into a contract with us which is separate from this statement and has its own terms and conditions for notice of collection and governing our overall confidentiality, data privacy, and data security obligations with respect to personal information about our merchants’ personnel we collect from them. As a result, those terms also apply to the personal information of merchants and their personnel.
Personal Information Collected from Consumer-Customers
When our shipping protection services are activated, whether through the Route App, by choosing them on a merchant website or shopping cart, or by having a merchant provide them to you automatically as part of the benefits they offer, you become our consumer-customer and we may collect from you, or receive from our merchant-customer, the following personal information:
- your name and contact information, which may include your phone number.
- information about the products you purchased, including their value.
- the shipping destination you requested, which may be your residential address.
- such other information about you or your order as may be reasonably necessary to provide, inform you about, and improve our tracking, discovery, and protection services.
In addition, depending on how you set-up your access permissions within the Route App and with your third-party mail provider (such as Google’s Gmail, Yahoo! Mail, and the like) and the rules those mail providers set for third party access, we may use certain technologies such as application programming interfaces to parse your email as it relates to your status as a consumer-customer.
Personal Information Collected from Our Workforce and Job Applicants
We collect and retain the types of professional or employment related personal information you would expect an employer to have about its existing and former workforce and new job applicants, including your name, contact details, qualifications and work history. We provide legally required notices of collection and describe our use and sharing of the personal information of our workforce and applicants in greater detail in confidential internal human resource manuals and documents accessible to members of our workforce, or by publication on the proprietary workforce/applicant portals and apps we operate. In some cases, such portals and apps may be operated by third parties who transfer the personal information to us. In those situations, the legal responsibility to provide notice may rest with the relevant third party.
Personal Information Collected from Vendors, Business Partners, and Affiliates
Like all large corporate enterprises, we buy goods and services, lease equipment and office space, and attend industry events. In doing so, we interact with many existing and potential vendors and business partners and affiliates from whom we necessarily collect certain personal information in connection with our contractual and business relationships. This information is typically limited to minimum business contact information. We use and share personal information collected from our vendors and business partners and affiliates to manage, administer, and perform under our contracts with them or share information about our products or services. We describe our use of vendor and business partner personal information in greater detail in our confidential contracts with those parties or on the internal vendor management portals we operate.
Personal Information Collected from Visitors and Users of Our Online and Mobile Resources
If you visit and/or use our online and mobile resources, we collect, retain, and share certain personal information about you.
Generally, we collect your personal information through automated/technical means and when you voluntarily provide it to us. By using our online and mobile resources, you are signifying to us that you agree with this section of our privacy statement and that we may use and disclose your information as described.
Voluntarily Submitted Information
If you choose to participate in or make use of certain activities and features available via our online and mobile resources, you will need to provide us with certain personal information about yourself. The types of personal information you will be submitting to us in those situations is almost always limited to basic identifiers such as your name, email address, mailing address, and phone number. Here are some of the ways you voluntarily give us your personal information:
Emails and Texts—If you choose to send us an email from our “contact us” link or a similar link, you will be giving us your email address and any other personal information that may be in your message or attached to it. The same is true if you send us a text message.
Creating Accounts; Signing up for Newsletters—If we make an account creation feature available to the general public (that is, to visitors/users who are not our customers or workforce members) you will be giving us at least your email address and potentially other identifiers. The same is true if you sign up to receive a newsletter or other informational or marketing material we publish.
Registering for Events—When you register for events, conferences or programs we may host (rather than outsource to a third-party event manager with its own privacy policies), you will be submitting the types of identifiers described above. If the event requires a fee, we may also ask you to submit credit card or other financial information.
Social Media and Community Features—Some of our online and mobile resources may offer social media-like community features, letting users post messages and comments and/or upload image or other files and materials. If you choose to make use of these features, the information you post, including your screen name and any other personal information, will be in the public domain.
If you prefer we not receive the above-described personal information, please don’t submit it. This means you shouldn’t participate in the applicable activities or use the applicable features available from our online and mobile resources. Such participation and use are strictly your choice. By not providing us with your personal information, you may limit your ability to take full advantage of the online and mobile resources, but most of the content in our online and mobile resources will still be available to you.
