Effective Date: 1/22/2025
Last Updated: 1/22/2026
TABLE OF CONTENTS
- Introduction and Scope
- Definitions
- Information We Collect
- How We Collect Information
- How We Use Your Information
- Legal Bases for Processing (EEA/UK Users)
- How We Share Your Information
- Our Role as Controller, Joint Controller, and Processor
- Geolocation Data and Affirmative Consent
- Marketing Communications and Consent Requirements
- Artificial Intelligence and Automated Decision-Making
- Cookies and Tracking Technologies
- Third-Party Services and Links
- Data Security and Incident Response
- Data Retention and Deletion
- International Data Transfers
- Your Privacy Rights and Choices
- State-Specific Privacy Rights and Disclosures
- Children’s Privacy
- Changes to This Privacy Policy
- Contact Us and Data Protection Officer
- Jurisdiction-Specific Addenda
1. INTRODUCTION AND SCOPE
1.1 Who We Are
This Privacy Policy is provided by Happy Camper Roadside LLC, a Nevada limited liability company with its principal place of business at 6543 South Las Vegas Boulevard, 2nd Floor, Las Vegas, Nevada 89119 (“Happy Camper,” “we,” “us,” or “our”). Happy Camper provides roadside assistance services, insurance brokerage services, technology platforms, and related services (collectively, the “Services”).
1.2 Purpose of This Policy
This Privacy Policy describes how Happy Camper collects, uses, discloses, stores, and otherwise processes personal information (also referred to as “personal data” or “personally identifiable information”) in connection with:
(a) Our roadside assistance services, including white-labeled services provided on behalf of third-party clients such as recreational vehicle manufacturers, dealers, and warranty providers;
(b) Our direct-to-consumer roadside assistance services;
(c) Our insurance brokerage and related financial services;
(d) Our technology platforms, including mobile applications, websites, and software-as-a-service offerings;
(e) Our business operations, customer service, and corporate functions; and
(f) Any other services we provide or may provide in the future.
1.3 Applicability
This Privacy Policy applies to all individuals whose personal information we collect, including:
- End Users: Individuals who use our roadside assistance services, whether directly or through a white-labeled service provided on behalf of a third-party client;
- Customers: Individuals or entities that purchase services from us;
- Website and App Visitors: Individuals who visit our websites or use our mobile applications;
- Business Contacts: Individuals employed by or associated with our business partners, vendors, clients, and other third parties with whom we conduct business;
- Job Applicants: Individuals who apply for employment with Happy Camper; and
- Other Individuals: Any other individual whose personal information we collect in connection with our business operations.
1.4 Multiple Roles
Happy Camper processes personal information in different capacities depending on the context:
- As an Independent Data Controller: For our direct customers, website visitors, business contacts, and our own business operations;
- As a Joint Data Controller: When we provide white-labeled services on behalf of third-party clients, we act as a joint data controller with those clients with respect to end user personal information;
- As a Data Processor/Service Provider: When we process certain business data on behalf of our clients pursuant to data processing agreements.
These roles are described in detail in Section 8 below.
1.5 Consent to This Policy
By using our Services, visiting our websites, using our mobile applications, or otherwise providing personal information to us, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, disclosure, and processing of your personal information as described herein. If you do not agree with this Privacy Policy, you must not use our Services or provide us with your personal information.
1.6 Additional Terms and Policies
This Privacy Policy should be read in conjunction with:
- Our Terms of Service https://thehappycamper.com/terms-and-conditions/
- Our Cookie Policy https://thehappycamper.com/cookie
- Any service-specific terms and conditions
- Any data processing agreements entered into with our clients
In the event of a conflict between this Privacy Policy and any other agreement, the terms of the other agreement shall control with respect to the subject matter of that agreement.
2. DEFINITIONS
For purposes of this Privacy Policy, the following terms have the meanings set forth below:
“Applicable Data Protection Laws” means all federal, state, provincial, and international laws, regulations, and regulatory guidance applicable to the processing of personal information, including without limitation: (i) the EU General Data Protection Regulation (“GDPR”) and UK GDPR; (ii) the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); (iii) other U.S. state privacy laws enumerated in Section 18; (iv) the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and provincial privacy laws in Canada; (v) Quebec’s Law 25; (vi) the Gramm-Leach-Bliley Act (“GLBA”); (vii) the Telephone Consumer Protection Act (“TCPA”); (viii) the CAN-SPAM Act; (ix) Canada’s Anti-Spam Legislation (“CASL”); and (x) all other applicable privacy, data protection, and telecommunications laws.
“Business Associate” has the meaning set forth in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).
“Consumer” means a natural person who is a resident of a state, province, or other legal jurisdiction, with applicable consumer privacy laws.
“Controller” (or “Data Controller”) means an entity that determines the purposes and means of processing personal information.
“Cross-Context Behavioral Advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
“Data Subject” means an identified or identifiable natural person to whom personal information relates.
“Deidentified Information” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, provided that we: (i) take reasonable measures to ensure that such information cannot be associated with a consumer or household; (ii) publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information; and (iii) contractually obligate any recipients of the information to comply with all provisions of applicable law related to deidentified information.
“Personal Information” (also referred to as “Personal Data” or “Personally Identifiable Information”) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information includes, but is not limited to: identifiers such as name, address, email address, telephone number, account name, Social Security number, driver’s license number, passport number, or other similar identifiers; commercial information; biometric information; internet or other electronic network activity information; geolocation data; audio, electronic, visual, or similar information; professional or employment-related information; education information; and inferences drawn from any of the foregoing. Personal Information does not include publicly available information, deidentified information, or aggregate consumer information.
“Process” or “Processing” means any operation or set of operations performed on personal information or sets of personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” (or “Service Provider” under California law) means an entity that processes personal information on behalf of a controller.
“Profiling” means any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Pseudonymization” means the processing of personal information in such a manner that the personal information can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.
“Sale” or “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
“Sensitive Personal Information” means personal information that reveals: (i) a consumer’s social security, driver’s license, state identification card, or passport number; (ii) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (iii) a consumer’s precise geolocation; (iv) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (v) the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; (vi) a consumer’s genetic data; (vii) personal information collected and analyzed concerning a consumer’s health; (viii) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation; or (ix) biometric information for the purpose of uniquely identifying a consumer. The specific definition of Sensitive Personal Information may vary by jurisdiction.
“Share” or “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
“Targeted Advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal information obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.
“Third Party” means a person or entity that is not: (i) the business that collects personal information from consumers; or (ii) a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
3. INFORMATION WE COLLECT
We collect various categories of personal information depending on how you interact with our Services. The categories of personal information we collect include:
3.1 Identifiers and Contact Information
- Full name (first, middle, last)
- Alias, nickname, or username
- Postal address (including billing and shipping addresses)
- Email address
- Telephone number (including mobile phone number)
- Account name and account number
- Driver’s license number or state identification card number
- Passport number
- Vehicle identification number (VIN)
- License plate number
- Social Security number (for employment, background checks, or as required for certain financial services)
- Signature
- Date of birth
- Unique personal identifier or customer number
- Online identifier or device identifier
- Internet Protocol (IP) address
3.2 Demographic Information
- Age or age range
- Gender
- Marital status
- Nationality or citizenship status
- Language preferences
- Veteran status (for employment purposes)
- Disability status (for employment or service accommodation purposes)
3.3 Commercial Information
- Records of products or services purchased, obtained, or considered
- Service plan details, including type of roadside assistance coverage, coverage limits, deductibles, and coverage period
- Date of purchase or activation of service plan
- Purchase history and transaction records
- Payment information, including credit card number, debit card number, bank account information, and other financial account information (processed through secure third-party payment processors)
- Billing and shipping information
- Records of claims submitted, approved, or denied
- Service history, including dates, times, locations, and types of services provided
- Preferences regarding products or services
3.4 Geolocation Data
- Precise real-time GPS location coordinates (latitude and longitude)
- Approximate location derived from IP address
- Location history
- Breakdown location and tow-to destination
- Home address, work address, and frequently visited locations
3.5 Internet or Other Electronic Network Activity Information
- Browsing history, including websites visited before and after visiting our websites
- Search history within our Services
- Information regarding your interaction with our websites, mobile applications, or advertisements
- Clickstream data
- Pages viewed and time spent on pages
- Links clicked
- Features used within our mobile applications
- Error logs and diagnostic information
- Session recordings (aggregated and anonymized)
3.6 Device and Usage Information
- Device type (e.g., smartphone, tablet, computer)
- Device make and model
- Operating system and version
- Browser type and version
- Mobile network information, including carrier name
- Device settings and configurations
- Unique device identifiers (e.g., IMEI, UDID, advertising ID)
- Screen resolution and display settings
- Time zone settings
- Application version and build number
- Device memory and storage capacity
- Battery status
3.7 Communication and Interaction Data
- Customer service inquiries, requests, and correspondence
- Call recordings (with prior notice and consent as required by law)
- Chat transcripts, including chatbot interactions
- Text messages (SMS/MMS) sent to or received from us
- Email communications
- Survey responses and feedback
- Reviews and ratings you provide
- Photos, videos, or other media you submit to us (e.g., photos of vehicle damage)
3.8 Professional or Employment-Related Information
- Current or past job history
- Professional licenses and certifications (for independent service providers)
- Educational background
- Performance evaluations
- Employment references
- Background check results (with consent as required by law)
- Criminal history information (for employment or service provider qualification purposes, with consent and in compliance with applicable law)
3.9 Education Information
- Educational institution attended
- Degrees obtained
- Dates of attendance
- Transcripts (for employment purposes)
3.10 Inferences and Derived Data
- Inferences drawn from any of the above categories of personal information to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes
- Predictive analytics regarding service needs, likelihood of claims, customer lifetime value, churn risk, and fraud risk
- Risk scores and creditworthiness assessments (for insurance brokerage services)
- Customer segmentation and classification
- Service recommendations and personalized content
3.11 Audio, Electronic, Visual, or Similar Information
- Photographs submitted by you (e.g., vehicle photos, accident scene photos)
- Video recordings (e.g., dash cam footage, if provided by you)
- Audio recordings of customer service calls (with notice and consent)
- Voice recordings for voice-activated features (if applicable)
3.12 Protected Classification Characteristics
We do not intentionally collect protected classification characteristics such as race, ethnicity, religion, sexual orientation, or health information for roadside assistance services. However, such information may be incidentally captured in free-form text fields, communications, photographs, or other submissions. If you provide such information, it will be subject to this Privacy Policy and applicable law.
For insurance brokerage services, we may collect certain protected classification characteristics as permitted or required by law for underwriting, risk assessment, and compliance purposes.
3.13 Information About Others
You may provide us with personal information about other individuals, such as:
- Emergency contacts
- Additional authorized drivers
- Co-applicants for insurance
- Beneficiaries
- Employees or contractors (if you are a business customer)
By providing us with personal information about other individuals, you represent and warrant that you have obtained all necessary consents and authorizations from those individuals to provide their personal information to us and for us to process their personal information as described in this Privacy Policy.
3.14 Sensitive Personal Information
We may collect the following categories of Sensitive Personal Information:
- Precise Geolocation: We collect precise real-time GPS coordinates to dispatch roadside assistance to your exact location. This is considered Sensitive Personal Information under certain state laws.
- Account Credentials: We collect account login credentials, including username and password, which are encrypted and securely stored.
