Supplement Privacy Policy

AutoWeb, Inc.

Supplement

General Privacy Policy

For

Employment-Related Personal Information

Last Updated and Effective Date: January 1, 2023

AutoWeb, Inc. and its subsidiaries and affiliated entities (collectively “AutoWeb,” “Company,” “we”, “us” or “our”) have implemented a general Privacy Policy (“General Privacy Policy”) related to the Company’s collection, sale, sharing, retention and disclosure of Personal Information of Consumers. This Supplement to General Privacy Policy for Employment-Related Personal Information (“Supplemental Privacy Policy”) contains additional information and disclosures regarding AutoWeb’s collection, sale, sharing, retention and disclosure of Employment-Related Personal Information of Employment-Related Consumers (as defined below).

The General Privacy Policy and this Supplemental Privacy Policy can be viewed at the following location: https://www.autoweb.com/privacy-policy.html This Supplemental Privacy Policy should be read in conjunction with your review of the General Privacy Policy. Please review the General Privacy Policy together with this Supplemental Privacy Policy before providing AutoWeb any Employment-Related Personal Information. If you do not agree with the terms of the General Privacy Policy or this Supplemental Privacy Policy, you must refrain from providing the Company any Employment-Related Personal Information. By submitting Employment-Related Personal Information to the Company, you agree and provide your consent to our collection, sale, sharing, disclosure, use, and retention of your Employment-Related Personal Information consistent with the terms of the General Privacy Policy and this Supplemental Privacy Policy, subject to your rights described below.

WE ENCOURAGE EMPLOYMENT-RELATED CONSUMERS TO READ THIS PRIVACY POLICY CAREFULLY BEFORE PROVIDING ANY PERSONAL INFORMATION TO THE COMPANY.

NOTE THAT PERSONAL INFORMATION, WHICH MAY INCLUDE SOME COMPONENTS OF EMPLOYMENT-RELATED INFORMATION (INCLUDING SENSITIVE PERSONAL INFORMATION), THAT IS COLLECTED BY THE COMPANY FROM EMPLOYMENT-RELATED CONSUMERS SUBMITTING PERSONAL INFORMATION IN THE COURSE OF THEIR USING THE COMPANY’S PRODUCTS AND SERVICES AND NOT INCONNECTION WITH EMPLOYMENT-RELATED MATTERS SHALL BE GOVERNED BY THE TERMS OF THE GENERAL PRIVACY POLICY WITH RESPECT TO SUCH PERSONAL INFORMATION AND NOT BY THE TERMS OF THIS SUPPLEMENTAL PRIVACY POLICY.

Definitions
Categories of Employment-Related Information We Collect and Retention Periods
Categories of Sources From Which We Collect Employment-Related Information
Purposes for Disclosing Employment-Related Information to Third Parties
How We Use Your Employment-Related Information and Categories of Third Parties to Which We Disclose Employment-Related Personal Information
Your Choices Regarding Your Employment-Related Personal Information
Changes or Revisions to This Policy
Updating or Correcting Your Personal Information
Contact Us

Notice to California Residents Regarding Your California Privacy Rights

I. Definitions

Capitalized terms used in this Supplemental Privacy Policy and not defined in this Supplemental Privacy Policy shall have the meanings for such terms as defined in the General Privacy Policy. As used in this Supplemental Privacy Policy, the following terms are defined as follows:

“Employment-Related Consumers” mean Company employees, job applicants and independent contractors.

“Employment-Related Information” means Personal Information that is collected by the business about a natural person for reasons related to employment (including emergency contact information) and employment benefits as identified in California Civil Code Section 1798.145(m)(1).

The tables below lists (i) the categories of Employment-Related Information, including Sensitive Personal Information that we collect; (ii) the purposes for which the Employment-Related Information is collected or used; (iii) retain or disclose the Employment-Related Personal Information; (iii) the categories of Third Parties to which we disclose Employment-Related Information; and (iii) our expected retention periods for the Employment Related Personal Information. The types of Employment-Related Personal Information we collect about you may vary based on the nature of your relationship with us. We do not sell or share (as such terms are defined in the California Privacy Act) Employment-Related Information.

