CAA Club Group Privacy Policy

Policy Contents

1. Accountability for Your Privacy
2. Personal Information and How We Collect It
3. Using Your Personal Information
4. Withdrawing Your Consent
5. Sharing Your Information
6. Our Website and App Practices
7. Keeping Your Information Safe
8. Accessing Your Personal Information
9. How Long We Keep Your Information
10. External Links and Social Media
11. Our Privacy Complaint and Breach Management Process
12. Changes to this Policy
13. Getting in Touch

Accountability for Your Privacy

CAA takes full responsibility for the management and confidentiality of personal information we collect and use. Personal information is collected, used, shared and stored in accordance with the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 and any applicable provincial privacy laws that may apply to CAA from time to time.

CAA has appointed a Privacy Officer who oversees compliance with privacy laws and best practice. The Privacy Officer’s duties include:

• Developing and, on a regular basis, reviewing the implementation of internal procedures to protect personal information;
• Ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any personal information that they are privy to;
• Ensuring that all inquiries and complaints relating to privacy are appropriately handled; and
• Ensuring all third parties to whom CAA provides access to personal information adhere to appropriate standards of care in handling that information.

Personal Information and How We Collect It

'Personal information' is any factual or subjective information, recorded or not, about an identifiable individual.

For CAA Members, this includes your name, contact information, birthdate, gender, email address, type of vehicle, membership usage, vehicle diagnostics, payment information, any identifiers such as your CAA membership number, driver's license or GPS (vehicle location), and any identifiable on-line activity. We also collect information about your CAA retail purchases and preferences.

We may also collect information obtained during the course of dispatching a service vehicle including the type of service required and the tow destination.

For CAA Travel customers, personal information includes travel booking arrangements, passport details, frequent traveler numbers, itineraries and special requests.

For CAA Insurance customers, personal information includes previous insurance experience, including accidents and traffic violations, other drivers and claims history. It will also include information about any residential property you are seeking to insure.

For CAA Travel Insurance customers, personal information may include travel plans, medical history and claims history.

If you participate in our CAA Rewards^® program, we will also collect and use information about your use of your CAA membership with our rewards partners, including the date, location and amount of any transaction, qualified spending and the number of CAA Dollars^® earned or amount saved on the transaction.

Direct Collection
Personal information can be collected directly from you in several ways with your knowledge and consent, or as authorized by law, including through phone calls, electronic messages, application forms, as well as any other documents you provide to CAA.

Indirect Collection
There are also ways in which CAA collects personal information indirectly. For example, to obtain an associate membership, CAA collects personal information about other members of your household from you, and for auto insurance, you may provide information regarding other drivers of your vehicle. We assume you have obtained consent to our collection, use and disclosure of others' personal information for the purposes outlined in this policy.

CAA may collect your personal information from third parties as well. For example, with your explicit consent, a credit reporting agency or previous insurer may provide information to CAA. CAA implies or assumes consent only if doing so is reasonable and appropriate based on our relationship with you. For example, we may collect information from a contracted locksmith or tow truck operator that has provided services covered by your membership, or from one of the CAA Rewards partners in order to ensure we provide you with CAA Dollars. If you are a CAA insurance policyholder, we may collect or otherwise verify personal information about you from the Ministry of Transportation (Ontario) or Manitoba Public Insurance.

Note that there may be instances where the law permits the collection, use or disclosure of your personal information without your consent, for example for debt collection, fraud investigations, and where necessary to protect our legal interests or the safety of others.

Using Your Personal Information

We use personal information for the following specific purposes:

• To confirm eligibility for Membership or other CAA products and services;
• To process, administer and manage your CAA Membership (if applicable);
• To provide you with the CAA products and services you have requested;
• To process, administer and manage your car, property or travel insurance related policies (if applicable);
• To reserve your transportation, accommodation or other travel arrangements (if applicable);
• To better understand your needs and the ways in which we can improve our products and services;
• To verify your identity and to communicate with you, including responding to your inquiries and confirming receipt of a requested product or service;
• To process payments;
• If you are a CAA Member in South Central Ontario and participate in our usage-based insurance program, to build up a profile on how, where and when your vehicle is driven as set out in the CAA Connect (UBI) Terms and Conditions or CAA MyPace Terms and Conditions;
• To inform you about products and services that we offer (or that we and our loyalty partners jointly offer), which we believe may be of interest to you;
• To administer your participation in contests or promotions sponsored by CAA and to contact you if you are eligible to win a prize;
• To conduct surveys or research for CAA's internal use in order to better understand our members and improve our product and service offerings, as well as to compile aggregate statistics for internal reporting purposes;
• To assess and manage risk, including detecting and preventing fraud;
• To collect debts owed to CAA and enforce agreements between you and CAA; and
• To meet auditing, legal and regulatory processes and requirements.