- Financial Account Information: For payment processing and insurance brokerage services, we may collect credit card numbers, bank account numbers, and other financial account information in combination with security codes or passwords. This information is processed through PCI-DSS compliant payment processors.
- Social Security Number: We may collect Social Security numbers for employment purposes, background checks, identity verification, fraud prevention, or as required for certain insurance and financial services.
- Driver’s License, State ID, or Passport Number: We may collect government-issued identification numbers for identity verification, fraud prevention, or as required for certain services.
- Contents of Communications: We may process the contents of your emails, text messages, or other communications when you communicate with us for customer service or other purposes. We are the intended recipient of such communications.
- Health Information: For certain insurance brokerage services, we may collect health-related information as permitted by law. We do not collect health information for roadside assistance services unless you voluntarily provide it to us (e.g., in explaining why you need assistance).
We do not collect:
- Racial or ethnic origin (except as incidentally disclosed by you)
- Religious or philosophical beliefs
- Union membership
- Genetic data
- Biometric information for the purpose of uniquely identifying a consumer
- Information concerning sex life or sexual orientation
Our use and disclosure of Sensitive Personal Information is limited to the purposes specified in this Privacy Policy and as permitted by applicable law. You have the right to limit our use and disclosure of your Sensitive Personal Information as described in Section 17.
4. HOW WE COLLECT INFORMATION
We collect personal information through various methods:
4.1 Information You Provide Directly
We collect personal information that you voluntarily provide to us when you:
- Register for an account or create a user profile
- Purchase or activate a service plan
- Request roadside assistance through our mobile application, website, or customer service line
- Fill out forms, surveys, or questionnaires
- Apply for employment or a contractor position
- Sign up for newsletters, promotional emails, or text messages
- Participate in contests, sweepstakes, or promotions
- Submit reviews, ratings, feedback, or testimonials
- Contact customer service or technical support
- Interact with our chatbot or virtual assistant
- Upload photos, videos, or other content
- Communicate with us via email, text message, phone, mail, or social media
- Attend events, webinars, or training sessions
- Otherwise interact with our Services
4.2 Information Collected Automatically
We automatically collect certain information when you use our Services, including:
- Device and Usage Information: As described in Sections 3.5 and 3.6, we automatically collect information about your device, how you access and use our Services, and your interactions with our content.
- Location Information: With your consent, we automatically collect your precise geolocation when you use our mobile application to request roadside assistance. We may also derive your approximate location from your IP address.
- Cookies and Tracking Technologies: We use cookies, web beacons, pixels, local storage, and similar tracking technologies to collect information about your browsing activities and preferences. See Section 12 for more information.
- Log Files: Our servers automatically record certain information in log files, including your IP address, browser type, referring/exit pages, operating system, date/time stamp, and clickstream data.
- Analytics and Performance Monitoring: We use analytics tools to collect information about how our Services are used, including error rates, performance metrics, and user engagement statistics.
4.3 Information from Third Parties
We may receive personal information about you from third parties, including:
- Business Partners and Clients: When you purchase or receive roadside assistance coverage from one of our white-label clients (e.g., an RV manufacturer, dealer, or warranty provider), they provide us with your personal information to enable us to provide services to you. This includes your name, contact information, VIN, service plan details, and eligibility information.
- Independent Service Providers (ISPs): Local tow truck operators, mobile mechanics, and other roadside assistance providers may provide us with information about the services they provided to you, including service completion confirmations, time stamps, and notes.
- Third-Party Service Providers: We work with third-party companies that provide dispatch coordination, payment processing, fraud prevention, identity verification, data enrichment, and other services. These companies may provide us with information necessary to deliver our Services.
- Data Brokers and Marketing Partners: We may obtain personal information from data brokers, marketing partners, or other third parties to supplement the information we collect, for purposes such as fraud prevention, identity verification, marketing analytics, and customer insights. Such information may include demographic data, contact information, and publicly available information.
- Social Media Platforms: If you interact with us through social media platforms or use social media features integrated into our Services, we may receive information from those platforms, such as your profile information, friend lists, and content you’ve shared.
- Publicly Available Sources: We may collect information about you from publicly available sources, including public records, social media profiles, news articles, and other publicly accessible information.
- Insurance Partners: For our insurance brokerage services, we may receive information from insurance carriers, underwriters, and other partners.
- Credit Bureaus and Background Check Providers: For employment purposes, fraud prevention, or certain financial services, we may obtain information from credit bureaus, background check providers, or similar entities (with your consent as required by law).
- Government Agencies: We may receive information from government agencies as permitted or required by law.
4.4 Information from Other Users
Other users of our Services may provide information about you, such as:
- If another user adds you as an emergency contact or authorized user
- If another user refers you to our Services
- If another user mentions you in communications with us
4.5 Inferred Information
We may derive or infer information about you based on the personal information we collect. For example, we may infer your preferences, interests, likely service needs, or geographic location based on your usage patterns, service history, and other data.
5. HOW WE USE YOUR INFORMATION
We use your personal information for various business and commercial purposes as described below. The specific purposes for which we use your information depend on how you interact with our Services and the context in which we collected the information.
5.1 Providing and Delivering Services
We use your personal information to provide, deliver, and maintain our Services, including to:
- Process and fulfill service requests: Verify your eligibility, dispatch roadside assistance to your location, coordinate with independent service providers, track service status, and confirm service completion.
- Operate our platforms: Provide access to our mobile applications, websites, and technology platforms; authenticate users; maintain user accounts and profiles.
- Process transactions and payments: Process payments, billing, and invoices; prevent fraud and verify payment information; issue refunds or credits.
- Provide customer support: Respond to inquiries, requests, and complaints; troubleshoot technical issues; provide assistance with using our Services.
- Communicate with you: Send transactional communications such as service confirmations, appointment reminders, status updates, claims notifications, account alerts, and other Service-related messages.
- Manage claims and disputes: Adjudicate claims for benefits, resolve disputes, manage quality assurance processes, and investigate service issues or complaints.
- Coordinate with service providers: Share necessary information with independent service providers (ISPs) to enable them to provide services to you; manage our network of service providers.
5.2 Improving and Developing Services
We use your personal information to improve, develop, and innovate our Services, including to:
- Analyze usage and performance: Understand how users interact with our Services, identify usage patterns and trends, measure the effectiveness of features, and identify areas for improvement.
- Conduct research and development: Develop new products, services, and features; test new functionality; conduct pilots and beta programs.
- Enhance user experience: Personalize content, recommendations, and features; optimize the user interface and user experience.
- Train and improve AI systems: Use personal information (in anonymized or aggregated form where possible) to train, test, and improve our artificial intelligence systems, machine learning models, chatbots, predictive analytics algorithms, and other automated systems. See Section 11 for more information.
- Improve algorithms: Enhance our dispatch algorithms, route optimization, fraud detection systems, risk assessment models, and other algorithmic processes.
5.3 Marketing and Promotional Activities
Subject to applicable law and your consent where required, we use your personal information for marketing and promotional purposes, including to:
- Send marketing communications: Send you promotional emails, text messages, direct mail, or other marketing communications about our Services, new features, special offers, promotions, contests, surveys, and other information that may be of interest to you.
- Personalize marketing: Tailor marketing content and offers based on your preferences, interests, service history, and other information.
- Conduct market research: Understand customer preferences, conduct surveys, gather feedback, and analyze market trends.
- Advertise our Services: Display targeted advertisements to you on our own websites and applications, as well as on third-party websites, applications, and social media platforms.
- Analyze marketing effectiveness: Measure the performance of our marketing campaigns, understand which marketing channels are most effective, and optimize our marketing strategies.
You have the right to opt out of marketing communications at any time. See Section 10 for information about marketing consent and opt-out rights.
5.4 Business Operations and Administration
We use your personal information for internal business operations and administration, including to:
- Maintain business records: Keep records of transactions, service history, communications, and other business activities.
- Conduct financial management and accounting: Process invoices, manage accounts receivable and payable, prepare financial statements, and conduct audits.
- Manage vendor and partner relationships: Onboard and manage relationships with business partners, vendors, contractors, and service providers.
- Administer employee and contractor relationships: For employment purposes, we use personal information to recruit, hire, onboard, pay, manage, evaluate, and terminate employment or contractor relationships.
- Manage facilities and assets: Control physical and logistical access to our facilities, systems, and assets; manage equipment and inventory.
- Conduct training: Provide training to employees, contractors, and service providers.
5.5 Security, Fraud Prevention, and Safety
We use your personal information to protect the security, integrity, and safety of our Services, our users, our employees, and the public, including to:
- Prevent fraud and abuse: Detect, investigate, and prevent fraudulent transactions, unauthorized access, identity theft, misuse of services, and other illegal or harmful activities.
- Authenticate and verify identity: Verify the identity of users, customers, service providers, and other individuals; prevent unauthorized account access.
- Protect against security threats: Monitor for and respond to security incidents, vulnerabilities, and threats; conduct security assessments and penetration testing.
- Enforce policies and terms: Enforce our Terms of Service, acceptable use policies, and other agreements; investigate violations of our policies.
- Protect rights and property: Protect our legal rights, property, and assets; protect the rights, property, and safety of our users and third parties.
- Ensure physical safety: In emergency situations, we may use location information and other personal information to coordinate with emergency services, locate individuals in need of assistance, or otherwise protect health and safety.
5.6 Legal Compliance and Legal Proceedings
We use your personal information to comply with legal obligations and defend our legal rights, including to:
- Comply with laws and regulations: Comply with applicable federal, state, provincial, and local laws, regulations, and regulatory guidance, including data protection laws, consumer protection laws, telecommunications laws, tax laws, and employment laws.
- Respond to legal process: Respond to subpoenas, court orders, law enforcement requests, government investigations, and other legal processes.
- Enforce legal rights: Establish, exercise, or defend legal claims; enforce our contracts and agreements.
- Conduct investigations: Investigate suspected violations of law or our policies.
- Fulfill regulatory requirements: Submit reports, filings, and other information to regulatory authorities as required.
- Manage litigation: Manage and defend litigation, arbitration, and other legal proceedings.
5.7 Analytics and Business Intelligence
We use your personal information for analytics and business intelligence purposes, including to:
- Analyze business performance: Measure and analyze key performance indicators, revenue, profitability, customer acquisition costs, customer lifetime value, and other business metrics.
- Segment customers: Group customers into segments based on characteristics, behavior, preferences, and other factors for analysis and decision-making.
- Conduct predictive analytics: Use statistical models and machine learning to predict future outcomes, such as likelihood of claims, customer churn risk, service demand forecasting, and risk assessment.
- Generate insights: Derive insights from data to inform business strategy, product development, pricing, marketing, and operations.
- Create aggregated and anonymized data: Aggregate and anonymize personal information to create statistical information, reports, and data sets that do not identify individuals.
5.8 Insurance and Financial Services
For our insurance brokerage and related financial services, we use your personal information to:
- Provide insurance quotes: Evaluate your eligibility for insurance products, calculate premiums, and provide quotes.
- Process insurance applications: Submit applications to insurance carriers on your behalf; coordinate underwriting and approval processes.
- Service insurance policies: Assist with policy administration, renewals, endorsements, cancellations, and claims.
- Assess risk: Evaluate risk factors for underwriting and pricing purposes; conduct credit checks and background checks where permitted by law and with your consent.
- Comply with insurance regulations: Comply with state insurance laws, licensing requirements, and regulatory reporting obligations.