Employment-Related Information Category	Nature or Type of Employment-Related Information Collected	Purpose for Which Employment-Related Information is Collected	Categories of Third Parties to Which Employment-Related Information is Disclosed for a Business Purpose	Retention Period or Criteria
Identifiers	First and last names (including aliases). Mobile and landline phone numbers. Email addresses. Postal/street addresses Age and date of birth Social security numbers Driver’s license Government identification cards Passport Number Citizenship Names and ages of employee dependents and beneficiaries for Company health and welfare benefits, including information for employee dependents and beneficiaries under 16 years of age. Name and relationship to employees for employee emergency contacts Constitutes or may constitute Sensitive Personal Information under applicable law.	To interview and evaluate prospective employees and independent contractors. To onboard employee and independent contractors. To enroll employees and dependents in Company health, welfare and other benefits. To administer Company health, welfare and other benefits. To enter into employment and independent contractor contracts. Use for general human resource purposes. For purposes of I9 verification. Tax withholding and reporting. Emergency contact information for use in emergency involving employee.	HRIS service providers, benefits brokers, benefits carriers, third party wellness providers	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.
Banking and Other Financial Information	The Company collects the following banking or financial information from Employment-Related Consumers: Payroll information Tax deduction and withholding information (e.g., IRS Form W-4 information) Bank account number Constitutes or may constitute Sensitive Personal Information under applicable law.	Payroll processing. Tax withholding. Direct deposits of compensation and expense reimbursement payments.	HRIS service providers, benefits brokers and carriers (pay rates).	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.
Other Personal Information Identifiers	Signatures. Photos on drivers’ licenses; passports and other government identification cards that may reflect physical characteristics or description) Country of origin **Constitutes or may constitute Sensitive Personal Information under applicable law.	To process job applications, onboard Personnel. Enroll and administer benefits. Enter into contracts; and use for general human resource purposes.	HRIS Systems, Benefits Administration Systems/Parties, 3rd party vendors for contractual agreements, Worker’s Comp Administration, Federal, State and/or Local government agencies, social media websites.	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.
Characteristics of Protected Classifications	Age Sex/Gender Racial or ethnic origin Color Ethnicity/Ancestry Disability (mental and physical). Marital status Military and veteran status	To implement the Company’s diversity programs and to comply with applicable laws.	HRIS systems, benefits brokers and carriers	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.
Health Information	Health or medical information Constitutes or may constitute Sensitive Personal Information under applicable law.	To maintain a safe workplace, assess your working capacity, administer health and Workers’ Compensation insurance programs, and comply with applicable laws. Benefits enrollment and administration.	HRIS systems, Worker’s Compensation Administrators, and Benefits Administrators.	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.
Professional or employment-related information	Performance evaluations.	Compensation. Performance management. Retention. Termination.	N/A	The Company will retain Employment-Related Information in accordance with applicable law or regulations relating to retention of Employment-Related Information.

We collect Employment-Related Information from the following categories of sources:

Voluntarily Provided Employment-Related Information. We collect Employment-Related Information that you provide voluntarily in connection with job applications; enrollment in, participation in and administration of Company health and welfare benefits; tax withholdings; payroll processing; requests for leaves; and changes in Employment-Related Information previously provided to the Company.
Third-Party Data Sources. We may collect Employment-Related Information from the following Third-Party data sources:
- Recruiters
- Prior employers (e.g., for references)
- References you provide to us
- Educational institutions
- Pre-employment screening and background checking services
- Credentialing and licensing organizations
- Publicly available sources such as your social media profile (e.g., LinkedIn, Twitter, and Facebook)
- Third Parties as necessary for providing you with benefits and ancillary services
- Other sources as directed by you

We disclose Employment-Related Information to Third Parties in the categories listed in the table above for the following business purposes

Enrollment of Employment-Related Consumers and their participation in Company health and welfare benefits.
Administration of Company health and welfare benefits.
Tax withholdings and reporting.
Payroll processing.
E-verification of certain records.

