CarMax General Privacy Policy
Revised December 15, 2023

Thank you for visiting the CarMax website (including its mobile device-ready version) or using the CarMax mobile app. In this Privacy Notice, we refer to our websites and mobile apps together as our “Online Services.” We hope that you find our Online Services to be a useful part of your car-buying experience. This Privacy Notice describes the types of personal information we collect from consumers through our Online Services and in connection with our products and services, including when you visit our CarMax stores. This notice also describes how we use the information, with whom we may share it, the choices available to you regarding our use of the information, the measures we take to protect the security of the information, and how you can contact us about our privacy practices.;

Residents of California and individuals from other states interested in learning about rights they may have should read the Your Rights section.

Please note that this Privacy Notice describes our overall privacy practices for our Online Services that link to this notice. The Privacy Notice does not apply to any website or mobile app operated by CarMax that has a separate privacy policy or notice. This Privacy Notice does apply to information about consumers collected in CarMax stores and in other ways.

Edmunds is an affiliate of CarMax that operates as a separate business with respect to the handling of personal information. Except as expressly addressed in this Policy or in other disclosures presented to you, Edmunds and CarMax do not share consumer personal information with each other. If you would like to exercise your rights with respect to Edmunds, please visit Edmunds.com.

Information we obtain

We may obtain information from and about you in different ways. We obtain information from content you submit or provide to us through our Online Services (such as when you research a car) or in surveys, faxes, telephone calls, chat messages, emails, and other correspondence; from information you provide when you register for a MyCarMax account; from information you provide to us when you submit a lead about a car; test drive a car, buy a car from a CarMax store, have a car appraised, or sell a car to a CarMax store; from information you provide when you apply for financing; and from social media, such as social media handles, content and other data provided through third-party features (such as apps, tools, payment services, widgets, and plug-ins) or posted on social media pages (such as CarMax’s social media page or pages accessible to the public). The types of personal information we may obtain directly from you include:

  • Identifiers, such as name, username and password, phone number, fax number, email and postal address, Social Security Number, driver’s license number, and social media handle;
  • Sensitive Personal Information, including your government identification number, such as social security number, login credentials, race or ethnic origin, marital status, payment information, and precise geolocation;
  • Commercial information, such as information about the transactions you conduct with us either online or in our stores (e.g., vehicle purchases, appraisals, and services), information about the vehicles that you have searched for or otherwise expressed or indicated an interest in, and payment information;
  • Professional information, such as information about your job and employer, salary information, and prior work history;
  • Demographics, such as military service, age, gender, marital status, date of birth, and other characteristics you provide to us via the Online Services or in our stores;
  • Records of your interactions with our call center representatives, such as audio recordings;
  • Internet or other electronic activities, such as internet session information;
  • Preferences, such as preferred store and communications preferences; and
  • Inferences drawn from the categories of personal information described above.

We also may collect other information in connection with our Online Services, products and services in ways that we describe at the time of collection or otherwise with your consent. As a reminder, if you are a consumer who provides personal information to us in connection with our financing services, please read our Financial Privacy Policy.

Automated Collection of Data

When you visit or interact with our Online Services or open our emails, we may obtain certain information by automated means. CarMax may use a variety of technologies to collect this information, such as browser cookies, flash cookies, web beacons, mobile device identifiers, server logs, and other technologies. A browser “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server. These technologies help us (1) remember your information so you will not have to re-enter it; (2) track and understand how you use and interact with our Online Services and third-party digital services; (3) tailor our Online Services around your preferences; (4) measure the usability of our Online Services; (5) understand the effectiveness of our communications; (6) identify, diagnose and resolve technical issues; and (7) otherwise manage and enhance our Online Services, products and services.

The information we obtain in this manner may include:

  • Identifiers, such as your device IP address and identifiers associated with your devices and apps;
  • Online activities, such as dates and times of website visits and app use, content viewed, your search terms, operating system and browser used, mouse clicks, and how you accessed the Online Services;
  • Geolocation data. When you use our Online Services, we may infer your location via your IP address or other information regarding your network connection. In addition, with your consent, our mobile device-ready website or mobile app (our “Mobile Services”) may collect precise information about the geographic location of your device. If your device is equipped with GPS or can connect with wireless access points or hot spots, or if your device is also a phone that communicates with cell towers or satellites, then your device is able to use these features to determine its precise geographic location. If you have consented using your device’s user interface, the geographic location of your device will be transmitted to our servers in real time any time that our mobile app is running(even if you are not actively using the app or it is minimized on your device). Once you set your device to transmit its location information to us, your device will continue to transmit its location information to us(when it is open) until you set your device to no longer do so. You may at any time opt out from allowing us to have access to your device’s location information by accessing our app’s location settings on your device and setting your device not to share its location with us.