5.9 Joint Controller Activities
When we act as a joint controller with our white-label clients, we use your personal information for the joint purposes described in Section 8, including program administration, service delivery, claims processing, reporting, and analytics.
5.10 Other Purposes
We may also use your personal information for other purposes that are disclosed to you at the time of collection or with your consent.
5.11 Aggregated and Deidentified Information
We may aggregate, anonymize, or de-identify personal information so that it can no longer reasonably be used to identify you. We may use and disclose such aggregated, anonymized, or deidentified information for any purpose and without restriction, including for research, analytics, reporting, benchmarking, and other commercial purposes. We maintain and use aggregated and deidentified information in deidentified form and will not attempt to reidentify such information, except as permitted by law to test our deidentification processes.
6. LEGAL BASES FOR PROCESSING (EEA/UK USERS)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Act on Data Protection (FADP) requires us to have a legal basis for processing your personal data. Our legal bases for processing your personal data include:
6.1 Contractual Necessity
Processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract. This includes:
- Providing roadside assistance services to you
- Processing your service requests and claims
- Managing your account
- Processing payments
- Communicating with you about services you’ve requested
6.2 Legitimate Interests
Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:
- Operating and improving our business and Services
- Fraud prevention and security
- Network and information security
- Protecting our legal rights and property
- Conducting analytics and research
- Marketing our Services to existing customers (where permitted without consent)
- Managing vendor and partner relationships
- Internal administration and record-keeping
We conduct balancing tests to ensure that our legitimate interests do not override your rights and freedoms.
6.3 Legal Obligation
Processing is necessary to comply with a legal obligation to which we are subject, such as:
- Complying with tax, accounting, and regulatory requirements
- Responding to lawful requests from law enforcement or regulatory authorities
- Maintaining records as required by law
- Complying with court orders and legal processes
6.4 Consent
We have obtained your explicit consent to process your personal data for specific purposes. This includes:
- Processing precise geolocation data
- Sending marketing communications (where consent is required)
- Using cookies and similar tracking technologies (where consent is required)
- Processing special categories of personal data (if applicable)
You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
6.5 Vital Interests
Processing is necessary to protect the vital interests of you or another natural person. This may include emergency situations where processing is necessary to protect life or physical safety.
6.6 Public Interest
In certain limited circumstances, processing may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
7. HOW WE SHARE YOUR INFORMATION
We share your personal information with third parties in the circumstances described below. We do not “sell” or “share” personal information as those terms are defined under the CCPA and other state privacy laws, except as disclosed in Section 18.
7.1 Service Providers and Subprocessors
We engage third-party service providers and subprocessors to perform functions on our behalf and to assist us in providing our Services. These service providers may have access to your personal information only to perform specific tasks on our behalf and are contractually obligated to:
- Use personal information only for the purposes for which we disclose it to them
- Implement appropriate technical and organizational security measures
- Comply with applicable data protection laws
- Not sell or share personal information
- Not retain, use, or disclose personal information for any purpose other than performing services for us
Categories of service providers and subprocessors with whom we share personal information include:
Technology and Infrastructure Providers:
- Cloud hosting and storage providers (Amazon Web Services)
- Software-as-a-service (SaaS) platform providers
- Content delivery networks (CDNs)
- Database management providers
- Application development and maintenance providers
- IT support and managed services providers
Dispatch and Service Coordination:
- Third-party dispatch coordination platforms
- Roadside assistance network management providers
- GPS and mapping service providers
- Route optimization service providers
Payment Processing:
- Payment processors and payment gateways
- Credit card processing companies
- ACH processors
- PCI-DSS compliant payment service providers
- Fraud detection and prevention services
Communications:
- Email service providers
- SMS/text messaging platforms
- Customer relationship management (CRM) platforms
- Call center and telephony providers
- Video conferencing providers
- Chatbot and conversational AI platforms
Analytics and Business Intelligence:
- Web and mobile analytics providers
- Data analytics and visualization platforms
- Business intelligence tools
- Marketing analytics providers
Customer Support:
- Customer service platform providers
- Help desk and ticketing systems
- Knowledge base and FAQ platforms
Marketing and Advertising:
- Email marketing platforms
- Marketing automation tools
- Advertising networks and exchanges
- Social media advertising platforms
- Affiliate marketing platforms
- Survey and feedback tools
Security and Fraud Prevention:
- Identity verification services
- Fraud detection and prevention tools
- Security monitoring and threat intelligence providers
- Background check providers
- Cybersecurity service providers
Professional Services:
- Legal counsel and law firms
- Accounting and audit firms
- Consulting firms
- Insurance brokers and carriers (for our corporate insurance)
Human Resources and Employment:
- Payroll processing providers
- Benefits administration providers
- Recruiting and applicant tracking systems
- Background check and drug screening providers
- Employee training and learning management systems
A current list of our subprocessors is available upon written request to our Data Protection Officer.
7.2 Independent Service Providers (ISPs)
When you request roadside assistance, we share necessary personal information with independent service providers (ISPs) who will provide services to you. This includes:
- Your name and contact phone number
- Your vehicle location (GPS coordinates)
- Your vehicle information (make, model, VIN, license plate)
- Service request details (type of service needed, breakdown description)
- Tow destination (if applicable)
- Any special instructions or notes
ISPs are independent contractors, not employees of Happy Camper. Each ISP must pass criminal background checks and drug screenings and must comply with our service provider requirements. ISPs are contractually prohibited from using your personal information for any purpose other than providing roadside assistance services to you.
7.3 Joint Controllers and White-Label Clients
When you use roadside assistance services provided through one of our white-label clients (such as RV manufacturers, dealers, or warranty providers), Happy Camper and that client act as joint controllers of your personal information. We share personal information with our joint controller clients for the following purposes:
- Program administration: Managing eligibility, service plan details, coverage limits, and program terms
- Service delivery and coordination: Ensuring seamless delivery of services to you
- Claims processing and adjudication: Processing and adjudicating claims under the service plan
- Reporting and analytics: Providing reports on service usage, claims activity, customer satisfaction, and program performance
- Customer relationship management: Enabling the client to manage their relationship with you
- Quality assurance and dispute resolution: Investigating and resolving service issues, complaints, and disputes
- Marketing and communications: Coordinating marketing and customer communications (with appropriate consents)
The allocation of responsibilities between Happy Camper and our joint controller clients is set forth in data processing agreements and is described in Section 8.
7.4 Business Partners
We may share personal information with business partners for joint marketing initiatives, co-branded offerings, or other collaborative business purposes, including:
- RV manufacturers and dealers
- Insurance carriers and underwriters (for our insurance brokerage services)
- Financial institutions
- Warranty providers
- Membership organizations
- Affinity groups and associations
When we share personal information with business partners, we require them to comply with applicable data protection laws and to use the information only for authorized purposes.
7.5 Corporate Affiliates
We may share personal information with our parent company, subsidiaries, affiliates, and other entities under common control or ownership for the purposes described in this Privacy Policy, including:
- Providing and improving Services
- Business operations and administration
- Marketing (subject to applicable consent requirements)
- Internal analytics and reporting
- Shared technology infrastructure and platforms
All corporate affiliates are required to comply with this Privacy Policy and applicable data protection laws.
7.6 In Connection with Business Transactions
We may share or transfer personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, acquisition, divestiture, dissolution, bankruptcy, or other business transaction or restructuring. In such transactions:
- We will require the acquiring or successor entity to honor this Privacy Policy or provide notice of changes
- We will comply with applicable data protection laws regarding transfers of personal information
- We may share personal information with prospective buyers, investors, advisors, and other parties involved in the transaction, subject to confidentiality obligations
7.7 Legal Requirements and Protection of Rights
We may disclose personal information if we believe in good faith that such disclosure is necessary to:
Comply with Legal Obligations:
- Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
- Respond to subpoenas, court orders, warrants, or other legal process
- Cooperate with law enforcement, regulatory authorities, or other government agencies
- Comply with national security or law enforcement requirements
Enforce Our Rights:
- Enforce our Terms of Service, this Privacy Policy, and other agreements
- Investigate and respond to potential violations of our policies
- Protect our legal rights, property, and interests
Protect Safety and Security:
- Protect the rights, property, or safety of Happy Camper, our users, employees, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Respond to emergency situations that threaten the health or safety of any person
When we receive legal process seeking personal information, we will review the request for legal sufficiency and may object to overly broad or inappropriate requests. We will notify affected individuals of legal demands for their personal information when appropriate and legally permissible, unless prohibited by law or court order or when the request involves imminent harm.
7.8 With Your Consent or at Your Direction
We may share personal information with third parties when you provide consent or direct us to do so, including:
- When you authorize third-party applications or integrations to access your account
- When you participate in joint promotions or offerings with third parties
- When you post content to public areas or social media
- When you direct us to share information with specific third parties
7.9 Aggregated and Deidentified Information
We may share aggregated, anonymized, or deidentified information that does not identify you personally with third parties for any purpose, including:
- Industry benchmarking and reports
- Market research and analysis
- Academic research
- Business intelligence and analytics
- Marketing and promotional purposes
Such information is not considered personal information and is not subject to the restrictions in this Privacy Policy.
7.10 Public Disclosure
Certain features of our Services may allow you to post content, reviews, ratings, or other information that may be publicly visible. Any information you post to public areas will be accessible by other users and the general public. We cannot control how others may use information you post publicly. Please exercise caution when posting personal information to public areas.
7.11 Social Media Platforms
If you interact with us through social media platforms or use social media features integrated into our Services, information you post or share may be visible to other users of those platforms according to the platforms’ privacy settings and policies. We may also receive information from social media platforms as described in Section 4.3.
7.12 Data Transfers for International Operations
We operate globally and may transfer personal information to recipients in countries other than your country of residence, including the United States and Canada. See Section 16 for information about international data transfers and safeguards.
8. OUR ROLE AS CONTROLLER, JOINT CONTROLLER, AND PROCESSOR
Happy Camper processes personal information in different legal capacities depending on the context. This section explains our different roles and responsibilities.
8.1 Happy Camper as Independent Data Controller
Happy Camper acts as an independent data controller when we determine the purposes and means of processing personal information for our own business operations and services. This includes:
Direct-to-Consumer Services: When individuals purchase roadside assistance services directly from Happy Camper (not through a white-label client), we are the sole controller of their personal information.
Our Website and Corporate Operations: For visitors to our corporate websites, business contacts, vendors, prospective customers, and other individuals with whom we interact in the course of our business operations, we are the independent controller.
Employment and Recruiting: For job applicants, employees, contractors, and other individuals in an employment or work relationship with Happy Camper, we are the controller.
Marketing and Analytics: For our own marketing initiatives, customer analytics, and business intelligence activities (separate from joint controller arrangements), we act as an independent controller.
Insurance Brokerage Services: For individuals who use our insurance brokerage services, we are the controller (or co-controller with insurance carriers in certain contexts).
Our Own Technology Development: When we use data to develop, train, and improve our proprietary technology, algorithms, and AI systems (in compliance with our contractual obligations), we are the controller.
As an independent controller, Happy Camper has sole responsibility for:
- Determining how and why personal information is processed
- Complying with all applicable data protection laws
- Responding to data subject rights requests
- Maintaining appropriate security measures
- Providing privacy notices and obtaining required consents
- Managing data breaches and security incidents
8.2 Happy Camper as Joint Data Controller
Happy Camper acts as a joint data controller with our white-label clients when we provide roadside assistance services through white-labeled mobile applications or platforms. In these arrangements, both Happy Camper and the client jointly determine certain purposes and means of processing end user personal information.