In large part, we collect and maintain this information through the Paycom service. For more information about Paycom’s privacy policies, please consult Paycom’s disclosures on its website at https://www.paycom.com/privacy/.

We use Employment-Related Information that we collect for the following purposes:

To evaluate candidates for employment.
To enroll Employment-Related Consumers in Company health and welfare benefits.
To pay compensation and expense reimbursements.
To evaluate job performance of Employment-Related Consumers.

Legal Matters

AutoWeb will cooperate with legal authorities and may in some circumstances be required to disclose Employment-Related Information in response to requests from law enforcement or other governmental agencies, or in response to a subpoena or other legal process. We can also share information about you if we believe we must in order to (i) prevent a violation of the law; (ii) protect or defend our interests and the legal rights or property of AutoWeb and our affiliates; (iii) protect the rights, interests, safety and security of users of the AutoWeb Sites or members of the public; (iv) protect against fraud or for risk management purposes; or (v) comply with prudent legal practice as we may determine, and with applicable law or legal process. We may also share Employment-Related Information in the course of legal proceedings if we are legally required to do so, if we reasonably believe that doing so may mitigate our liability, or if doing so will assist us in enforcing our legal rights.

Business Transfers and Other Transactions

Information about our Employment-Related Consumers is a business asset of AutoWeb. As we continue to develop our business, we might sell or buy websites, subsidiaries or business units. In such transactions, Employment-Related Information generally is one of the transferred business assets. Also, in the event that AutoWeb or substantially all of its assets are acquired, Employment-Related Information will of course be one of the transferred assets. We will make reasonable efforts to ensure that the acquirer of our Employment-Related Information respects the provisions of this Supplemental Privacy Policy, although this may not be possible in certain legal settings (such as bankruptcy).

You may limit and control the Employment-Related Personal Information collected by us. Note that California residents’ limitation and control rights are described in the section of this Privacy Policy entitled “Notice to California Residents Regarding Your California Privacy Rights.”

You are not required to provide any voluntarily-provided Employment-Related Information in connection with your application for employment or enrollment in Company health and welfare benefits, and you determine the extent of the information you provide. Your decision not to provide such information may affect our ability to consider you for employment and may affect your ability to participate in, or the level of participation in, Company health and welfare benefits.

VII. Changes or Revisions to This Supplemental Privacy Policy

We reserve the right to change this Supplemental Privacy Policy at any time without prior individual notice. Any changes to this Supplemental Privacy Policy will be posted at https://www.autoweb.com/supplemental-policy.html, so be sure to check back often and consult the last updated version. Your decision to remain employed or engaged by AutoWeb following notice of such changes will be conclusively deemed acceptance of any changes to this Supplemental Privacy Policy. You agree that posting of changes to this Supplemental Privacy Policy constitutes reasonable and sufficient notice. At all times, you are bound by the then-current version of this Supplemental Privacy Policy and all applicable laws, rules, regulations and orders. We highly recommend that you review this Supplemental Privacy Policy from time to time. If we make material changes that will affect Employment-Related Personal Information we have already collected from you prior to the changes going into effect, we will make reasonable efforts to notify you of these material changes and to give you the opportunity to opt-out and not allow us to use your Employment-Related Personal Information in the manner allowed by the changes.

VIII. Updating or Correcting Your Employment-Related Information.

To update your Employment-Related Information, you must submit a request by contacting our Human Resources Department as provided under the section of this Supplemental Privacy Policy entitled “Contact Us” below. Note that California residents should also review the additional requirements applicable to California residents in the section of this Supplemental Privacy Policy entitled “Notice to California Residents Regarding Your California Privacy Rights.”

