
Data Security Contract Clauses for PureCars Customers

Last Updated: March 24, 2026

Gramm-Leach-Bliley Act & State Privacy Law Addendum for Safeguarding Customer Information

This Gramm-Leach-Bliley Act and State Privacy Law Addendum (“PureCars Data Protection Addendum,” “DPA,” or “Addendum”) is made as of the ___ day of [MONTH, YEAR], by and between PureCars Technologies, LLC and/or any of its affiliated entities (hereinafter collectively referred to as “PureCars”) and _____________ (“Customer”).

Purpose 

This Addendum supplements and amends the [SERVICE AGREEMENT] (the “Agreement”) between Customer and PureCars with respect to Customer Information, as defined in 16 C.F.R. § 314.2, and Personal Information, as defined by Data Protection Laws, as defined below, and constitutes a Service Provider agreement subject to the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule or Data Protection Laws. To the extent of any ambiguity or conflict between the Agreement and this Addendum, as it applies to the safeguarding or privacy of Customer Nonpublic Information or Customer Personal Information, the terms of this Addendum shall apply. This Addendum may be updated periodically. In the event of any updates, PureCars will notify Client of the same by email at the email notice address provided by Client in an Order Form.

Definitions

Capitalized terms used herein shall have the meanings set forth in this Section 2 or 16 C.F.R. § 314.2 or Data Protection Laws, as defined below.

a.    “Authorized Persons” means PureCars’ employees, contractors, agents, and auditors who have a need to know or otherwise access Customer Nonpublic Information or Customer Personal Information to enable PureCars to perform its obligations under the Agreement and this DPA, and who are bound by confidentiality and other obligations sufficient to protect Customer Nonpublic Information or Customer Personal Information in accordance with the terms and conditions of the Agreement.

b.    “Consumer” means the term “consumer” or “individual” as it is defined in the applicable Data Privacy Law.

c.    “Data Protection Laws” means all applicable data protection laws with respect to Personal Information, such as federal and state data privacy laws (e.g., the GLBA and the Federal Trade Commission’s implementation or the California Consumer Privacy Act of 2018, as amended (“CCPA”) or similar state comprehensive privacy laws, such as the Colorado Privacy Act; the Connecticut Data Privacy Act; Delaware Personal Data Privacy Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, the Maryland Online Data Privacy Act of 2024, as amended, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Data Protection Act, the Oregon Consumer Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act, the Tennessee Information Protection Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act; state data breach notification laws; and state information security laws).

d.    “Child” means an individual under 13 years of age.

e.    “Customer Nonpublic Information” means nonpublic information, as defined under 16 C.F.R. § 314.2, that is contained in the data that Customer furnished to PureCars in connection with the provision of the Services and Products PureCars provides under the Agreement.

f.    “Customer Personal Information” or “Customer Personal Data” means “personal information” or “personal data” – as those terms are defined in the applicable Data Privacy Law and its implementing rules, procedures, exceptions, guidelines, and regulations – that is contained in the data that Customer furnished to PureCars in connection with the provision of the Services and Products PureCars provides under the Agreement. In California, for example, it may include any information that is linked or reasonably linkable to an identified or identifiable individual or household and that PureCars is processing on or for Customer’s behalf pursuant to the Agreement.

g.    “Data Breach” is defined under relevant Data Protection Laws but may be triggered by unauthorized acquisition of unencrypted Customer Personal Information. A security incident does not always rise to the level of a Data Breach or Notification Event.

h.    “Minor” means an individual under the age threshold specified by applicable Data Protection Laws for heightened protections (for example, under 13, 13-17, or under 18 in some states).

i.    “Notification Event” means unauthorized acquisition of unencrypted Customer Nonpublic Information or Customer Personal Information, as defined under 16 C.F.R. § 314.2, owned by Customer. A security incident does not always rise to the level of a Notification Event or a data breach.