Examples of White-Label Client Arrangements:
- RV manufacturers
- RV dealers and dealer networks
- Vehicle warranty providers
- Membership organizations
- Other entities that offer roadside assistance services powered by Happy Camper
Joint Controller Responsibilities:
The specific allocation of responsibilities between Happy Camper and each joint controller client is set forth in a data processing agreement. Generally, the responsibilities are allocated as follows:
Client’s Responsibilities:
- Collecting end user personal information in connection with the sale or provision of roadside assistance plans
- Determining which individuals are eligible for services
- Providing eligibility and program information to Happy Camper via API or other agreed methods
- Managing the dealer-distributor relationship (if applicable)
- Managing the customer relationship, including contract terms and billing
- Providing customer support for plan purchase, eligibility, and account matters
- Sending marketing and promotional communications to end users (if any), subject to obtaining appropriate consents
- Providing privacy notices to end users at the point of sale or enrollment
- Responding to data subject rights requests related to the customer relationship, eligibility, and contract matters (with Happy Camper’s assistance as needed)
Happy Camper’s Responsibilities:
- Operating and maintaining the white-labeled mobile application and technology platform
- Collecting dispatch information from end users when they request roadside assistance services
- Processing location data for dispatch purposes
- Selecting and dispatching independent service providers (ISPs) to provide services
- Coordinating service delivery and tracking service status
- Adjudicating claims and determining benefits under the service plan terms
- Conducting quality assurance reviews and resolving service-related disputes
- Managing all data related to service delivery and operations
- Providing reporting and analytics to the client regarding service usage and program performance
- Serving as the primary point of contact for data subject rights requests related to service delivery (on behalf of both controllers)
- Maintaining appropriate technical and organizational security measures
- Managing security incidents and data breaches
- Providing privacy notices within the mobile application
- Obtaining required consents from end users (such as geolocation consent)
Data Subject Rights Under Joint Controller Arrangements:
End users may exercise their privacy rights against either Happy Camper or the joint controller client. When we receive a data subject rights request:
- Happy Camper will serve as the primary coordinator of the response
- Happy Camper and the client will cooperate to provide a complete response
- Each party will provide information within its area of responsibility
- Both parties will comply with applicable legal timeframes for responses
- If a request requires action by both parties (e.g., deletion), both parties will take appropriate action
Transparency:
Both Happy Camper and our joint controller clients are required to:
- Inform end users of the joint controller arrangement in their respective privacy policies
- Provide clear information about how to exercise privacy rights
- Make privacy notices easily accessible to end users
- Ensure that privacy notices accurately reflect the joint controller arrangement
Essential Elements of Joint Controller Arrangement (Article 26 GDPR):
For end users in the EEA, UK, or Switzerland, the following represents the essence of our joint controller arrangement as required by Article 26 of the GDPR:
- Joint Determination: Happy Camper and the client jointly determine the purposes (providing roadside assistance services) and certain means (using the Happy Camper platform) of processing.
- Allocation of Responsibilities: Responsibilities are allocated as described above and in our data processing agreements.
- Essence Made Available: The essence of this arrangement is made available to data subjects through this Privacy Policy and the client’s privacy policy.
- Single Point of Contact: Happy Camper serves as the primary point of contact for data subjects exercising their rights, but data subjects may exercise rights against either controller.
- Independent Liability: Notwithstanding the joint controller arrangement, Happy Camper has agreed to indemnify and hold harmless the client for any claims, damages, or liabilities arising from Happy Camper’s processing activities. However, this internal allocation of liability does not affect data subjects’ rights to bring claims against either or both controllers under the GDPR.
8.3 Happy Camper as Data Processor/Service Provider
In certain limited contexts, Happy Camper acts as a data processor or service provider (under California law) on behalf of our clients. This includes:
Client Business Data: When our clients provide us with personal information about their employees, dealers, business contacts, or other individuals not directly using roadside assistance services (e.g., dealer contact lists, employee rosters), we process such information solely on the client’s behalf as a processor.
Custom Technology Services: When we provide custom software development, data analytics, or other technology services to clients under specific service agreements, we may act as a processor for certain data sets.
As a processor/service provider, Happy Camper:
- Processes personal information only on the documented instructions of the controller/business
- Does not use personal information for our own purposes
- Does not sell or share personal information
- Implements appropriate security measures as required by the controller and applicable law
- Assists the controller in responding to data subject rights requests
- Notifies the controller of security incidents
- Deletes or returns personal information at the end of the service relationship
- Complies with all applicable data processor obligations under GDPR, CCPA, and other laws
The specific terms of our processor arrangements are set forth in data processing agreements with each client.
8.4 Summary Table
| Context | Happy Camper’s Role | Key Responsibilities |
| --- | --- | --- |
| Direct-to-consumer roadside services | Independent Controller | Sole responsibility for all processing |
| Corporate website, marketing, HR | Independent Controller | Sole responsibility for all processing |
| White-label roadside services for end users | Joint Controller with Client | Shared responsibilities as described in 8.2 |
| Client business data (non-end users) | Processor/Service Provider | Process only on client’s instructions |
| Custom technology services | Processor/Service Provider | Process only on client’s instructions |
9. GEOLOCATION DATA AND AFFIRMATIVE CONSENT
9.1 Collection of Precise Geolocation Data
Our Services collect and process precise real-time geolocation data (GPS coordinates, latitude and longitude) from your mobile device when you use our mobile application to request roadside assistance. This geolocation data is considered Sensitive Personal Information under certain state privacy laws.
9.2 Purposes for Collecting Geolocation Data
We collect and use your precise geolocation data for the following purposes:
- Dispatching assistance to your exact location: We share your GPS coordinates with the nearest available independent service provider (ISP) so they can locate you and provide assistance.
- Route optimization: We use location data to calculate optimal routes and estimated arrival times for service providers.
- Service coordination: We track the location of service providers en route to you and provide you with status updates.
- Service verification: We use location data to confirm that services were provided at the correct location.
- Safety and security: In emergency situations, we may use location data to coordinate with emergency services or to locate individuals in need of urgent assistance.
- Analytics and improvement: We use aggregated and anonymized location data to analyze service demand patterns, optimize our service provider network, and improve dispatch efficiency.
9.3 Affirmative Consent Required
IMPORTANT: We will not collect, use, or share your precise geolocation data without your affirmative consent.
How We Obtain Consent:
When you first download and open our mobile application, you will be presented with:
- Device-Level Permission: Your mobile device operating system (iOS or Android) will prompt you to grant location permission to the Happy Camper app. You must grant “Allow While Using App” or “Allow Once” permission for the app to access your location.
- In-App Consent: In addition to device-level permission, our app will display a consent screen explaining:
  - What location data we collect
  - How we use location data
  - With whom we share location data
  - Your right to withdraw consent

You must affirmatively accept this consent (e.g., by clicking “I Agree” or checking a consent box) before the app will collect your location data.
Ongoing Permission:
Each time you use the app to request roadside assistance, your device will use your location. By initiating a service request, you confirm your ongoing consent to share your location for that specific service request.
9.4 Withdrawing Consent
You may withdraw your consent to location data collection at any time by:
Device Settings:
- iOS: Go to Settings > Privacy & Security > Location Services > Happy Camper > Select “Never” or “Ask Next Time”
- Android: Go to Settings > Location > App Permissions > Happy Camper > Select “Don’t Allow” or “Ask Every Time”
In-App Settings: Within the Happy Camper app, go to Settings > Privacy > Location Services and toggle location sharing off.
Contacting Us: You may contact our Data Protection Officer to withdraw consent (see Section 21).
Consequences of Withdrawing Consent:
If you withdraw consent for location data collection:
- We will not be able to automatically dispatch assistance to your location
- You will need to manually provide your address or coordinates when requesting service
- Service response times may be longer
- Some features of the app may not function properly
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
9.5 Retention of Location Data
We retain your precise geolocation data for the following periods:
- Active Service Requests: Location data is retained in real-time during active service requests and for up to 24 hours after service completion.
- Service History: Location data associated with completed service requests is retained for up to 3 years for record-keeping, claims processing, dispute resolution, and legal compliance purposes.
- Aggregated Analytics: We may retain aggregated, anonymized location data indefinitely for analytics purposes. This data cannot be used to identify you personally.
After these retention periods, we securely delete precise geolocation data or anonymize it so it can no longer be linked to you.
9.6 Sharing of Location Data
We share your precise geolocation data only with:
- Independent Service Providers (ISPs): We share your GPS coordinates with the specific ISP dispatched to assist you so they can navigate to your location.
- Third-Party Dispatch Platform: We use a third-party service provider to manage dispatch operations, which may temporarily process your location data to facilitate service delivery.
- Emergency Services: In emergency situations, we may share your location with 911, police, fire, or medical services if necessary to protect health or safety.
We do not sell, share for advertising purposes, or otherwise disclose your precise geolocation data to third parties except as described above or with your explicit consent.
9.7 Security of Location Data
Location data transmitted from your device to our servers is encrypted using industry-standard TLS 1.2 or higher encryption. Location data stored on our servers is encrypted at rest using AES 256-bit encryption. Access to location data is restricted to authorized personnel on a need-to-know basis.
9.8 Location Data for Minors
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect geolocation data from minors. If you are a parent or guardian and believe we have collected location data from a minor, please contact us immediately.
9.9 State-Specific Location Privacy Rights
California Residents: You have the right to limit our use and disclosure of your precise geolocation data under the CCPA. See Section 18.1 for California-specific rights.
Other State Residents: Residents of certain other states have similar rights regarding geolocation data. See Section 18 for state-specific disclosures.
10. MARKETING COMMUNICATIONS AND CONSENT REQUIREMENTS
10.1 Types of Marketing Communications
Subject to your consent where required by law, we may send you marketing communications about our Services, including:
- Email Marketing: Promotional emails about new features, services, special offers, discounts, contests, surveys, and other information that may be of interest to you.
- Text Message Marketing (SMS/MMS): Promotional text messages about our Services, special offers, and time-sensitive information. Standard message and data rates may apply.
- Direct Mail: Physical mail to your postal address with promotional materials.
- Telephone Marketing: Promotional calls about our Services (where permitted by law and with consent).
- Push Notifications: Mobile app notifications with promotional content (if you have enabled push notifications).
- In-App Messages: Messages displayed within our mobile applications promoting features or offers.
10.2 United States Marketing Consent Requirements
For individuals located in the United States, we comply with the following federal laws governing marketing communications:
Telephone Consumer Protection Act (TCPA):
The TCPA restricts certain telephone solicitations, autodialed calls, prerecorded calls, and text messages. We comply with the TCPA by:
- Obtaining Prior Express Written Consent: Before sending marketing text messages or making marketing calls using an automatic telephone dialing system or prerecorded voice, we obtain your prior express written consent. This consent is provided through:
  - A clear and conspicuous disclosure that you will receive marketing messages
  - A mechanism to provide affirmative consent (e.g., checking a box, clicking “I Agree,” or providing a written signature)
  - Disclosure that consent is not a condition of purchase (where applicable)
- Consent Content: Our consent disclosures clearly state:
  - That you agree to receive marketing text messages or calls from Happy Camper
  - That message and data rates may apply
  - The frequency of messages (e.g., “up to 4 messages per month”)
  - How to opt out (text “STOP” or call us to opt out)
- Recordkeeping: We maintain records of consent for at least 4 years.