Automatically Collected Information
When you visit or use our online and mobile resources, basic information about your internet/electronic activity is automatically collected through your browser via tracking technologies, such as cookies. Cookies are small text files downloaded onto your computer or mobile device that allow us to collect your IP address and recognize your computer or mobile device and store some information about your preferences. Examples include:
the type of browser and operating system you use.
the date and time and length of your visit.
the pages visited, graphics viewed, and any documents downloaded.
links to other sites you accessed from our online and mobile resources or used to navigate to our online and mobile resources.
Additional information about cookies and tracking technologies is available here.
If you access our online and mobile resources from a phone or other mobile device, the mobile services provider may transmit to us certain information such as uniquely identifiable mobile device information. That, in turn, allows us to collect mobile phone numbers and associate them with the mobile device identification information. Some mobile phone service providers also operate systems that pinpoint the physical location of devices and we may receive this geolocation data as well.
When you use our online and mobile resources, we may allow third-party service providers to place their own cookies or similar technologies to engage in the same types of collection we describe above. For example, we use third-party web analytics services such as those offered by Google Analytics.
For more information on how Google specifically uses this data, go to www.google.com/policies/privacy/partners/. You can learn more about how to opt out of Google Analytics by going to https://tools.google.com/dlpage/gaoptout.
User Beware: External Sites, Apps, Links and Social Media
We maintain a presence on external social media platforms such as Twitter, Facebook, YouTube, and LinkedIn. We may further allow the community features of our online and mobile resources to connect with, or be viewable from, that external social media presence. Similarly, our online and mobile resources may contain links to other websites or apps controlled by third parties.
How and Why Do We Use the Personal Information We Collect and Hold?
We use the personal information we collect only in the manner and through the means allowed by applicable law. That means we determine whether we have a lawful basis / legitimate business purpose to use your personal information before doing so. As stated in applicable law, such lawful bases/legitimate business purposes include receiving express consent, operating our business, performing a contract, and complying with a legal obligation. More specifically, how and why we use the personal information of each group of data subjects as follows, but in all cases for all data subjects, we do not sell or rent personal information.
Visitors and Users of Our Online and Mobile Resources
We use the automatically collected personal information described here to compile generic reports about popular pages/features of our online and mobile resources, and to see how users are accessing our online and mobile resources and, in some cases (such as affinity actions), send materials to you. We use the personal information you voluntarily submitted, as described here, to respond back directly to you and/or send you the information you requested or about which you inquired. We may also use any such personal information you provide to customize our programs and newsletters to make them more relevant to you.
Merchant-Customers, Vendors and Business Partners
We use personal information received from merchant-customers and business partners to communicate with them and satisfy our contractual obligations to them and in such other ways as our separate written contracts with them permit.
We use the personal information collected from consumer-customers as may be reasonably necessary to provide, inform you about, and improve, our shipping protection service.
When / With Whom Do We Share Personal Information and Why Do We Share Personal Information?
We may share your personal information as described below. This sharing applies to the personal information of all four groups of data subjects.
Merchant-Customers and Consumer-Customers
The purposes for which we may share your personal information will depend on the products or services we are providing to you.
We may share personal information with our other corporate affiliates who may use that information in the same way as we can under this statement.
We may disclose personal information to government authorities and to other third parties when compelled to do so by such government authorities, or at our discretion, or otherwise as required or permitted by applicable law, including responding to court orders and subpoenas.
To Prevent Harm
We may disclose personal information when we have reason to believe that someone is causing injury to or interference with our rights or property or harming or potentially harming other persons or property (as permitted by applicable law).
We may disclose your personal information if we or any of our affiliates sell or transfer all or substantially all of our assets, equity interests, or securities, or are acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, divestiture, consolidation, or liquidation, personal information may be one of the transferred assets.
Vendors and Business Partners
We also share personal information with those of our vendors and business partners who need it to perform under the contracts we have with them. For instance, the insurance brokers and carriers who are involved in the issuance of the policies used in our shipping protection services may require that we share your personal information with them in order to cover your purchases.