IX. Contact Us

If you have any questions or need help or assistance regarding privacy, security, opting-out of email or text communications, your email and marketing preferences, or understanding how your Personal Information is being used, please contact our Human Resources Department by email at HR@autoweb.com or by calling via our toll-free number at (800) 250-9994. Note that California residents should also review the additional requirements applicable to California residents in the section of this Privacy Policy entitled “Notice to California Residents Regarding Your California Privacy Rights.”

Notice to California Residents Regarding Your California Privacy Rights

The California Privacy Act provides eligible California residents with specific rights with respect to our collection and disclosure of Employment-Related Information. This California Privacy Rights section supplements this Supplemental Privacy Policy and applies solely to eligible residents of California. Any terms not defined in this section have the same meaning as defined in the California Privacy Act.

Summary of California Privacy Rights Act

Right to Request and Obtain Information Regarding Employment-Related Personal Information (“Right to Know”). The California Privacy Act entitles California residents to request information about the Consumer’s Employment-Related Information collected by a business in the 12 months preceding the request and concerning the categories of Employment-Related Information that the business has collected about the Employment-Related Consumer; the categories of sources from which the Employment-Related Information was collected; the business or commercial purpose for collecting or disclosing the Employment-Related Personal Information; and the categories of third parties with whom the business discloses Personal Information. Upon request by the Employment-Related Consumer, we may be required to provide the foregoing information for a period beyond the 12-month period unless doing so proves impossible or would involve disproportionate effort. This extended reporting period shall only apply to Personal Information collected on or after January 2, 2022. California residents who wish to request the foregoing information in compliance with the California Privacy Act should submit their requests as provided below under the section entitled “Submission of Requests To Exercise California Privacy Rights--Requests to Know, Requests to Delete and Requests to Correct” below.

Right to Have Personal Information Deleted (“Right to Delete”). The California Privacy Act entitles California residents to request that a business delete all Employment-Related Personal Information about the Employment-Related Consumer that the business has collected, subject to certain exceptions set forth in the California Privacy Act. California residents who wish to request deletion of their Employment-Related Personal Information in compliance with the California Privacy Act should submit their requests as provided below under the section entitled “Submission of Requests To Exercise California Privacy Rights--Requests to Know, Requests to Delete and Requests to Correct” below.

Right to Have Inaccurate Personal Information Corrected (“Right to Correct”). The California Privacy Act entitles California residents to request that a business that maintains inaccurate Employment-Related Personal Information about the Consumer to use commercially reasonable efforts to correct that inaccurate Personal Information, taking into account the nature of the Employment-Related Personal Information and the purposes of the processing of the Employment-Related Personal Information. California residents who wish to exercise the foregoing right should submit their requests as provided below under the section entitled “Submission of Requests To Exercise California Privacy Rights--Requests to Know, Requests to Delete and Requests to Correct” below.

Right to Have the Use and Disclosure of Sensitive Personal Information Limited (“Right to Limit). The California Privacy Act entitles California residents to direct that a business that collects Sensitive Personal Information about the Employment-Related Consumer to limit its use of the Employment-Related Consumer’s Sensitive Personal Information to that use which is necessary to perform the services or provide the goods reasonably expected by an average Consumer who requests those goods or services, except that this Right to Limit is not applicable to certain such uses permitted by the California Privacy Act. California residents who wish to exercise the foregoing right should submit their requests as provided below under the section entitled “Submission of Requests To Exercise California Privacy Rights--Requests to Limit” below.

No Discrimination Against Persons Exercising Rights Under the California Privacy Act. AutoWeb will not discriminate against any Consumer because the Consumer exercised any of the Consumer’s rights under the California Privacy Act. Unless permitted by applicable law, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Retaliate against an employee, applicant for employment, or independent contractor.