- Honoring Opt-Out Requests: We honor all opt-out requests within 10 business days and maintain an internal “Do Not Call” list.
- Calling Time Restrictions: We do not make telemarketing calls before 8 a.m. or after 9 p.m. local time.
- Abandoned Call Rate: For autodialed or prerecorded calls, we maintain an abandoned call rate of no more than 3% per campaign.
CAN-SPAM Act:
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) governs commercial email messages. We comply with CAN-SPAM by:
- No False or Misleading Header Information: Our emails accurately identify Happy Camper as the sender.
- No Deceptive Subject Lines: Subject lines accurately reflect the content of the message.
- Identifying Messages as Ads: We clearly identify promotional emails as advertisements where required.
- Including Physical Address: All commercial emails include our valid physical postal address.
- Providing Opt-Out Mechanism: Every marketing email includes a clear and conspicuous link or mechanism to unsubscribe. The opt-out mechanism:
  - Is easy to use
  - Allows you to opt out of all commercial messages or specific types of messages
  - Is free (no cost to opt out)
  - Does not require you to log in, provide additional information, or take steps other than visiting a single webpage or sending a reply email
- Honoring Opt-Out Requests: We honor opt-out requests within 10 business days.
- Monitoring Third Parties: If we hire third parties to send emails on our behalf, we monitor their compliance with CAN-SPAM.
National Do Not Call Registry:
We comply with Federal Trade Commission (FTC) regulations regarding the National Do Not Call Registry. We do not call phone numbers on the Do Not Call Registry unless an exception applies (such as established business relationship or prior express written consent).
10.3 Canadian Marketing Consent Requirements
For individuals located in Canada, we comply with Canada’s Anti-Spam Legislation (CASL), which governs commercial electronic messages (CEMs), including email and text messages.
Canada’s Anti-Spam Legislation (CASL):
- Express Consent Required: We obtain express consent before sending commercial electronic messages to Canadian residents. Express consent means you have clearly and explicitly agreed to receive messages.
- Consent Mechanism: We obtain consent through:
  - A clear request for consent
  - A description of why we are seeking consent and what messages you will receive
  - An easy-to-use mechanism to provide consent (checkbox, button, etc.)
  - Information about how to withdraw consent
- Identification and Contact Information: Every CEM clearly identifies Happy Camper as the sender and includes our contact information (mailing address and either a telephone number, email address, or web address).
- Unsubscribe Mechanism: Every CEM includes a clear and prominent unsubscribe mechanism that:
  - Is easy to use
  - Does not require payment
  - Allows you to unsubscribe at no cost and without providing additional information
  - Is valid for at least 60 days after the message is sent
- Honoring Unsubscribe Requests: We honor unsubscribe requests within 10 business days.
- Recordkeeping: We maintain records of consent for Canadian recipients, including when, how, and from whom consent was obtained.
Double Opt-In for Text Messages:
For text message marketing to Canadian residents, we implement a double opt-in process:
- Initial Consent: You provide initial consent through our website, app, or other method.
- Confirmation Message: We send a confirmation text message asking you to reply with a specific keyword (e.g., “YES”) to confirm you want to receive marketing texts.
- Verified Consent: Only after you respond with the confirmation keyword do we begin sending marketing text messages.
This double opt-in process ensures clear, verifiable consent as required by CASL.
10.4 How to Provide Consent
You can provide consent to receive marketing communications through:
- Account Registration: When creating an account, you may check a box to opt in to marketing communications.
- Preference Center: You can manage your communication preferences in your account settings or preference center.
- Promotional Sign-Up: You may sign up for newsletters, promotions, or special offers through forms on our website or app.
- In-Store or Event Sign-Up: You may provide consent when signing up for services at events, dealerships, or other locations.
- Text Message Opt-In: For text message marketing, you may text a keyword (e.g., “HAPPYCAMPER”) to a short code to opt in.
In all cases, consent is:
- Freely Given: Providing consent is voluntary and not a condition of using our Services (unless the communication is necessary for service delivery).
- Specific: Consent is obtained for specific types of communications.
- Informed: We clearly explain what you’re consenting to before you provide consent.
- Unambiguous: Consent requires a clear affirmative action (pre-checked boxes do not constitute valid consent).
10.5 How to Opt Out of Marketing Communications
You may opt out of marketing communications at any time using the following methods:
Email Marketing:
- Click the “Unsubscribe” link at the bottom of any marketing email
- Visit your account preference center and adjust email preferences
- Reply to any marketing email with “UNSUBSCRIBE” in the subject line
- Contact us at privacy@thehappycamper.com
Text Message Marketing:
- Reply “STOP,” “UNSUBSCRIBE,” “CANCEL,” “END,” or “QUIT” to any marketing text message
- Visit your account preference center and disable text message marketing
- Contact us at privacy@thehappycamper.com
Telephone Marketing:
- Tell the caller you wish to be placed on our Do Not Call list
- Contact us at 833-243-0349 or privacy@thehappycamper.com
Push Notifications:
- Disable push notifications in your device settings or app settings
Direct Mail:
- Contact us at privacy@thehappycamper.com and request to be removed from our mailing list
All Marketing:
- Contact us at privacy@thehappycamper.com and request to opt out of all marketing communications
Processing Time: We will process your opt-out request within 10 business days. You may receive messages already in progress during this time.
Effect of Opting Out:
- Opting out of marketing communications does not affect transactional or service-related messages (e.g., service confirmations, account alerts, legal notices)
- Opting out of one type of communication (e.g., email) does not automatically opt you out of other types (e.g., text messages) unless you request to opt out of all marketing
- Opting out does not affect our processing of your personal information for non-marketing purposes
10.6 Transactional vs. Marketing Communications
Transactional Communications (No Consent Required): We may send you transactional or service-related communications without your consent, as these are necessary for providing Services. Transactional communications include:
- Service confirmations and appointment notifications
- Status updates for active service requests
- Claims processing updates
- Account notifications and security alerts
- Password reset and verification messages
- Responses to your inquiries
- Legal notices and policy updates
- Payment confirmations and receipts
- Service satisfaction surveys related to a specific service you received
You cannot opt out of transactional communications as they are essential for service delivery and account management.
Marketing Communications (Consent Required): Marketing communications promote our Services, features, offers, or content and require your consent (where applicable). These include:
- Promotional offers and discounts
- New feature announcements (not related to services you’re actively using)
- Newsletters and content marketing
- Contests and sweepstakes
- General surveys not related to a specific service
- Cross-selling and upselling messages
- Referral program invitations
10.7 Third-Party Marketing
We do not sell or rent your personal information to third parties for their own marketing purposes. We do not allow third parties to send you marketing communications on their own behalf using contact information obtained from Happy Camper.
However, we may partner with third parties for joint marketing initiatives. In such cases:
- We will clearly disclose the partnership
- We will obtain your consent for the specific joint marketing initiative
- The third party will be contractually prohibited from using your information for other purposes
- You can opt out of the joint marketing at any time
11. ARTIFICIAL INTELLIGENCE AND AUTOMATED DECISION-MAKING
11.1 Use of Artificial Intelligence
Happy Camper uses artificial intelligence (AI), machine learning, and automated systems in various aspects of our Services. This section describes our AI systems, how they work, and your rights related to automated decision-making.
11.2 Types of AI Systems We Use
Customer Service Chatbots: We use AI-powered chatbots and virtual assistants to:
- Answer frequently asked questions
- Help you navigate the app and find information
- Provide initial triage for customer service inquiries
- Route you to the appropriate human agent when needed
Our chatbots use natural language processing (NLP) to understand your questions and provide relevant responses. Chatbot conversations may be reviewed by human agents for quality assurance and to improve the system.
Predictive Analytics: We use machine learning models for predictive analytics, including:
- Service Demand Forecasting: Predicting when and where roadside assistance services will be needed to optimize our service provider network
- Risk Assessment: Assessing risk factors such as likelihood of claims, fraud risk, and service quality issues
- Customer Churn Prediction: Identifying customers at risk of canceling services to enable proactive retention efforts
- Route Optimization: Predicting optimal routes and estimated arrival times for service providers
- Pricing Optimization: Analyzing market conditions and demand patterns to optimize pricing (for insurance brokerage services)
Fraud Detection: We use AI-powered fraud detection systems to:
- Identify potentially fraudulent service requests or claims
- Detect unusual patterns that may indicate account compromise or identity theft
- Flag transactions that require additional verification
- Protect against payment fraud and unauthorized access
Dispatch Optimization: We use algorithmic systems to:
- Match service requests with the nearest available and qualified independent service providers
- Optimize dispatch decisions based on location, availability, service type, and other factors
- Balance workload across our service provider network
- Minimize response times and improve service quality
Content Personalization: We may use AI to:
- Personalize app content and recommendations based on your preferences and usage patterns
- Customize marketing messages (subject to consent requirements)
- Suggest relevant features or services
Training and Improvement: We use personal information (in anonymized or aggregated form where possible) to train, test, and improve our AI systems and machine learning models. This includes:
- Training chatbots on historical customer service conversations
- Improving predictive models using historical service data
- Enhancing fraud detection algorithms using past fraud patterns
- Refining dispatch algorithms based on service outcomes
11.3 Data Used to Train AI Systems
Our AI systems are trained using:
Historical Service Data:
- Past service requests, including location, service type, time of day, and outcomes
- Claims data and adjudication decisions
- Service provider performance metrics
- Customer satisfaction ratings and feedback
Interaction Data:
- Chatbot conversations and customer service interactions
- App usage patterns and user behavior
- Search queries and navigation paths
Anonymized and Aggregated Data: Where possible, we anonymize or aggregate personal information before using it to train AI models. This means:
- Individual identifiers are removed or replaced with pseudonymous identifiers
- Data is aggregated across many users so individual behavior cannot be identified
- Personal information is stripped from training datasets
However, some AI systems require non-anonymized data for training and operation (such as chatbots responding to your specific questions). In these cases, we implement appropriate safeguards as described in Section 11.6.
Third-Party Data: We may supplement our training data with industry benchmarks, publicly available information, and data from third-party providers to improve model accuracy and reduce bias.
11.4 Automated Decision-Making
Solely Automated Decisions: We engage in limited automated decision-making without human involvement. Automated decisions include:
- Chatbot Responses: Our chatbot provides automated responses to common questions without human review for each interaction.
- Fraud Flags: Our fraud detection system may automatically flag transactions or requests as potentially fraudulent, which triggers additional review (but final decisions are made by humans).
- Dispatch Matching: Our dispatch algorithm automatically matches service requests with service providers based on location, availability, and qualifications.
Decisions with Human Involvement: Most significant decisions involve human review and oversight:
- Claims Adjudication: While our systems may provide recommendations, claims decisions are reviewed and approved by human claims adjusters.
- Account Actions: Decisions to suspend, terminate, or restrict accounts involve human review, especially when based on fraud detection alerts.
- Complex Customer Service: When chatbots cannot resolve an issue or when the matter is complex, the conversation is escalated to a human agent.
- Risk Assessment for Insurance: While AI may assist in risk assessment for insurance products, underwriting decisions involve human review and approval.
11.5 Your Rights Regarding Automated Decision-Making
Right to Human Review: You have the right to request human review of decisions made solely by automated systems, particularly decisions that have legal or similarly significant effects on you. To request human review:
- Contact our Data Protection Officer at fraz@thehappycamper.com
- Explain the decision you wish to contest
- Provide any additional information you believe is relevant
We will conduct a human review of the decision and respond to you within the timeframe required by applicable law (typically 45 days for U.S. residents, 30 days for EEA/UK residents).