Third-party Sources

We collect information from third parties, such as social media platforms, government agencies including the DMV, credit reporting agencies, reputation and identify verification services, vehicle history services, insurance companies, skip trace vendors, marketing vendors, data analytics companies and data suppliers. The categories of information that we collect about you from such sources are:

  • Identifiers;
  • Financial, medical, or health insurance information;
  • Demographics;
  • Commercial information;
  • Biometric information;
  • Online activities;
  • Geolocation data;
  • Professional information;
  • Education information;
  • Preferences; and
  • Sensitive information, such as precise geolocation, government identifiers, and race or ethnic origin.

We receive from Edmunds information regarding your online activities on Edmunds.com, though we do not receive information that directly identifies you.

How we use the information we obtain

We collect and use your personal information for the following business purposes:

  • Providing and operating our Online Services, products and services, such as to provide you with the results of your searches;
  • Processing, evaluating, and responding to requests, inquiries, and claims we receive in connection with our Online Services, products and services;
  • Entering into and finalizing our transactions with you, including vehicle purchases, appraisals, and vehicle service;
  • Creating, managing, and administering your MyCarMax account or CarMax Auto Finance account, including identifying and authenticating you so you may access your account or use certain features of our Online Services;
  • Providing customer and technical support;
  • Providing you with marketing materials, such as to send you information about newly available vehicles and special offers and telling you about new features or updates;
  • Providing you with information, notices, offers, brochures, and advertising on our and third-party websites and mobile apps, by email and text, and in other ways;
  • Communicating with you about and administering your participation in surveys, special events, and other offers and promotions;
  • Performing data analytics, market research, and other processing;
  • Operating, evaluating and improving our business and Online Services (including developing new products and services; enhancing and improving our Online Services, products and services; managing our communications; measuring the effectiveness of our sales, advertising, communications and marketing; analyzing our customer base, Online Services, products and services; performing accounting, auditing and other internal functions; and connecting your interactions with our Customer Service Specialists, our website and our physical stores to enable you to progress in your car shopping, selling, financing and service journey as efficiently as possible);
  • Protecting against, identifying, and preventing fraud and other criminal activity, claims and other liabilities; and
  • Complying with applicable regulatory and legal requirements, relevant industry standards, and our policies, including this Privacy Notice and our Terms of Use; and
  • Responding to legal, court, or regulatory investigations or requests for information.

We also may use the information we obtain about you in other ways for which we provide specific notice and obtain your consent if required by applicable law.


In addition, we may combine information that we obtain about you. For example, we may combine:

  • Information that we have obtained offline, including in-person at our stores or over the phone, with information we obtain through our Online Services;
  • Information we obtain through automated means with information you submit to us;
  • Information about our transactions and experiences with you with other information we have collected from you;
  • Financial information we learn about you with other information we obtain; and
  • Information we get from a third-party with information we already have.

Third-Party Web Analytics Services

We use third-party online analytics services on our Online Services, including “Google Analytics” and Google reCAPTCHA v3 to collect information about use of our Online Services. Learn more about how Google uses information from sites or apps that use Google Analytics.

Online Tracking and Interest-Based Advertising

We collect information about your online activities over time and across different websites, apps and devices, including from third-party websites and apps. We also work with third-parties, such as ad networks and other service providers, which collect information about your online activities in this way. To do this, we (including the third-parties) may use browser cookies, web beacons, flash cookies, unique identifiers associated with your devices and apps, and other technologies. The information collected via these technologies is described in the Automated Collection of Data section above.;


We and certain third parties display interest-based advertising using information gathered about you over time and across devices and third-party websites, apps and platforms. Interest-based advertising or “online behavioral advertising” includes ads served to you after you leave our website, encouraging you to return. They also include ads we think are relevant based on your shopping habits or online activities. These ads might be served on websites or on mobile apps. They might also be served in emails or other ways. We might serve these ads, or third parties may serve ads. They might be about our products or other companies’ products.


To decide what is relevant to you, we and certain third parties, such as our ad networks and other service providers, use information you make available to us when you interact with us, our affiliates, and other third parties. We and certain third parties gather this information using tracking tools, such as those described above. For example, we or the third parties may look at your browsing behaviors across devices. We and the third parties also may look at these activities on our apps and platforms and the apps and platforms of others.