j.     “Processing” means any operation or set of operations that are performed on Customer Nonpublic Information or Customer Personal Information or on sets of Customer Nonpublic Information or Customer Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

k.    “Sale,” “Sell,” “Share” have the meanings as in applicable Data Protection Laws and include certain disclosures of Customer Personal Information for monetary or other valuable consideration or for cross-context behavioral advertising.

l.    “Targeted Advertising” or “Targeted Ad” or cross-context behavioral advertising has the same meaning as in relevant Data Protection Laws and generally refers to displaying advertisements to a consumer where the advertisement is selected based on Customer Personal Information collected or inferred from that consumer’s activities over time and across non-affiliated websites, applications, or services.

Details of Processing 

  1. The type of data that is subject to processing and governed by this Addendum is Customer Nonpublic Information and Customer Personal Information.
  2. The categories of Consumers about which Customer Nonpublic Information or Customer Personal Information may be Processed may include individuals who may, have, or will have considered, owned, bought, leased, or sold vehicles from Customer’s dealerships.
  3. Other than for Pure Identity/Targeted Ad Services, when providing the Services, the Customer is the “Controller,” “Business,” “Owner” and PureCars is the “Processor,” “Service Provider,” “Collector” under applicable Data Protection Laws.
  4. For Pure Identity/Targeted Ad Services, when providing the Services, the Customer is a “Controller” or “Business” or “Owner” and PureCars is a “Processor” or “Third Party.”
  5. The nature and specific business purposes of processing Customer Nonpublic or Personal Data is for Advertising and Analytics purposes. Advertising may include Targeted Advertising or similar services but does not always include Targeted Advertising.
  6. Customer hereby authorizes PureCars or any service provider that produces, collects or receives Customer Nonpublic or Personal Information, including data pertaining to the Customer’s website(s), advertising activity, sales leads, lead generation activity, Customer’s use of the Services, or any of Customer’s other business activities (the “Customer Data”), to:
    1. transfer, provide or otherwise make available the Customer Personal Information to service providers that adhere to terms similar to this DPA in connection with providing the Services hereunder in compliance with Data Protection Laws; and
    2. use the Customer Personal Information:
       - to provide the Services and to develop reports for Customer, and
       - together with other data in its possession, to generate aggregated and anonymized data and use such aggregated and anonymized data for its business purposes including (A) in promotional materials of PureCars, (B) to create proprietary market price and incentive guides, and (C) to generate market analysis data and related products.
  7. The Agreement and this DPA shall form the “documented instructions” of the Customer, as used and further described in this DPA, in relation to the Processing of Customer Information and Personal Information in accordance with applicable Data Protection Laws, including any restrictions on processing Customer Nonpublic Information or Customer Personal Information under the GLBA or state privacy laws.
  8. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Nonpublic Information or Customer Personal Information.

PureCars Obligations

PureCars will:

a.    Comply with and maintain the same level of privacy protection as required by the Data Protection Laws, this Addendum, and industry-recognized standards and best practices;

b.    Ensure that Authorized Persons engage in training and/or sign confidentiality agreements as appropriate;

c.    Only collect, use, retain, or disclose Customer Nonpublic Information or Customer Personal Information obtained under this Addendum for purposes that align with the underlying Agreement, this Addendum, or as the law otherwise permits; and shall not use such information for Targeted Advertising, profiling, or any other purpose that is not reasonably necessary and proportionate to those purposes unless Section 6 of this Addendum related to Pure Identity/Targeted Ad Services applies;

d.    Reasonably assist Customer with meeting the Customer’s compliance obligations under the relevant Data Protection Laws, taking into account the nature of processing and the information available to PureCars;

e.    Collect, retain, use, and disclose Customer Nonpublic Information or Customer Personal Information only for the purposes for which Customer provides it, or access to it, pursuant to the terms and conditions of the Agreement and this Addendum, and not use or otherwise disclose or make available this information for PureCars’s own purposes or for other commercial purposes without Customer’s prior written consent and only to the extent permitted by Data Protection Laws;

f.     Not Sell, Share, or otherwise process Customer Nonpublic Information or Customer Personal Information for Targeted Advertising purposes, as those terms are defined under applicable Data Protection Laws, that PureCars collects or obtains from or on behalf of Customer under the Agreement or this Addendum, except if Customer expressly authorizes in a signed writing that the Section of this Addendum related to Pure Identity/Targeted Ad Services applies and only in compliance with applicable opt-out and, where required, opt-in obligations, including those related to Minors.