Withdrawing Your Consent

Your consent can be withdrawn at any time, subject to legal or contractual restrictions, by providing us with written notice to the contact information found at the end of this policy. Upon receipt of notice to withdraw consent, we will inform you of the consequences of withdrawing your consent before we process your request, which may include CAA's inability to provide you with certain products or services.

If you wish to opt out of receiving marketing or promotional communications from us or change your communications preferences, please see the following options:

• For CAA Members in South Central Ontario, please complete an Opt-Out Form on our website at https://www.caasco.com/about-our-website/marketing-opt-out-form, or visit one of our CAA store locations or contact the Privacy Office (see contact information at the end of this policy). If you have received an email from CAA, you may also click the “unsubscribe” link at the bottom of each of our emails. Please note that if you unsubscribe from receiving marketing communications, you may still continue to receive transactional or informational messages from us.
• For CAA Members in Manitoba, you can call us at 204-262-6000 or toll free at 1-800-222-4357; or visit a CAA store location; or click the "unsubscribe" link at the bottom of any of our emails to manage your email preferences or unsubscribe; or contact the Privacy Office (see contact information at the end of this policy). Please note that if you unsubscribe from receiving marketing communications, you may still continue to receive transactional or informational messages from us.

Sharing Your Personal Information

CAA takes all reasonable steps to protect the interest of individuals when disclosing personal information. We do not disclose personal information for purposes other than those purposes for which it was collected, unless you have provided consent to do so or we are required/permitted by law to disclose the information.

Service Providers and Business Partners
We may share your personal information with business partners, service providers and suppliers of goods and services. For example, we may use third party service providers to authorize and process payments, send email or other communications, provide roadside assistance to you, process information collected through telematics devices, conduct customer research or manage and analyze data. In arranging for your travel, we may share your personal information with suppliers such as hotels, vacation or tour companies, airlines or cruise suppliers. Our service providers are only given the information they need to perform their designated functions.

We may offer products and services jointly with our CAA Rewards partners, and may disclose your basic Membership and contact information to such partners to offer you products or services.

We take reasonable steps to ensure that any third parties who we entrust with your personal information are reputable and have safeguards in place to protect this information. In working with business partners, service providers and suppliers, your personal information may be transferred to a foreign jurisdiction to be processed or stored. Such information may be provided to law enforcement or national security authorities of that jurisdiction upon request, in order to comply with foreign laws.

Affiliated Companies
We share your personal information with affiliated companies within the CAA group of companies. For instance, our membership service agents may see whether you have conducted business with our affiliated insurance companies or travel agency. This information sharing allows us to offer you member discounts and rewards and to inform you about products and services which we believe may be of interest to you.

Third Party Advertising
CAA may also share your name, phone number and e-mail address with third party ad-servers such as social media platforms for targeted advertising purposes. Services such as Facebook Custom Audiences and Google Ads Custom Match allow CAA to reach potential customers who would benefit from our products and services. Information provided to such third parties is secured at all times and only used for the purpose of displaying ads and reporting back to CAA on the performance of such ads. You can choose to hide ads through your socials at any time, or you can contact CAA to opt out of sharing your information with social media platforms altogether, by sending an email to privacy@caasco.ca with 'opt-out' in the subject line.

CAA also uses third party advertising partners to provide on-line visitors with relevant ads across the Internet. You may also opt out of interest based advertising by visiting the opt-out tool made available by the Digital Advertising Alliance of Canada at https://youradchoices.ca/choices.

Insurance Companies
If you apply for an insurance product with CAA, we will disclose the personal information in your application with the prospective insurance company. In Manitoba, this includes Manitoba Public Insurance.

Automobile Accidents
If you have installed a telematics device in your vehicle, data collected from the device may be provided to third parties in relation to an accident, investigation and/or litigation.