As part of our Security Program (defined below), we have adopted standards for those vendors and business partners who receive personal information from us, as reflected in our written contracts. These standards include the expectation that when we share personal information with vendors and business partners, they will comply with all applicable privacy and data security laws and regulations as well as our Security Program. We also expect that they will contractually require and cause their subcontractors and agents to do the same.
For any personal information our vendors and business partners process or store at their own locations (including at overseas locations), we further expect them to use a technology infrastructure that meets, at least at the facilities level, the minimum recognized standards for security controls. Such recognized standards include those published by the International Standards Organization, the National Institute of Standards and Technology, or any reasonably equivalent standards.
Please note that we cannot guarantee that all of our vendors and business partners will agree to the above-described contractual requirements, nor can we ensure that even when they do agree they will always fully comply.
For Administration and Management
We will also use and disclose personal information for a range of administrative and operational purposes. This includes: administering billing and payments and debt recovery; planning, managing, monitoring and evaluating our services; quality improvement activities, statistical analysis and reporting; training staff, contractors and other workers; risk management and the management of legal liabilities and claims; responding to enquiries and complaints regarding our products or services; obtaining advice from consultants and other professional advisers; and responding to subpoenas and other legal orders and obligations.
Other Uses and Disclosures
We may use and disclose your personal information for other purposes explained at the time of collection or otherwise as set out in this privacy statement.
Overseas Sharing of Personal Information
We are a global organization and we work with Merchant-Customers, service providers and commercial interests across the globe. It is likely that your personal information will be disclosed to overseas recipients, including in the United States and Australia.
Unless we have your consent, or we are otherwise permitted under applicable privacy and data protection law, we will only disclose your personal information to overseas recipients where we have taken reasonable steps to ensure that the overseas recipient does not breach applicable privacy and data protection law in relation to your personal information.
How Do We Store and Protect Collected Personal Information?
We store information in paper-based files or other electronic record keeping methods in secure databases (including trusted third-party storage providers). We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure and maintain physical security over paper and electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security as set out below.
Our Data Security Program
We have adopted, implemented, and maintain an enterprise-wide corporate information security and privacy program that includes technical, organizational, administrative, and other security measures designed to protect against reasonably anticipated or actual threats to the security of your personal information (the “Security Program”). Our Security Program includes, among other things, procedures for assessing the need for and implementing encryption and multifactor authentication or equivalent compensating controls. We periodically review and update our Security Program, including as required by applicable law.
Our Incident Response and Management Plan
Despite the significant investment we’ve made in the Security Program to protect your personal information, including enforcement of our third-party oversight procedures, we cannot guarantee that your personal information will be free from attempts at unauthorized access, or that loss or accidental destruction will never occur.
As part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by applicable law, as well as to give them such other mitigation and protection services (such as the credit monitoring and ID theft insurance) as may be required by applicable law. We further require, as part of our vendor and business partner oversight procedures, that such parties notify us immediately if they have any reason to believe that an incident adversely affecting personal information we provided to them has occurred.
Your Rights and Options
When you provide your personal information to us, we may use that personal information to send you marketing materials to keep you informed about our products or services. We will only send marketing materials to you in accordance with applicable privacy, data protection and marketing laws. If we are using your personal information to send you marketing materials, such as newsletters or product or service alerts via text or email, you may opt out by following the opt-out instructions in the email or other communication (e.g., by responding to the text with “STOP”). When we receive your request, we will remove your personal information from our distribution lists in accordance with any timeframes mandated by applicable law. You may still receive materials for any legally permitted period of time after you opt out. Regardless of whether you opt out from receiving any or all marketing materials, we will still communicate with you if we are required by law to provide you with information, or in relation to the products or services we are providing you with. In addition to opting out, you are entitled to access, amend, and delete your personal information by contacting us using the contact information below. After receiving a request from you, we will take reasonable steps to access, amend or delete your personal information. We may decline your request to access, amend or delete your information in certain circumstances in accordance with applicable privacy and data protection laws. If we do refuse your request, we will provide you with a reason for our decision. We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up to date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and informing us of any change in your personal details. Opting out of or changing affinity actions or other submissions or requests made on our external social media presence will likely require that you do so directly on that applicable platform as we do not control their procedures.