Right to Explanation: For certain automated decisions, you have the right to receive meaningful information about the logic involved in the decision-making process. When you request an explanation, we will provide:
- Information about what type of AI system was used
- What factors the system considered
- The general logic of how the decision was made
- How you can contest the decision
However, we may not be able to disclose proprietary algorithms or trade secrets that would compromise our systems or competitive position.
Right to Opt Out (State-Specific): Residents of certain states (including California, Colorado, Connecticut, Virginia, and others) have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. See Section 18 for state-specific rights.
Right to Contest: If you believe an automated decision was made in error or was based on inaccurate information, you have the right to:
- Contest the decision
- Provide additional information or context
- Request correction of inaccurate data
- Request human review
11.6 Safeguards for AI Systems
We implement the following safeguards to ensure our AI systems are fair, accurate, and transparent:
Bias Testing and Mitigation:
- We regularly test our AI models for bias, including bias based on race, gender, age, location, and other protected characteristics
- We use diverse training datasets to reduce bias
- We monitor model outputs for disparate impact
- We adjust models when bias is detected
Accuracy and Quality Assurance:
- We regularly validate model accuracy using test datasets
- We monitor real-world performance and outcomes
- We conduct periodic audits of AI system decisions
- We retrain models when accuracy degrades
Human Oversight:
- Significant decisions undergo human review
- AI systems have escalation mechanisms to involve humans when appropriate
- Humans can override AI decisions
- We maintain human accountability for AI system outcomes
Transparency and Explainability:
- We design systems to be interpretable and explainable where possible
- We document how AI systems work and what data they use
- We provide information to users about AI usage as described in this section
- We are responsive to questions and concerns about AI systems
Data Minimization:
- We limit the personal information used by AI systems to what is necessary
- We use anonymized or aggregated data where possible
- We implement privacy-by-design principles in AI system development
Security:
- AI models and training data are stored securely with encryption and access controls
- We protect against adversarial attacks and model manipulation
- We monitor for unauthorized access to AI systems
Data Protection Impact Assessments: We conduct data protection impact assessments (DPIAs) for AI systems that pose privacy risks, particularly those involving:
- Automated decision-making with legal or significant effects
- Large-scale processing of sensitive personal information
- Systematic monitoring of individuals
- Processing that may result in high risk to individuals’ rights and freedoms
11.7 AI Limitations and Inaccuracies
“Hallucinations” and Errors: AI systems, particularly chatbots and natural language processing systems, may occasionally produce inaccurate, incomplete, or misleading information (sometimes called “hallucinations”). This can occur when:
- The system does not have sufficient information to answer a question
- The system misinterprets a query
- The training data contained errors or biases
- The system extrapolates beyond its actual knowledge
User Responsibility: You should:
- Verify important information provided by chatbots or AI systems
- Use critical judgment when relying on AI-generated content
- Contact a human customer service agent for important decisions or complex matters
- Report inaccuracies so we can improve our systems
No Warranties: We do not warrant or guarantee the accuracy, completeness, or reliability of AI-generated content or decisions. AI systems are provided “as is” subject to the limitations in our Terms of Service.
11.8 Third-Party AI Systems
We may use AI systems and tools provided by third-party vendors, including:
- Cloud-based AI services (e.g., natural language processing APIs)
- Analytics and business intelligence platforms with AI features
- Fraud detection services
- Customer service platforms with AI-powered features
When we use third-party AI systems:
- We select vendors that comply with applicable data protection laws
- We enter into data processing agreements with vendors
- We require vendors to implement appropriate security and privacy safeguards
- We remain responsible for compliance with this Privacy Policy
11.9 Future AI Development
As AI technology evolves, we may implement additional AI systems and capabilities. Material changes to our use of AI that affect your rights will be communicated through updates to this Privacy Policy and, where required by law, through direct notice to affected individuals.
12. COOKIES AND TRACKING TECHNOLOGIES
12.1 What Are Cookies?
Cookies are small text files that are placed on your device (computer, smartphone, tablet) when you visit a website or use an application. Cookies allow the website or app to recognize your device and remember information about your visit, such as your preferences, login status, and browsing activity.
12.2 Types of Cookies and Tracking Technologies We Use
We use the following types of cookies and similar tracking technologies:
First-Party Cookies: Cookies set by Happy Camper directly on our websites and applications.
Third-Party Cookies: Cookies set by third-party service providers, advertising networks, analytics providers, and other partners who provide services on our behalf or integrate their tools into our Services.
Session Cookies: Temporary cookies that expire when you close your browser or app. These are used to maintain your session while you navigate our Services.
Persistent Cookies: Cookies that remain on your device for a set period or until you delete them. These remember your preferences across multiple visits.
Strictly Necessary Cookies: Essential cookies required for our Services to function properly. These cannot be disabled without severely affecting the functionality of our Services.
Performance and Analytics Cookies: Cookies that collect information about how visitors use our Services, such as which pages are visited most often, how long users stay on pages, and error messages. This information is aggregated and used to improve our Services.
Functionality Cookies: Cookies that remember your choices and preferences (such as language preference, location, or username) to provide enhanced, personalized features.
Targeting and Advertising Cookies: Cookies that track your browsing activity across websites to build a profile of your interests and display relevant advertisements. These are primarily set by third-party advertising networks.
Other Tracking Technologies:
In addition to cookies, we use:
- Web Beacons (Pixels): Tiny graphics embedded in emails and web pages that allow us to track whether content has been viewed or clicked.
- Local Storage: HTML5 local storage and similar technologies that store data locally on your device.
- SDKs (Software Development Kits): Code libraries integrated into our mobile applications that collect usage data and enable third-party services.
- Device Fingerprinting: Techniques that combine multiple device and browser characteristics to create a unique identifier for your device.
12.3 Purposes for Using Cookies
We use cookies and tracking technologies for the following purposes:
Essential Functions:
- Authenticating users and maintaining login sessions
- Remembering items in your shopping cart or service requests in progress
- Detecting and preventing fraud and security threats
- Load balancing and ensuring platform stability
- Enabling core features and functionality
Performance and Analytics:
- Measuring website and app performance
- Understanding how users navigate our Services
- Identifying technical errors and issues
- Conducting A/B testing of features
- Generating aggregate statistics and reports
Personalization:
- Remembering your preferences and settings
- Providing language-appropriate content
- Customizing your user interface
- Offering personalized recommendations
Marketing and Advertising:
- Measuring the effectiveness of marketing campaigns
- Serving targeted advertisements based on your interests
- Retargeting users who have visited our website
- Tracking conversions and attribution
- Building audience segments for advertising
12.4 Specific Cookies We Use
The following table lists examples of cookies we use (this is not an exhaustive list):
Cookie Name | Type | Purpose | Duration | Provider
session_id | Session | Maintain user session | Session | Happy Camper
user_pref | Persistent | Remember user preferences | 1 year | Happy Camper
auth_token | Persistent | Keep users logged in | 30 days | Happy Camper
_ga, _gid | Analytics | Google Analytics tracking | 2 years / 24 hours | Google
_fbp | Advertising | Facebook Pixel | 90 days | Facebook
optimizelyEndUserId | Testing | A/B testing | 6 months | Optimizely
For a complete and current list of cookies used on our Services, please visit www.thehappycamper.com/cookie
12.5 Third-Party Services Using Cookies
We work with the following categories of third-party services that may set cookies on our Services:
Analytics Providers:
- Google Analytics
- Adobe Analytics
- Mixpanel
- Amplitude
Advertising Networks:
- Google Ads
- Facebook Ads
- LinkedIn Ads
- Other programmatic advertising platforms
Social Media Platforms:
- Twitter/X
Customer Support:
- Zendesk
- Intercom
- LiveChat
Marketing Automation:
- HubSpot
- Marketo
- Mailchimp
Tag Management:
- Google Tag Manager
- Adobe Launch
These third parties have their own privacy policies governing their use of cookies and personal information. We are not responsible for the privacy practices of third parties.
12.6 Your Cookie Choices
You have several options for controlling cookies:
Cookie Consent Manager: When you first visit our website, you will see a cookie consent banner allowing you to accept or reject non-essential cookies.
Browser Settings: Most web browsers allow you to control cookies through their settings. You can:
- Block all cookies
- Block third-party cookies only
- Delete existing cookies
- Receive alerts when cookies are being set
Browser-specific instructions:
- Chrome: Settings > Privacy and Security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Cookies and website data
- Edge: Settings > Cookies and site permissions > Cookies and data stored
Mobile Device Settings: For mobile apps, you can:
- iOS: Settings > Privacy > Tracking (to control cross-app tracking)
- Android: Settings > Google > Ads > Opt out of Ads Personalization
Opt-Out Tools:
For targeted advertising, you can opt out through:
- Digital Advertising Alliance (DAA): www.aboutads.info/choices
- Network Advertising Initiative (NAI): www.networkadvertising.org/choices
- European Interactive Digital Advertising Alliance (EDAA): www.youronlinechoices.eu
Do Not Track (DNT): Some browsers offer a “Do Not Track” setting. We do not currently respond to Do Not Track signals, as there is no industry-wide standard for how to interpret and respond to such signals. However, you can control cookies through other means as described above.
Global Privacy Control (GPC): We recognize and honor Global Privacy Control (GPC) signals as an opt-out of the “sale” or “sharing” of personal information for residents of states that recognize GPC (currently California, Colorado, and Connecticut).
12.7 Consequences of Disabling Cookies
If you disable or block cookies:
Strictly Necessary Cookies: You cannot opt out of strictly necessary cookies without severely impairing the functionality of our Services. Disabling these cookies may prevent you from:
- Logging into your account
- Using key features
- Completing transactions
Non-Essential Cookies: You can opt out of non-essential cookies (performance, functionality, advertising) without preventing basic use of our Services. However, disabling these cookies may result in:
- Less personalized experience
- Need to re-enter preferences repeatedly
- Inability to use certain features
- Less relevant advertising
- Reduced ability for us to improve our Services
12.8 Cookie Policy Updates
For more detailed information about our use of cookies, please review our Cookie Policy at www.thehappycamper.com/privacy, which is incorporated into this Privacy Policy by reference.
We may update our cookie practices from time to time. Material changes will be communicated through our Cookie Consent Manager and updates to our Cookie Policy.
13. THIRD-PARTY SERVICES AND LINKS
13.1 Third-Party Websites and Services
Our Services may contain links to third-party websites, applications, services, or content that are not owned or controlled by Happy Camper. These may include:
- Links to RV dealerships and manufacturers
- Links to insurance carrier websites
- Links to campground directories and travel resources
- Social media platforms
- Third-party service provider websites
- Advertising networks
- Payment processing platforms
- Other external resources
We Are Not Responsible: This Privacy Policy does not apply to third-party websites or services. We are not responsible for the privacy practices, content, or security of third-party sites. Third-party sites have their own privacy policies, terms of service, and security practices.
Your Responsibility: When you click a link to a third-party site or use a third-party service:
- You leave our Services and this Privacy Policy no longer applies
- You should review the third party’s privacy policy before providing personal information
- You interact with the third party at your own risk
- We cannot control how third parties collect, use, or share your information
13.2 Third-Party Integrations
Our Services may integrate with or interoperate with third-party platforms and services, including:
Social Media Integration: If you connect your Happy Camper account with social media accounts (Facebook, LinkedIn, etc.), the social media platform may:
- Receive information about your use of our Services
- Share your profile information with us
- Post content to your social media account on your behalf (with your permission)
Review the social media platform’s privacy settings and policies to control what information is shared.