We work with third parties who help gather this information and serve ads. These third parties might link your name, email address and other information to data they obtain. That might include past purchases made offline or online. Or, it might include online usage information.


To learn how to opt out of certain ad network interest-based advertising in the U.S., please visit YourAdChoices and Network Marketing Initiative websites. Choices you make may be browser-specific and device-specific. In addition, your mobile device settings may allow you to limit your device from sharing certain information for advertising purposes. Learn more information on these types of settings by exploring Google Play Help - Advertising ID and limiting your Apple ad tracking. Additional information about opting out of targeted advertising is included in the Your Rights section below.


Information Sharing

We may share your personal information with third parties for the business purposes described above in accordance with applicable law:

  • We may share information within the CarMax family of companies;
  • We may share information with third parties who perform services for us or on our behalf. For example, we share information with vendors who send emails for us. We may also share information with companies that operate our websites or run a promotion. The information we share may include location information. We do not authorize our service providers to use or disclose the information except as necessary to perform services for us or on our behalf or to comply with legal requirements;
  • We may share information with third parties to complete your transactions, including Departments of Motor Vehicles and third-party finance companies;
  • We may share information if you are a winner of a sweepstakes, contest, or promotion. For example, we may share your information if you win a sweepstakes or contest as part of a winner’s list. We may also publish this winner’s list publicly;
  • We may share information with our business partners. For example, we will share information with third parties who cosponsor a promotion. These partners may send you information about events and products by mail or email;
  • We may share information if we think we are required to do so or believe that we have to do so in order to protect ourselves. For example, we may share information to respond to a court order or subpoena. We may share it in response to requests by a government agency or investigatory body. We may share information to establish, exercise or defend our legal rights or when we are investigating suspected or actual illegal activity or fraud;
  • We may share information with any successor to all or part of our business. We reserve the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets(including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation); and
  • We may share information for other reasons we may describe to you;
  • We may share information with any other third party with your prior consent.

We disclose the following categories of personal information for business and operational purposes, such as auditing transactions, data security, debugging and product improvement, customer service, fulfillment, marketing, advertising, analytics, processing transactions, and servicing and maintaining accounts:

  • Identifiers;
  • Commercial information;
  • Online activities;
  • Professional information;
  • Geolocation data;
  • Education information;
  • Records of your interactions with us;
  • Demographics; and
  • Preferences.

California law requires that we describe certain disclosures of personal information where we receive valuable consideration. California law considers a “sale” even if no money is exchanged, and disclosures of personal information for purposes of targeted advertising, considered “sharing” under California law. In the course of supporting CarMax digital advertising activities, we “sell” or “share information to digital marketing partners. They use this information to provide us with digital advertising services, and may use the information to improve the services and offerings they provide to us and other businesses. The information we “sell” or “share” in this manner includes information collected when you engage with our website, mobile application, and other digital offerings.

All the above information sharing practices exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the text message services or as otherwise requested or required by court order, legal proceeding, investigative demand or any governmental agency or regulatory authority.

Choices

We offer you certain choices in connection with the personal information we obtain about you. To update your preferences or limit the communications you receive from us, please contact us as specified in the How to contact us section of this Privacy Notice.

When you use our mobile device-ready website or mobile app (our “Mobile Services”), we may assign a unique identifier to your mobile device which will enable us to identify your device and send you push notifications. If you wish to turn off push notifications, go to your device’s settings and turn off push notifications from the CarMax mobile app or turn off push notifications directly through the CarMax mobile app. You can stop all collection of information by our mobile app by uninstalling it. You may use the standard uninstall process on your mobile device or the mobile app marketplace or network.

Your Rights

Residents of certain states, such as California, may have rights to submit certain requests regarding our processing of their information. Depending on where you reside, you may have some of the following rights with respect to your personal information, subject to applicable exceptions:

