Effective as of August 1, 2020
Thank you for visiting the CarMax website (including its mobile device-ready version) or using the CarMax mobile app. In this Privacy Notice, we refer to our websites and mobile app together as our “Online Services.” We hope that you find our Online Services to be a useful part of your car-buying experience. This Privacy Notice describes the types of personal information we collect from consumers through our Online Services and in connection with our products and services, including when you visit our CarMax stores. This notice also describes how we use the information, with whom we may share it, the choices available to you regarding our use of the information, the measures we take to protect the security of the information, and how you can contact us about our privacy practices.
Information we obtain
We may obtain information from and about you in different ways. We obtain information from content you submit or provide to us through our Online Services (such as when you research a car) or in surveys, faxes, telephone calls, emails, and other correspondence; from information you provide when you register for a MyCarMax account; from information you provide to us when you test drive a car, buy a car from a CarMax store, have a car appraised, or sell a car to a CarMax store; from information you provide when you apply for financing; and from social media, such as social media handles, content and other data provided through third-party features (such as apps, tools, payment services, widgets, and plug-ins) or posted on social media pages (such as CarMax’s social media page or pages accessible to the public). The types of personal information we may obtain directly from you include:
- Identifiers, such as name, username and password, phone number, fax number, email and postal address, Social Security Number, date of birth, driver’s license number, and social media handle;
- Commercial information, such as information about the transactions you conduct with us (e.g., vehicle purchases, appraisals, and services), information about the vehicles that you have searched for or otherwise expressed or indicated an interest in, payment information you provide through our Online Services or in our CarMax stores, including billing address and payment card details (payment card number, expiration date and security code);
- Professional information, such as information about your job or employer, salary information, and prior work history;
- Demographics, such as military service, age, gender, marital status, and other characteristics you provide to us via the Online Services or in stores;
- Records of your interactions with our call center representatives;
- Internet or other electronic activities, such as internet session information; and
- Preferences, such as preferred store or communications preferences.
Automated Collection of Data
When you visit or interact with our Online Services or open our emails, we may obtain certain information by automated means. CarMax may use a variety of technologies to collect this information, such as browser cookies, flash cookies, web beacons, mobile device identifiers, server logs, and other technologies. A browser “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server. These technologies help us (1) remember your information so you will not have to re-enter it; (2) track and understand how you use and interact with our Online Services and third-party digital services; (3) tailor our Online Services around your preferences; (4) measure the usability of our Online Services; (5) understand the effectiveness of our communications; (6) identify, diagnose and resolve technical issues; and (7) otherwise manage and enhance our Online Services, products and services.
The information we obtain in this manner may include:
- Identifiers, such as your device IP address and identifiers associated with your devices and apps;
- Online activities, such as dates and times of website visits and app use, content viewed, your search terms, and how you accessed the Online Services;
- Geolocation data. When you use our Online Services, we may infer your location via your IP address or other information regarding your network connection. In addition, with your consent, our mobile device-ready website or mobile app (our “Mobile Services”) may collect precise information about the geographic location of your device. If your device is equipped with GPS or can connect with wireless access points or hot spots, or if your device is also a phone that communicates with cell towers or satellites, then your device is able to use these features to determine its precise geographic location. If you have consented using your device’s user interface, the geographic location of your device will be transmitted to our servers in real time any time that our mobile app is running (even if you are not actively using the app or it is minimized on your device). Once you set your device to transmit its location information to us, your device will continue to transmit its location information to us (when it is open) until you set your device to no longer do so. You may at any time opt out from further allowing us to have access to your device’s location information by accessing our app’s location settings on your device and setting your device not to share its location with us.
We collect information from third parties, such as social media platforms, government agencies including the DMV, credit reporting agencies, reputation and identify verification services, vehicle history services, insurance companies, skip trace vendors, marketing vendors, data analytics companies and data suppliers. The categories of information that we collect about you from such sources are:
- Financial, medical, or health insurance information;
- Commercial information;
- Biometric information;
- Online activities;
- Geolocation data;
- Professional information;
- Education information; and
How we use the information we obtain
We may use the information we collect to:
- Provide and operate our Online Services, products and services, such as to provide you with the results of your searches;
- Process, evaluate and respond to requests, inquiries and claims we receive in connection with our Online Services, products and services;
- Enter into and finalize our transactions with you, including vehicle purchases, appraisals, and vehicle service;
- Create, manage and administer your MyCarMax account or CarMax Auto Finance account, including identifying and authenticating you so you may access your account or use certain features of our Online Services;
- Provide customer and technical support;
- Provide you with marketing materials, such as to send you information about newly available vehicles and special offers and tell you about new features or updates;
- Provide you with information, notices, offers, brochures and advertising on our and third-party websites and mobile apps, by email and text, and in other ways;
- Communicate with you about, and administer your participation in, surveys, special events, and other offers or promotions;
- Perform data analytics, market research and other processing;
- Operate, evaluate and improve our business and Online Services (including developing new products and services; enhancing and improving our Online Services, products and services; managing our communications; measuring the effectiveness of our sales, advertising, communications and marketing; analyzing our customer base, Online Services, products and services; and performing accounting, auditing and other internal functions);
- Protect against, identify and prevent fraud and other criminal activity, claims and other liabilities; and
We also may use the information we obtain about you in other ways for which we provide specific notice and obtain your consent if required by applicable law.