g.    Notwithstanding clause (f), PureCars may aggregate, de-identify, or anonymize Customer Nonpublic Information or Customer Personal Information, and use such aggregated, de-identified, or anonymized data, which shall no longer be considered Customer Nonpublic Information or Customer Personal Information, for its own research and development or other purposes permitted under law.


Customer Obligations

Customer will:

i.     Comply with the terms and conditions set forth in the Agreement, this Addendum, and the Data Protection Laws, including by providing legally compliant privacy notices that reference PureCars, if required, and obtaining consent from Consumers;

ii.     Be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Customer Nonpublic Information and Customer Personal Information under its control or in its possession, including user accounts that Customer controls;

iii.     Only use secure methods, according to accepted industry standards, when transferring or otherwise making available Customer Nonpublic Information and Customer Personal Information to PureCars; and

iv.     Provide written notice to PureCars if any information Customer provides to PureCars under the Agreement contains Customer Nonpublic Information or Customer Personal Information. PureCars will not be responsible for determining on its own that any information Customer provides under the Agreement qualifies as Customer Nonpublic Information or Customer Personal Information.

b.    CUSTOMER HEREBY REPRESENTS AND WARRANTS THAT IT HAS A PUBLICLY AVAILABLE, UP-TO-DATE PRIVACY POLICY WITH FURTHER DETAILS ON DATA HANDLING, THIRD-PARTY SHARING, AND SECURITY MEASURES THAT INCLUDE THE USE OF SERVICES BY PURECARS. CUSTOMER ALSO HEREBY REPRESENTS AND WARRANTS THAT IT HAS OBTAINED NECESSARY CUSTOMER CONSENTS FOR COLLECTING, PROCESSING, AND TRANSFERRING PERSONAL INFORMATION TO PURECARS TO CONDUCT THE SERVICES, INCLUDING NOTIFYING CUSTOMERS ABOUT CALL RECORDINGS, SMS, OR OTHER COMMUNICATIONS THAT PURECARS MAY PROVIDE UNDER THE SERVICES.

Pure Identity/Targeted Ad Services  

To the extent that Customer engages PureCars to provide cross-context behavioral or targeted advertising or profiling services, as those terms are defined by relevant Data Protection Laws (“Pure Identity” or “Targeted Ad Services”), the Parties agree as follows:

a.    When Processing Customer Personal Information solely for the purpose of Targeted Ad Services that PureCars may provide through its own ad technology, exchanges, or media partners, including through its Pure Identity Services, PureCars is a Third Party, as defined under the CCPA, or equivalent role under similar Data Protection Laws (“Third Party”).

b.    When acting as a Third Party, PureCars will not:

  i.     direct any Targeted Ad Services to consumers of Customer who have opted out of the Sale or Sharing of their personal information or Targeted Ad Services; or

  ii.     direct Targeted Ad Services or otherwise process Customer Nonpublic Information or Customer Personal Information for Targeted Advertising with respect to any Child or Minor where applicable Data Protection Laws prohibit such processing or require opt-in consent that has not been validly obtained.

c.     PureCars will recognize and honor any legally required browser-based or platform-based opt-out mechanisms or universal opt-out signals that Customer has chosen to implement and pass to PureCars under Data Protection Laws, including signals related to Sale, Sharing, or Targeted Advertising.