  • Right to Access or Know: You may have the right to confirm that we have collected personal information about you and know what personal information we have collected about you, including, as applicable, the categories of personal information we have collected, the sources from which we collected that personal information, the business or commercial purposes for which we collected, sold, and shared that personal information, the categories of personal information that we sold, shared, or disclosed to third parties for business purposes and the categories of third parties to whom we sold, shared or disclosed personal information.
  • Right to Correct: You may request that we correct personal information that we hold about you.
  • Right to Deletion: You may be entitled to request that we delete the personal information that we have collected from you, though we may be permitted or required to retain personal information for certain purposes.
  • Right to Opt-Out of Sales and Sharing of Personal Information for Targeted Advertising: You may be entitled to opt out of sales of your personal information to third parties and to opt out of the disclosure or processing of your personal information for certain targeted advertising.
  • Right to Appeal: You may appeal any decision we make with respect to your rights requests.
  • Third-Parties Making Requests on Behalf of Others: Should you desire to have an authorized agent submit requests on your behalf, the authorized agent will need to provide certain information about them and you and provide documentation showing they are authorized to make such requests.
  • Right to Limit the Processing of Sensitive Personal Information: We only use and disclose sensitive Personal Information for the purposes expressly permitted under California law.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment if you exercise the rights conferred to you by applicable privacy law.

You may exercise these rights without fear of being denied goods or services. We may, however, provide a different level of service or charge a different rate reasonably relating to the value of your personal information. You can exercise your rights online or by calling us at (833) 987-1241.

Due to the sensitive nature of the personal information CarMax may collect or maintain about you, to exercise certain of the rights described above, you may need to answer a few questions to verify your identity. CarMax uses a third party to administer the identity verification process. CarMax does not have access to the information included in the questions.

Edmunds is an affiliate of CarMax that operates as a separate business with respect to the handling of personal information. Except as expressly addressed in this Policy or in other disclosures presented to you, Edmunds and CarMax do not share consumer personal information with each other. If you would like to exercise your rights with respect to Edmunds, please visit Edmunds.com.

California Metrics

Number of Requests to Know received176
Number of Requests to Know fulfilled126
Number of Requests to Know denied50
Mean number of days to respond to Requests to Know22
Number of Requests to Delete received322
Number of Requests to Delete fulfilled252
Number of Requests to Delete denied70
Mean number of days to respond to Requests to Delete18
Number of Requests to Opt-Out received6,043
Number of Requests to Opt-Out fulfilled6,043
Number of Requests to Opt-Out denied0
Mean number of days to respond to Requests to Opt-Out1

Other online services and third-party features

Our Online Services may transfer you or provide links to other online services, including websites, for your convenience and information, and may include third-party features such as apps, tools, payment services, widgets and plug-ins, including for Facebook, LinkedIn, or Twitter. These online services and third-party features may operate independently from us. The privacy practices of the relevant third parties, including details on the information they may collect about you, is subject to the privacy statements of these parties, which we strongly suggest you review. To the extent any linked online services or third-party features are not owned or controlled by us, CarMax is not responsible for these third parties’ information practices.


We maintain presence on several social networking and blogging platforms, such as Facebook and Twitter, and we also incorporate some third-party social networking features into our Online Services. Through these platforms and features, we may receive information about you, and this Privacy Notice applies to that information as well. In addition, third-party social networking platforms and blogging platforms have their own privacy policies which explain how the third parties that provide them will use and protect your information.

How we protect personal information

We maintain administrative, technical and physical safeguards designed to protect personal information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

Financial privacy

If you are a consumer who uses our financial services, please review our Financial Privacy Policy.

Children's privacy

The Online Services are not directed to children under the age of thirteen, and we do not knowingly collect personal information from children under the age of thirteen through our Services. We encourage parents and legal guardians to help enforce our Privacy Notice by instructing children under the age of thirteen not to download or use the Online Services.

How Long We Keep Your Information

We retain the personal information we collect for as long as reasonably necessary to achieve the purposes disclosed at the point of collection or in this Privacy Notice, unless a shorter retention period is required by law. The length of retention may vary depending upon factors such as:

  • The existence of an ongoing relationship between you and us;
  • Recordkeeping or legal compliance requirements; and
  • The need to resolve inquiries or complaints.

Updates to our privacy notice

From time to time, we may change our privacy practices. This Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our personal information practices. We will post an updated copy on our website and indicate at the top of the Privacy Notice when it was most recently updated. Please check our site periodically for updates. If we make a material change to our Privacy Notice, we will take reasonable steps to notify you, such as sending an email or posting notice on the Online Services.

How to contact us

If you have any questions about this Privacy Notice or our privacy practices you may contact us by e-mail at privacy@carmax.com, or if you would like us to limit the communications from us, please contact us by e-mail at WebOptOut@carmax.com or write to us at: CarMax, 12800 Tuckahoe Creek Parkway, Richmond, Virginia 23238, ATTENTION: Legal Department.

take control of your data