In addition, we may combine information that we obtain about you. For example, we may combine:
- Information that we have obtained offline with information we obtain through our Online Services;
- Information we obtain through automated means with information you submit to us;
- Information about our transactions and experiences with you with other information we have collected from you;
- Financial information we learn about you with other information we obtain; and
- Information we get from a third-party with information we already have.
Third-Party Web Analytics Services
We use third-party online analytics services on our Online Services, including “Google Analytics” and Google reCAPTCHA v3 to collect information about use of our Online Services. Learn more about how Google uses information from sites or apps that use Google Analytics.
Online Tracking and Interest-Based Advertising
We collect information about your online activities over time and across different websites, apps and devices, including those websites and apps of third parties. We also work with third parties, such as ad networks and other service providers, that collect information about your online activities in this way. To do this, we (including the third parties) may use browser cookies, web beacons, flash cookies, unique identifiers associated with your devices and apps, and other technologies. The information collected via these technologies is described in the Automated Collection of Data section above.
We and certain third parties display interest-based advertising using information gathered about you over time and across devices and third-party websites, apps and platforms. Interest-based advertising or “online behavioral advertising” includes ads served to you after you leave our website, encouraging you to return. They also include ads we think are relevant based on your shopping habits or online activities. These ads might be served on websites or on mobile apps. They might also be served in emails or other ways. We might serve these ads, or third parties may serve ads. They might be about our products or other companies’ products.
To decide what is relevant to you, we and certain third parties, such as our ad networks and other service providers, use information you make available to us when you interact with us, our affiliates, and other third parties. We and certain third parties gather this information using tracking tools, such as those described above. For example, we or the third parties may look at your browsing behaviors across devices. We and the third parties also may look at these activities on our apps and platforms and the platforms and apps of others.
We work with third parties who help gather this information and serve ads. These third parties might link your name, email address and other information to data they obtain. That might include past purchases made offline or online. Or, it might include online usage information.
Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to such “do not track” signals from browsers. If you block cookies, certain features on our sites may not work. If you block or reject cookies, not all of the tracking described here will stop. Options you select are browser and device specific.
To learn how to opt out of certain ad network interest-based advertising in the U.S., please YourAdChoices and Network Marketing Initiative websites. Choices you make may be browser and device-specific. In addition, your mobile device settings may allow you to limit your device from sharing certain information for advertising purposes. Learn more information on these types of settings by exploring Google Play Help - Advertising ID and limiting your Apple ad tracking.
We may share your personal information with third parties to the extent permitted by applicable law, including:
- We may share information within the CarMax family of companies;
- We may share information with third parties who perform services for us or on our behalf. For example, we share information with vendors who send emails for us. We may also share information with companies that operate our websites or run a promotion. The information we share may include location information. We do not authorize our service providers to use or disclose the information except as necessary to perform services for us or on our behalf or to comply with legal requirements;
- We may share information with third parties to complete your transactions, including Departments of Motor Vehicles and third-party finance companies;
- We may share information if you are a winner of a sweepstakes, contest, or promotion. For example, we may share your information if you win a sweepstakes or contest as part of a winner’s list. We may also publish this winner’s list publicly;
- We may share information with our business partners. For example, we will share information with third parties who co-sponsor a promotion. These partners may send you information about events and products by mail or email;
- We may share information if we think we are required to do so or believe that we have to do so in order to protect ourselves. For example, we may share information to respond to a court order or subpoena. We may share it in response to requests by a government agency or investigatory body. We may share information to establish, exercise or defend our legal rights or when we are investigating suspected or actual illegal activity or fraud;
- We may share information with any successor to all or part of our business. We reserve the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation); and
- We may share information for other reasons we may describe to you.
We share the following categories of your personal information for business and operational purposes, such as auditing transactions, data security, debugging and product improvement, customer service, fulfillment, marketing, advertising, analytics, processing transactions, and servicing and maintaining accounts:
- Commercial information;
- Online activities;
- Professional information;
- Geolocation data;
- Education information;
- Records of your interactions with us;
- Demographics; and
California law requires that we describe certain disclosures of personal information where we receive valuable consideration. California law considers such disclosures a “sale” even if no money is exchanged. In the course of supporting CarMax digital advertising activities, we “sell” information to digital marketing partners. They use this information to provide us with digital advertising services and may use the information to improve the services and offerings they provide to us and other businesses. The information we “sell” in this manner includes information collected when you engage with our website, mobile application, and other digital offerings.