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not specifically respond to browser “do not track” signals.
United States Federal law imposes special restrictions and obligations on commercial website operators who direct their operations toward and collect and use information from children under the age of 13. We take those age-related requirements very seriously and do not intend for our online and mobile resources to be used by children under the age of 18. We do not knowingly collect personal information from minors under the age of 18. If we become aware that anyone under the age of 18 has submitted personal information to us via our online and mobile resources, we will delete that information and do not use it for any purpose whatsoever. We encourage parents and legal guardians to talk with their children about the potential risks of providing personal information over the Internet.
CCPA and GDPR
Privacy and data protection laws vary around the world and among the several United States. Most prominently, residents of California, the European Economic Area, the United Kingdom and Canada have certain additional rights in cases where the party collecting that information is governed by the applicable law.
The California Consumer Privacy Act
When we collect personal information from California residents we become subject to, and those residents have rights under, the California Consumer Privacy Act or “CCPA”. This section explains your rights under the CCPA. For purposes of this section, the words “you” and “your” mean only California residents.
What Did We Collect from California Residents?
We collected the following categories of personal information within the last 12 months:
Identifiers such as name, address, IP address, and other similar identifiers
Personal information under the Customer Records provision of the California Civil Code such as a name, address, or telephone number commercial information such as products or services purchased internet/electronic activity such as browsing history and search history geolocation data including geographic coordinates/physical location audio, video, electronic or other similar information professional or employment related information such as job history and performance evaluations inferences drawn from the foregoing to create a profile about a consumer reflecting the consumer’s preferences, predispositions, behaviour, or attitudes.
What Personal Information Did We Disclose for a Business Purpose?
We may have disclosed the categories of personal information listed above for one or more business purposes permitted by the CCPA during the last 12 months.
What Personal Information Did We Sell?
We do not sell, and within the last 12 months have not sold, personal information to third parties.
What Sources Did We Obtain Personal Information from and Why Did We Collect It?
Please review the Whom Do We Collect Personal Information From? section of this privacy statement to understand the scope of purposes and the sources from which we collect data. Similarly, we urge you to read the How Do We Use the Personal Information We Collect? and When/With Whom Do We Share Personal Information? sections of this statement where we describe the categories of third parties with which we may share your personal information and why.
Rights of California Residents
You have the following rights under the CCPA. It’s important to us that you know that if you exercise these rights, we will not discriminate against you by treating you differently from other California residents who use our sites and mobile resources or purchase our services but did not exercise their rights.
Right to Know—the right to request that we disclose to you, specifically beyond the general statement immediately above, the categories and specific elements of personal information collected including the source of the information, our use of it and, if the information was disclosed or sold to third parties, the categories so disclosed or sold as well as the categories of third party who received or purchased it.
Right to Access—the right to receive a copy of the categories and specific elements of personal information we collected about you in the preceding 12 months.
Right to Delete—the right to request that we delete the personal information we collected about you under certain circumstances.
You, or an authorized agent acting on your behalf, can exercise the Right to Know up to two different times every 12 months. To exercise these rights, contact us at [email protected]. We may ask you to fill out a request form. The CCPA only allows us to act on your request if we can verify your identity and/or your agent’s authority to make the request, so you will also need to follow our instructions for identity verification.
If you make a verifiable request per the above, we will confirm our receipt and respond within 45 calendar days.
The EU General Data Protection Regulation
We continue to develop and grow our compliance with applicable international data privacy laws and regulations. We have, as required by the CCPA and other applicable U.S. laws such as the New York SHIELD Act, and as a good business practice generally, adopted and implemented a data security program that includes technical, organizational and administrative measures reasonably designed to protect, in a manner consistent with accepted industry standards, the privacy of those natural persons with whom we do business and to reduce the likelihood of unauthorized access to or unauthorized use of personal information we collect. We also enter into Data Protection Agreements with those of our merchant-customers who have, or believe they have, GDPR obligations that flow down to us.