d.    PureCars will comply with any Consumer opt-out requests, if applicable, and direct all PureCars subcontractors to comply as required under the Data Protection Laws. Upon written request from Customer, PureCars will certify in writing that it has complied with this requirement.

e.    Customer will ensure that it has provided all required notices to individuals, including notifying individuals about PureCars and any other third parties involved with targeted advertising, and obtaining consent from individuals before engaging in targeted advertising, including explicit consent when required.

f.     For avoidance of doubt, Customer is solely responsible for implementing any age verification, consent flows, or parental consent mechanisms required for Minors under Data Protection Laws on its own properties or channels and for transmitting accurate age, consent, and opt-out signals to PureCars.

g.    PureCars may rely on Customer’s documented instructions to provide Targeted Ads if Customer engages PureCars for Targeted Ad Services through Pure Identity.

h.    Each party may audit the other’s privacy practices, as reasonable, based on opt-outs received from individuals.


Information Security

a.    PureCars will comply with applicable laws and regulations, including the GLBA Safeguards Rule and implementing regulations and guidance from the Federal Trade Commission and relevant Data Protection Laws, in its creation, collection, receipt, access, use, storage, disposal, and disclosure of Customer Personal Information and Customer Nonpublic Information.

b.    PureCars will employ reasonable physical, administrative, and technical security measures to protect Customer Personal Information and Customer Nonpublic Information in accordance with PureCars’ internal information security policy as amended from time to time (“Information Security Policy”).

c.     Customer acknowledges that the Services include certain features and functionalities that Customer may elect to use that impact the security of the data processed by Customer’s use of the Services. Customer is further responsible for its users’ access to Customer Personal Information and Customer Nonpublic Information and for using the available features and functionalities to maintain appropriate security in light of the nature of the data processed by its use of the Services.


Notification Event/Data Breach Procedures

  1. PureCars maintains a cyber incident breach response plan (“Incident Response Plan”) and will implement the procedures required under such plan on the occurrence of a Notification Event or Data Breach.
  2. Depending on the relevant terms with the OEM, PureCars will notify Customer or the relevant OEM of a Notification Event or Data Breach that impacts the Customer Personal Information or, if relevant, Customer Nonpublic Information, as soon as reasonably practicable so that the Customer or OEM may comply with the Data Protection Laws, including Notification Event obligations under 16 C.F.R. §314.4(j)(1) or similar state law Data Breach obligations.
  3. Immediately following PureCars’ notification to Customer of a Notification Event or Data Breach, the parties will coordinate with each other, as necessary, to investigate the Notification Event or Data Breach.
  4. PureCars will reimburse Customer for actual reasonable costs incurred by Customer to provide any legally required notice or services to individuals affected by a Notification Event or Data Breach, to the extent that PureCars caused a Notification Event or Data Breach.
  5. PureCars agrees that it will not inform any third party of any Notification Event that impacts Customer Personal Information or Customer Nonpublic Information without Customer’s prior consent, other than to inform a complainant that the matter has been forwarded to Customer.


Security Controls Review or Audit

At least annually, PureCars will obtain a security controls review or audit performed by an independent third party based on recognized industry standards. PureCars will make results of such controls review or audit available to Customer upon request and will timely address any noted exceptions. PureCars will provide reasonably necessary information to allow Customer to comply with any assessments or audits required under Data Protection Laws.


Return or Disposal of Personal Information

At any time during the term of the Agreement at Customer’s written request or at a reasonable interval after the termination or expiration of the Agreement, PureCars will securely dispose of all Customer Nonpublic Information and Customer Personal Information in its possession or in the possession of Authorized Persons. If requested, PureCars will notify Customer that such Customer Nonpublic Information and Customer Personal Information has been disposed of securely. If PureCars is not reasonably able to securely dispose of Customer Personal Information, including, but not limited to, Customer stored on backup media, PureCars will continue to protect such Customer Nonpublic Information and Customer Personal Information in accordance with the terms of this Addendum until such time that it can reasonably securely dispose of such information.

              