Our Website and App Practices

When you use visit CAA's websites or use CAA's apps, we automatically receive and record information in our server logs from your browser or mobile platform, including the date and time of your visit, your IP address, unique device identifier, browser type and other device information (such as your operating system version and mobile network provider).

CAA uses "cookies" to identify you as a registered and/or returning visitor. Cookies are files sent from a website to a visitor's computer which may then be stored on your hard drive so we can recognize you when you return. CAA uses both session and permanent cookies. This data may be used for statistical purposes and to personalize future visits or communications (via direct mail, email or telecommunications). By setting cookies, CAA is also able to enhance a user's on-line experience (e.g. once you are logged in to your account, you are able to move between webpages without having to re-enter your credentials). You can disable cookies through your website browser, but this may affect your user experience.

The usage data we collect when you visit CAA's websites or use CAA's apps help us analyze and improve the performance of our digital services. CAA uses Google Analytics for web statistical analysis. We make no effort to personally identify you based on your visit to our site. If you wish, you may opt out of being tracked by Google Analytics by disabling or refusing third party cookies; by disabling JavaScript within your browser; or by using the Google Analytics Opt-Out Browser Add-On.

Keeping Your Information Safe

CAA has implemented critical physical, organizational and technical measures to guard against unauthorized or unlawful access to the personal information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, your personal information. While no system is completely secure, the measures implemented by CAA significantly reduce the likelihood of a data security breach.

Here are some examples of the security controls we have in place:

• Secure office premises;
• Locked filing cabinets and a secure shredding practice for paper records;
• The use of encryption, such as secure portals for document transfers and tokenization for payment card information;
• Robust authentication processes, including complex passwords, for electronic records;
• Limited access to personal information by employees who need the information to perform their work-related duties; and
• The use of data centres with effective physical and logical data security controls.

In addition, we recommend that you do your part in protecting yourself from unauthorized access to your personal information. For example, ensure your CAA account login credentials are not shared with anyone. CAA is not liable for any unauthorized access to your personal information that is beyond our reasonable control.

Let us know right away if your contact information changes or you find any errors in your account statements or invoices. If you have reason to believe that the security of your account has been compromised, you must immediately notify CAA of the problem in order for us to resolve the issue in a timely manner.

Accessing Your Personal Information

We make every effort to ensure that the personal information we hold is accurate, complete and up-to-date for the purposes for which we collect it. You can make a written request for access to your personal information at any time if it is for information that you are unable to access yourself through your CAA account. You will need to provide as much information as necessary to help us process your request and locate the information you require.

If you need assistance in preparing your request, please contact us and we would be pleased to help you. Upon receipt of your request, CAA will update your information, or inform you of how your personal information has been or is being used, and who your personal information has been shared with. We may charge a fee to cover any reasonable expenses related to responding to your access request.

CAA responds to access requests within 30 days, unless an extension of time is required. However, there may be contexts where access is refused or only partial information is provided, for example, in the context of an on-going investigation or where another individual's personal information or identity must be protected.

How Long We Keep Your Information

CAA retains personal information for as long as necessary to fulfill legal or business purposes and in accordance with our retention schedules. Once your information is no longer required by CAA to meet business, legal or regulatory requirements, it is securely destroyed, erased or made anonymous. Keep in mind however that information may be retained for a lengthier period of time due to an on-going investigation or legal proceeding, and that residual information may remain in back-ups for a period of time after its destruction date.

External Links and Social Media

We may offer links from our website to the sites of third parties, such as partner organizations, that may be of interest to you. CAA makes no representations as to such third parties' privacy practices and we recommend that you review their privacy policies before providing your personal information to any such third parties.

CAA's use of social media serves as an extension of our presence on the Internet and help us build a positive brand image as well as provide useful information to the public. Social media account(s), such as CAA's Facebook and Twitter accounts, are not hosted on CAA's servers. Users who choose to interact with CAA via social media should read the terms of service and privacy policies of these services/platforms.

Our Privacy Complaint and Breach Management Process

CAA takes privacy complaints very seriously and has a procedure in place for escalating and managing any privacy-related concerns to ensure that they are responded to in a timely and effective manner. Any suspected privacy breach must be escalated internally to CAA's Privacy Officer who oversees the containment, investigation and corrective actions for all breach situations.

As required by law, privacy breaches may be reported by CAA or its business partners to the regulators of the relevant provinces in which affected individuals reside.