We offer you certain choices in connection with the personal information we obtain about you. To update your preferences or limit the communications you receive from us, please contact us as specified in the How to Contact Us section of this Privacy Notice.
When you use our mobile device-ready website or mobile app (our “Mobile Services”), we may assign a unique identifier to your mobile device which will enable us to identify your device and send you push notifications. If you wish to turn off push notifications, go to your device’s settings and turn off push notifications from the CarMax mobile app or turn off push notifications directly through the CarMax mobile app. You can stop all collection of information by our mobile app by uninstalling it. You may use the standard uninstall process on your mobile device or the mobile app marketplace or network.
Notice to California residents
Subject to certain limits under California law, California residents have the following rights:
- Right to access personal information: Individuals exercising this right may request access to the categories and specific pieces of their personal information we have collected in the prior 12-month period and information about our handling of such information;
- Right to deletion: Individuals exercising this right can ask us to delete their personal information we have collected, though we may be permitted to retain personal information for certain purposes; and
- Right to opt-out of sales: CarMax does not monetize your personal information, but we may share information with third parties in exchange for receiving insights, advertising or other valuable services. The California Consumer Privacy Act treats some of these disclosures as “sales.” You may request to opt out of such “sale” of your personal information to those third parties.
You may exercise these rights without fear of being denied goods or services. We may, however, provide a different level of service or charge a different rate reasonably relating to the value of your personal information. If you are a California resident, you can exercise your rights online or by calling us at (833) 987-1241.
Due to the sensitive nature of the personal information CarMax may collect or maintain about you, to exercise your rights described above, you will need to answer a few questions to validate your identity. CarMax uses a third party to administer the identity validation process. CarMax does not have access to the information included in the questions. Should you desire to have an authorized agent submit requests on your behalf, the authorized agent will need to complete the identity validation as if you were answering the identity validation questions.
Shine the Light
Subject to certain limits under California law, California residents may ask us to provide them with (1) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, and (2) the identity of those third parties. If you are a current CarMax customer in California, you may make this request for such information from CarMax by sending an email correspondence noting your name, address, and email address. You must also include a request that CarMax provide such information to you using the following or similar verbiage. “I request that CarMax provide its third-party information sharing disclosures required by section 1798.83 of the California Civil Code." Press the link at the end of this sentence to create your message: firstname.lastname@example.org. The same request may be made by regular mail by sending the above information to CarMax, 12800 Tuckahoe Creek Parkway, Richmond, VA 23238, ATTENTION: Legal Department.
Other online services and third-party features
Our Online Services may transfer you or provide links to other online services (such as websites) for your convenience and information, and may include third-party features such as apps, tools, payment services, widgets and plug-ins (e.g., Facebook, LinkedIn or Twitter buttons). These online services and third-party features may operate independently from us. The privacy practices of the relevant third parties, including details on the information they may collect about you, is subject to the privacy statements of these parties, which we strongly suggest you review. To the extent any linked online services or third-party features are not owned or controlled by us, CarMax is not responsible for these third parties’ information practices.
We maintain presence on several social networking and blogging platforms, such as Facebook and Twitter, and we also incorporate some third-party social networking features into our Online Services. Through these platforms and features, we may receive information about you, and this Privacy Notice applies to that information as well. In addition, third-party social networking platforms and blogging platforms have their own privacy policies which explain how the third parties that provide them will use and protect your information.
How we protect personal information
We maintain administrative, technical and physical safeguards designed to protect personal information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
The Online Services are not directed to children under the age of thirteen and we do not knowingly collect personal information from children under the age of thirteen through our Services. We encourage parents and legal guardians to help enforce our Privacy Notice by instructing children under the age of thirteen not to download or use the Online Services.
Updates to our privacy notice
From time to time we may change our privacy practices. This Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our personal information practices. We will post an updated copy on our website and indicate at the top of the Privacy Notice when it was most recently updated. Please check our site periodically for updates. If we make a material change to our Privacy Notice, we will take reasonable steps to notify you, such as sending an email or posting notice on the Online Services.
How to contact us
If you have any questions about this Privacy Notice or our privacy practices, or if you would like us to limit the communications from us or exercise other applicable privacy rights, please contact us by e-mail at WebOptOut@carmax.com or write to us at: CarMax, 12800 Tuckahoe Creek Parkway, Richmond, Virginia 23238, ATTENTION: Legal Department.