Single Sign-On (SSO): If you use third-party authentication services (such as “Sign in with Google” or “Sign in with Apple”) to access our Services:
- The SSO provider may share your profile information with us
- We may share information about your use of our Services with the SSO provider
- Review the SSO provider’s privacy policy to understand data sharing
Third-Party Applications: If you authorize third-party applications to access your Happy Camper account or data:
- You are granting the third-party application permission to access your information
- The third-party application’s privacy policy will govern its use of your information
- You can revoke third-party application access through your account settings
Payment Processors: We use third-party payment processors (such as Stripe, PayPal, etc.) to process payments. When you provide payment information:
- Payment information is transmitted directly to the payment processor
- The payment processor’s privacy policy governs their use of your payment information
- We receive limited information from payment processors (such as transaction confirmations, but not full credit card numbers)
13.3 Co-Branded or White-Labeled Services
When you use roadside assistance services provided through our white-label clients, you may interact with co-branded services or interfaces that combine Happy Camper and client branding. In these situations:
- Both Happy Camper and the client act as joint controllers (as described in Section 8.2)
- Both privacy policies apply
- You should review both Happy Camper’s and the client’s privacy policies
13.4 Third-Party Service Providers
Independent service providers (ISPs) who provide roadside assistance to you are independent contractors, not employees of Happy Camper. When you receive services from an ISP:
- The ISP may collect personal information directly from you
- The ISP’s own privacy practices apply to information they collect directly
- We require ISPs to comply with privacy and security requirements in their contracts with us
- We are not responsible for ISPs’ compliance with privacy laws outside the scope of our contractual relationship
13.5 Advertising and Analytics Services
We work with third-party advertising networks and analytics providers that may collect information about your browsing activity across multiple websites and services to:
- Display targeted advertisements
- Measure advertising effectiveness
- Analyze user behavior and trends
These third parties may use cookies, web beacons, device identifiers, and other tracking technologies. See Section 12 for information about cookies and how to opt out of targeted advertising.
13.6 No Endorsement
Our inclusion of links to third-party sites or integration with third-party services does not imply endorsement of those sites or services. We do not make any representations or warranties about third-party sites, services, products, or content.
14. DATA SECURITY AND INCIDENT RESPONSE
14.1 Our Commitment to Security
We take the security of your personal information seriously and implement comprehensive technical, organizational, and administrative safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, loss, misuse, or destruction.
14.2 Security Framework
Our information security program is based on industry-leading frameworks and standards, including:
- NIST Cybersecurity Framework: We align our security practices with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- ISO/IEC 27000 Series: We implement security controls consistent with the Information Security Management Standard (ISO/IEC 27001 and related standards).
- SOC 2 Type II: We undergo annual SOC 2 Type II audits by independent third-party auditors to verify the effectiveness of our security controls.
- PCI DSS: For payment card processing, we comply with Payment Card Industry Data Security Standard (PCI DSS) requirements through certified payment processors.
14.3 Technical Security Measures
Encryption:
- Data in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher with strong cipher suites. We do not support outdated protocols such as SSL, TLS 1.0, or TLS 1.1.
- Data at Rest: Personal information stored on our servers and databases is encrypted at rest using Advanced Encryption Standard (AES) with 256-bit keys. This includes databases, file storage, backups, and archives.
- End-to-End Encryption: Certain highly sensitive data (such as payment information and passwords) is encrypted end-to-end so that even Happy Camper personnel cannot access it in plain text.
Access Controls:
- Role-Based Access Control (RBAC): We implement role-based access controls to ensure that employees and systems have access only to the personal information necessary for their job functions.
- Principle of Least Privilege: Access rights are granted based on the principle of least privilege, with users receiving the minimum level of access required.
- Multi-Factor Authentication (MFA): All employee access to production systems, databases, and administrative tools requires multi-factor authentication.
- Single Sign-On (SSO): We use centralized single sign-on for access management, allowing for greater control and monitoring.
- Access Reviews: We conduct regular reviews of user access rights to identify and remove excessive or unnecessary privileges.
- Separation of Duties: We segregate conflicting duties and responsibilities to prevent unauthorized actions.
Network and Infrastructure Security:
- Firewalls: We deploy next-generation firewalls to control network traffic and prevent unauthorized access. Firewalls are configured according to industry best practices, with unnecessary ports and services disabled.
- Intrusion Detection and Prevention: We use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor network traffic for suspicious activity and automatically block potential threats.
- Virtual Private Networks (VPNs): Remote access to production systems and sensitive network segments requires connection through encrypted VPN tunnels with multi-factor authentication.
- Network Segmentation: We segment our network into security zones with different trust levels. Production systems are isolated from corporate networks and development environments.
- DDoS Protection: We implement distributed denial-of-service (DDoS) protection to maintain service availability during attacks.
Application Security:
- Secure Software Development Lifecycle (SSDLC): We follow secure development practices throughout the software development lifecycle, including:
  - Threat modeling during design
  - Secure coding standards
  - Code reviews with security focus
  - Automated security testing (SAST/DAST)
  - Dependency scanning for vulnerabilities
  - Penetration testing before major releases
- Input Validation: We validate and sanitize all user inputs to prevent injection attacks (SQL injection, cross-site scripting, etc.).
- Session Management: We implement secure session management, including secure session tokens, automatic session timeouts, and protection against session fixation and hijacking.
- Security Headers: We use HTTP security headers (Content Security Policy, X-Frame-Options, HSTS, etc.) to protect against common web vulnerabilities.
Endpoint and Device Security:
- Full Disk Encryption: All company-owned devices (laptops, mobile devices) use full disk encryption.
- Anti-Malware: We deploy endpoint protection with anti-virus, anti-malware, and behavioral detection capabilities on all company devices.
- Patch Management: We maintain a patch management program to ensure operating systems, applications, and firmware are kept up to date with security patches.
- Screen Lockouts: Company devices are configured to automatically lock after periods of inactivity.
- Mobile Device Management (MDM): We use MDM solutions to enforce security policies on mobile devices accessing company resources.
Logging and Monitoring:
- Centralized Logging: All system logs, authentication logs, access logs, and security-relevant events are collected in a centralized, tamper-resistant log management system.
- Security Information and Event Management (SIEM): We use SIEM tools to aggregate, correlate, and analyze log data to detect security incidents.
- Real-Time Alerts: Our security team receives real-time alerts for suspicious activities, unauthorized access attempts, and potential security incidents.
- Log Retention: We retain security logs for at least 1 year to support incident investigation and compliance requirements.
Vulnerability Management:
- Regular Vulnerability Scanning: We conduct automated vulnerability scans of our infrastructure, applications, and systems on a regular basis (at least weekly).
- Penetration Testing: We engage independent third-party security firms to conduct penetration testing at least annually and before major releases.
- Bug Bounty Program: We maintain a responsible disclosure program (vulnerability discovery program) that allows security researchers to report vulnerabilities. Contact: support@thehappycamper.com
- Remediation: We prioritize and remediate identified vulnerabilities based on severity, with critical vulnerabilities addressed within 72 hours of discovery.
Backup and Disaster Recovery:
- Regular Backups: We perform automated backups of all critical systems and data on at least a daily basis.
- Backup Encryption: All backups are encrypted using strong encryption algorithms.
- Geographic Redundancy: Backups are stored in multiple geographically distributed locations to protect against regional disasters.
- Backup Testing: We regularly test our backup and restoration procedures to ensure data can be recovered in the event of an incident.
- Disaster Recovery Plan: We maintain a comprehensive disaster recovery plan with defined recovery time objectives (RTO) and recovery point objectives (RPO).
14.4 Organizational Security Measures
Personnel Security:
- Background Checks: All employees undergo background checks (including criminal background checks where permitted by law) commensurate with their roles before being granted access to personal information.
- Confidentiality Agreements: All employees, contractors, and vendors with access to personal information sign confidentiality and data protection agreements.
- Security Training: All employees receive security and privacy training upon onboarding and at least annually thereafter. Training covers:
  - Data protection principles and legal requirements
  - Security best practices
  - Recognizing and reporting security threats (phishing, social engineering, etc.)
  - Incident response procedures
- Access Termination: When an employee, contractor, or vendor relationship ends, access to all systems and personal information is revoked within 24 hours.
Vendor and Third-Party Security:
- Vendor Risk Assessment: We conduct security and privacy assessments of vendors and service providers before engaging them and periodically thereafter.
- Contractual Requirements: Our contracts with service providers and subprocessors require them to implement appropriate security measures and comply with data protection laws.
- Vendor Monitoring: We monitor vendor security practices and require vendors to notify us of security incidents that may affect our data.
Physical Security:
- Data Center Security: Our production data is hosted in secure data centers operated by reputable cloud infrastructure providers (Amazon Web Services). These facilities implement:
  - 24/7 physical security and monitoring
  - Biometric access controls
  - Video surveillance
  - Environmental controls (fire suppression, climate control, power redundancy)
  - Physical access logging
- Office Security: Our offices implement appropriate physical security controls, including:
  - Badge access systems
  - Visitor management
  - Security cameras
  - Secure disposal of physical media containing personal information (shredding, degaussing)
Security Governance:
- Security Leadership: We have a dedicated Chief Technology Officer (CTO) and Data Protection Officer (DPO) responsible for overseeing our security and privacy programs.
- Security Policies: We maintain comprehensive security policies covering all aspects of information security, which are reviewed and updated at least annually.
- Risk Management: We conduct regular risk assessments to identify, evaluate, and mitigate security and privacy risks.
- Incident Response Plan: We maintain a written incident response plan that defines roles, responsibilities, and procedures for detecting, responding to, and recovering from security incidents.
- Business Continuity: We maintain business continuity plans to ensure continuity of operations in the event of disruptions.
14.5 Security Incident Response
Detection and Response:
If we become aware of a security incident involving unauthorized access to, disclosure of, or acquisition of personal information (a “Security Incident” or “data breach”), we will:
- Contain and Investigate: Immediately contain the incident, assess the scope and impact, and conduct a thorough investigation.
- Notify Affected Individuals: Notify affected individuals without undue delay and in accordance with applicable law requirements. Notification will be provided via email, account notification, postal mail, or other appropriate means and will include:
  - Description of what happened
  - Types of information involved
  - Steps we are taking to address the incident
  - Steps you can take to protect yourself
  - Contact information for questions
- Notify Regulators: Notify applicable regulatory authorities and supervisory authorities as required by law (e.g., within 72 hours for GDPR breaches, as required by state breach notification laws).
- Notify Business Partners: Notify affected clients and business partners (such as joint controllers) when their data or their customers’ data is impacted.
- Remediate: Take appropriate steps to remediate the vulnerability or issue that led to the incident and prevent recurrence.
- Document: Maintain detailed documentation of the incident, investigation, response actions, and lessons learned.
Timeframes:
- Discovery to Notification: We will notify affected individuals without unreasonable delay, and in no event later than required by applicable law (typically 30-60 days in most U.S. states, without undue delay under GDPR).
- Regulatory Notification: We will notify applicable regulatory authorities within the timeframes required by law (e.g., 72 hours for GDPR, varies by state law).
No Admission of Liability:
Any notification of a Security Incident is provided to comply with legal obligations and to allow affected individuals to take protective measures. Such notification does not constitute an admission of fault, liability, or wrongdoing by Happy Camper.