Submission of Requests To Exercise California Privacy Rights

Requests to Know, Requests to Delete and Requests to Correct

To exercise your Right to Know, Right to Delete or Right to Correct, you must submit a verifiable request (as defined by the California Privacy Act) to our Human Resources Department by email at consumercare@autoweb.com , by calling via our toll-free number at (800) 267-2015, or by accessing our request form online at https://autoweb.truyo.com/consumer/request_form.

A verifiable consumer request must:

Provide sufficient information that allows us to verify, using commercially reasonable methods, that you are the person about whom we collected personal information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
For Requests to Delete, we may use a two-step process for online Requests to Delete where the Consumer must first submit the request and then separately confirm that the Consumer wants to delete the Consumer’s Personal Information.

The California Privacy Act requires that we verify the identity of the requesting Consumer to a reasonable degree of certainty or reasonably high degree of certainty depending on the type of request and the Personal Information about the requesting Consumer maintained by us, as well as the sensitivity of the Personal Information and the risk of harm to the Consumer posed by unauthorized deletion, access or correction. We cannot comply with your Request to Know, Request to Delete or Request to Correct if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

No later than ten (10) business days after receiving a Request to Know, Request to Delete, or Request to Correct, we will confirm receipt of your request and provide information about how we will process the request, including information regarding our verification process and when you should get a response to your request. We will respond to a Request to Know, Request to Delete or Request to Correct within 45 calendar days of receipt of a request. If we require more time (up to an additional 45 calendar days, for a maximum total of 90 calendar days) to respond, we will notify you of the reason and extension period. If we are unable to comply with or deny a request, the response we provide you an explanation of the reasons why we cannot comply with or denied the request.

We will deliver our written response to a Request to Know information by mail or electronically, at your option.

We are not obligated to provide a Consumer the information requested in response to a Request to Know more than twice within a 12-month period.

With respect to Requests to Correct, if we deny a Request to Correct because we have determined that the contested Personal Information is more likely than not accurate based on the totality of the circumstances, we may elect to delete the contested Personal Information if the deletion does not negatively impact the Consumer or the Consumer consents to the deletion.

With respect to Requests to Delete, we may deny requests if the information is required to be maintained in accordance with our retention policy for the information or the information must be retained in accordance with applicable law, rules, regulations or orders.

Authorized Agents

A request that must be verified may be submitted by an Authorized Agent. If a request is submitted by an Authorized Agent on your behalf, we will require that (i) the Authorized Agent to provide proof that the Employment-Related Consumer gave the Authorized Agent signed permission to submit the request; and (ii) the Employment-Related Consumer verify the Employment-Related Consumer’s own identity directly with us or directly confirms with us that the Employment-Related Consumer provided the Authorized Agent permission to submit the request; provided that the foregoing two requirements shall not apply to an Authorized Agent who has been given a power of attorney by the Employment-Related Consumer pursuant to California Probate Code sections 4121-4130. If a parent or guardian is submitting a request on behalf of a minor under the age of 13, the parent or guardian must submit verifiable proof and we must determine by reasonable methods that they are the parent or guardian of the minor.

How to Contact Us Regarding This Supplemental Privacy Policy and Your California Privacy Rights

If you have any questions regarding this Supplemental Privacy Policy, your rights under the California Privacy Act (e.g., Right to Know, Right to Delete, Right to Correct, Right to Limit) or the process to submit requests to exercise your California Privacy Rights, please contact our Human Resources Department by email at HR@autoweb.com or by calling via our toll-free number at (800) 250-9994.

I. Definitions

II. Categories of Employment-Related Information We Collect and Retention Periods

III. Categories of Sources From Which We Collect Employment-Related Information

IV. Purposes for Disclosing Employment-Related Information to Third Parties

V. How We Use Your Employment-Related Information

VI. Your Choices Regarding Your Employment-Related Personal Information

VII. Changes or Revisions to This Supplemental Privacy Policy

VIII. Updating or Correcting Your Employment-Related Information.

IX. Contact Us

Notice to California Residents Regarding Your California Privacy Rights