For general site visitors, consumer-customers, and regulators who have questions about whether or how the GDPR or other industry- or jurisdiction-specific laws apply to us, you can contact us using the contact information found below.
Changes to This Privacy Statement
We reserve the right to change or update this statement from time to time. Please check our online and mobile resources periodically for such changes since all information collected is subject to the statement in place at the time of collection. Typically, we will indicate the effective/amendment date at the beginning of this statement. If we feel it is appropriate, or if the applicable law requires, we’ll also provide a summary of changes we’ve made near the end of the new statement.
If you have any questions or concerns about our privacy statement or privacy practices, you can contact us using the contact information found below.
You may make a complaint about privacy to us using our contact information found below. We will first consider your complaint or determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week. If your compliant requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather facts, locate and review documents and speak with individuals involved. In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that we may have breached applicable data protection or privacy laws, you have the right to contact or lodge a complaint with your local data protection authority or privacy regulator.
If you are based in Australia, the local privacy regulator is the Office of the Australian Information Commissioner, which can be contacted by telephone on 1300 363 992 or by using the contact details set out on the website www.oaic.gov.au.
If you have questions about our privacy statement or privacy practices, please contact our Privacy Office:
Attention: Privacy Officer, Legal
Address: 1441 W Innovation Way, Lehi, Utah 84043, United States
Email: [email protected]
This privacy statement is effective as of the date listed at the top of this page. The English language version of this privacy statement is the controlling version regardless of any translation.
Scope of This Notice
Like many companies, we have a general website available from both computers and mobile devices and an app that allows you to use our services. We also interact with you when our merchants and shopping carts give you the benefit of our shipping protection service for a small fee or even, in some cases, for free. We want to be clear that this Notice applies only to our general website and direct consumer-customer users of our Route App. As for the third situation, we do not control, and can’t be responsible, for the cookies (defined below) placed by those third-party merchants and shopping carts, even if we did authorize them to offer our shipping protection service to you. Consequently, they are responsible for notifying you of their cookie uses and practices.
What is a Cookie?
Websites can use different types of cookies including ‘first-’ and ‘third-’ party cookies and session or persistent cookies. We briefly explain those different types of cookies below:
First-party cookies are cookies set by the website visited by a user (i.e., the website displayed at the top of the browser).
Third-party cookies are cookies that are set by a domain other than the one being visited by a user. If you visit a website but another company sets a cookie through that website, it would be a third-party cookie.
Session cookies allow websites to link a user’s actions during their browser session. Session cookies are temporary and remain on your device until you leave the website you are currently visiting.
Persistent cookies, unlike session cookies, remain on a user’s device in between browser sessions and remember the user’s actions and preferences on a website or even potentially across different websites. Persistent cookies may be used to remember your preferences.
Additional information about cookies and tracking technologies is available here.
What Types of Cookies Do We Use?
We use both session and persistent cookies and which are set by our third-party service providers. For example, we use Google Analytics, a web analytics service provided by Google, Inc. (“Google“). For more information on how Google uses this data, see www.google.com/policies/privacy/partners/. You can learn more about how to opt out of Google Analytics by visiting https://tools.google.com/dlpage/gaoptout. If you do not allow cookies to be set on your computer or device, you may be unable to access certain parts of our online and mobile resources or certain parts of our online and mobile resources may have reduced functionality.
Cookies are used on our online and mobile resources in order to:
personalize and enhance your experience on our online and mobile resources;
track, compile, and analyze your use of our online and mobile resources (including which pages or portions of our online and mobile resources you are viewing and where you are viewing them from); and
secure and optimize our online and mobile resources.
Updates to This Cookie Notice
We reserve the right to update this Notice from time to time. Please check our online and mobile resources periodically for such updates since all information collected as described herein is subject to the Notice in place at the time of collection. Typically, we will indicate the effective/amendment date at the beginning of the above Privacy Statement. If we feel it is appropriate, or if the applicable law requires, we will also provide a summary of changes we have made in the new Notice.