14.6 Your Role in Security
While we implement robust security measures, security is a shared responsibility. You can help protect your personal information by:
Account Security:
- Choose strong, unique passwords for your Happy Camper account
- Do not share your password with anyone
- Enable multi-factor authentication if available
- Log out of your account when using shared or public devices
- Keep your contact information up to date so we can reach you about security matters
Device Security:
- Keep your devices (smartphone, tablet, computer) secure with passwords, PINs, or biometric locks
- Keep your operating system and applications up to date with the latest security patches
- Use anti-malware software on your devices
- Do not root or jailbreak your devices, as this reduces security protections
- Be cautious when downloading apps from unknown sources
Network Security:
- Use secure, trusted Wi-Fi networks when accessing our Services
- Avoid using public Wi-Fi for sensitive transactions
- Use a VPN when accessing our Services over untrusted networks
Awareness:
- Be suspicious of unsolicited communications asking for personal information or account credentials (phishing)
- Verify the authenticity of emails, calls, or texts claiming to be from Happy Camper
- Do not click on suspicious links or download attachments from unknown senders
- Report suspicious activity or potential security issues to us immediately
Reporting Security Issues:
If you discover a security vulnerability or incident:
- For Account Issues: Contact customer support immediately
- For Security Vulnerabilities: Email our vulnerability discovery program at support@thehappycamper.com
- For Data Breaches: Email privacy@thehappycamper.com or call 833-243-0349
14.7 Limitations
While we implement industry-leading security measures, no system is completely secure. We cannot guarantee absolute security of personal information. You acknowledge and accept that:
- Transmission of information over the internet inherently carries security risks
- Unauthorized access, hacking, data loss, or breaches may occur despite our safeguards
- You use our Services at your own risk
- Our liability for security incidents is limited as set forth in our Terms of Service
15. DATA RETENTION AND DELETION
15.1 Retention Principles
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, enforce our agreements, and protect our legal rights. Our retention practices are based on the following principles:
- Purpose Limitation: We do not retain personal information longer than necessary for the purposes described in this Privacy Policy.
- Legal Compliance: We retain personal information as required by applicable laws, regulations, and legal obligations (such as tax, accounting, employment, and regulatory requirements).
- Legitimate Business Needs: We retain personal information as necessary for legitimate business purposes, including contract enforcement, dispute resolution, fraud prevention, and records management.
- Data Minimization: We periodically review and delete or anonymize personal information that is no longer necessary.
15.2 Retention Periods by Category
The following table outlines our general retention periods for different categories of personal information. Actual retention periods may vary based on specific circumstances, legal requirements, or your jurisdiction.
| Category of Information | Retention Period | Justification |
| --- | --- | --- |
| Account Information (name, email, phone, address) | Duration of active account + 7 years after account closure | Contract performance, legal compliance (statute of limitations) |
| Service Request Data (location, service type, breakdown info) | 3 years after service completion | Claims processing, dispute resolution, quality assurance |
| Geolocation Data (precise GPS coordinates) | 24 hours (real-time); 3 years (historical) | Service delivery; historical records for claims/disputes |
| Payment Information (credit card, bank account) | Duration of active account + 7 years | Payment processing, tax/accounting compliance, fraud prevention |
| Communications (emails, chats, call recordings) | 3 years | Customer service, dispute resolution, training, legal compliance |
| Claims Data (claim submissions, adjudications, outcomes) | 7 years after claim closure | Legal compliance (statute of limitations), audit requirements |
| Marketing Consent Records | 4 years after consent withdrawal | TCPA compliance, demonstrating consent |
| Employment Data (applications, employee records) | 7 years after employment ends | Legal compliance, employment law requirements |
| Website/App Usage Data (logs, analytics, cookies) | 26 months | Analytics, service improvement, GDPR compliance |
| Security Logs (access logs, authentication logs) | 1 year minimum | Security monitoring, incident investigation |
| Aggregated/Anonymized Data | Indefinite | Cannot identify individuals; used for analytics, research |
15.3 Active Account Retention
While Your Account is Active:
While your account is active and you continue to use our Services, we retain your personal information for as long as necessary to:
- Provide Services to you
- Maintain your account and preferences
- Comply with legal obligations
- Enforce our Terms of Service
Account Activity:
We consider an account “active” if you:
- Log into your account
- Request roadside assistance services
- Interact with our customer service
- Open marketing emails or click links (if you’ve opted in)
- Otherwise engage with our Services
Inactive Accounts:
If your account has been inactive for 3 years with no engagement, we may:
- Send you notice that your account will be closed
- Provide you an opportunity to reactivate your account
- Close your account and delete or anonymize your information (subject to retention requirements below)
- Retain limited information necessary for legal compliance and fraud prevention
15.4 Post-Account Closure Retention
After Account Closure:
When your account is closed (whether by you or by us), we do not immediately delete all of your personal information. We retain certain information for the following reasons:
Legal and Regulatory Compliance:
- Tax records: 7 years (IRS requirement)
- Employment records: 7 years (EEOC, DOL requirements)
- Financial transaction records: 7 years (accounting standards, fraud prevention)
- Contract records: Duration of statute of limitations (typically 4-7 years depending on jurisdiction)
- Regulatory records: As required by applicable industry regulations
Fraud Prevention and Security:
- Information about fraudulent accounts, transactions, or activities: Up to 10 years
- Information necessary to prevent individuals from circumventing account terminations: Indefinite (in hashed/anonymized form)
- Security incident records: 7 years
Legal Claims and Disputes:
- Information necessary to establish, defend, or enforce legal claims: Duration of applicable statute of limitations (typically 2-7 years depending on claim type and jurisdiction) plus reasonable period for appeals
Business Records:
- Information contained in business records, reports, and analytics: 7 years
- Backup systems: Until backup rotation cycle completes (typically 90 days), after which backups are deleted
Service History for Customer Benefits:
- If you reactivate your account, we may retain limited service history to restore your account and provide continuity of service
15.5 Deletion and Anonymization Methods
When we delete personal information, we use secure deletion methods including:
Secure Deletion:
- Overwriting data with random data multiple times (multi-pass overwrite)
- Deleting database records and indexes
- Purging from backups during next backup cycle
- Shredding or degaussing physical media
Anonymization: For certain data sets, rather than deletion, we may anonymize personal information by:
- Removing all direct identifiers (name, email, phone, address, etc.)
- Removing or generalizing indirect identifiers (IP addresses, device IDs, precise location, etc.)
- Aggregating data so individual-level information cannot be reconstructed
- Applying differential privacy or other privacy-enhancing techniques
Properly anonymized information is no longer considered personal information and may be retained indefinitely for analytics, research, and business intelligence.
Limitations on Immediate Deletion:
We may not be able to immediately delete personal information from:
- Backup systems (deleted during next backup cycle, typically within 90 days)
- Disaster recovery systems (deleted when restored from backup)
- Archived or decommissioned systems (deleted when system is decommissioned)
- Information held by subprocessors or service providers (deleted after contractual notice period)
- Information required for ongoing legal proceedings, investigations, or disputes (deleted after matter is resolved)
15.6 Retention for Specific Purposes
Roadside Assistance Services:
- Active service requests: Retained until service is completed plus 90 days
- Completed service records: 3 years (for warranty, claims, disputes, quality assurance)
- Claims history: 7 years (statute of limitations for contract and fraud claims)
Insurance Brokerage Services:
- Insurance applications and quotes: 7 years (regulatory requirement, audit trail)
- Policy records: 7 years after policy expiration (insurance regulations, claims)
- Premium and commission records: 7 years (tax and accounting compliance)
Joint Controller Data: When we act as a joint controller with clients, retention periods are determined jointly and set forth in our data processing agreements. Generally:
- Eligibility and enrollment data: Retained by client per their retention policy
- Service delivery data: 3 years (Happy Camper retention)
- Shared analytics and reporting: 7 years (both parties)
Marketing Data:
- Marketing consent records: 4 years after consent withdrawal (TCPA compliance)
- Marketing engagement data (opens, clicks): 3 years
- Unsubscribe/opt-out records: Indefinite (to honor opt-out requests)
Employment Data:
- Job applications (not hired): 2 years (EEOC requirement)
- Employee personnel files: 7 years after employment ends
- Payroll records: 7 years (IRS requirement)
- I-9 forms: 3 years after hire or 1 year after employment ends, whichever is later
15.7 Legal Holds
When personal information is subject to a legal hold (due to litigation, government investigation, or other legal proceedings), we suspend normal retention and deletion processes and preserve the information until the legal hold is lifted. This may result in information being retained longer than the standard retention periods described above.
15.8 Your Deletion Rights
Subject to applicable law and the limitations described in this section, you have the right to request deletion of your personal information. See Section 17 for information about exercising your deletion rights.
Exceptions to Deletion:
We may decline to delete personal information, or may retain certain personal information after a deletion request, when retention is necessary to:
- Complete Transactions: Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you.
- Detect and Resolve Issues: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug and Repair: Debug to identify and repair errors that impair existing intended functionality.
- Exercise Free Speech: Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with Legal Obligations: Comply with the California Electronic Communications Privacy Act (California Penal Code § 1546 et seq.), other legal obligations, or legal process.
- Research: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion would likely render impossible or seriously impair the research’s achievement, provided you have given informed consent.
- Internal Uses: Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Contract Performance: Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
15.9 Contacting Us About Retention
If you have questions about our retention practices or wish to request deletion of your information before the expiration of standard retention periods, please contact us using the information in Section 21.
16. INTERNATIONAL DATA TRANSFERS
16.1 Cross-Border Data Transfers
Happy Camper operates primarily in the United States and Canada. Personal information we collect may be transferred to, stored in, and processed in countries other than the country in which it was originally collected, including the United States, Canada, and other countries where Happy Camper, our affiliates, or our service providers maintain operations or data processing facilities.
These countries may have data protection laws that differ from the laws of your country of residence. By using our Services and providing personal information to us, you acknowledge and consent to the transfer of your personal information to these countries.
16.2 Primary Data Storage Locations
Our primary data storage and processing locations are:
United States:
- Primary production data: Amazon Web Services (AWS) US regions (us-east-1, us-west-2)
- Backup and disaster recovery: AWS US regions (geographically distributed)
- Corporate systems and offices: Nevada, USA
Canada:
- Canadian customer data may be stored in AWS Canada regions (ca-central-1) for compliance with Canadian data residency preferences
- Certain processing may occur in Canada for Canadian customers
Additional Locations: If we establish data storage or processing facilities in additional countries, we will update this Privacy Policy and notify affected individuals as required by law.
16.3 Transfers from the European Economic Area, UK, and Switzerland
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we comply with applicable European Data Protection Laws regarding international data transfers.
Legal Mechanisms for Transfers:
We use the following legal mechanisms to ensure adequate protection for personal data transferred from the EEA, UK, or Switzerland:
Adequacy Decisions:
- Canada: The European Commission has determined that Canada (under PIPEDA) provides an adequate level of protection for personal data. Transfers to Canada are permitted on this basis.
Standard Contractual Clauses (SCCs): For transfers to the United States and other countries without adequacy decisions, we use Standard Contractual Clauses (also known as Model Clauses) approved by the European Commission. The SCCs are contractual commitments between us and data recipients that provide appropriate safeguards for personal data.
The specific SCCs we use depend on the transfer scenario:
- EU SCCs (Decision 2021/914): For GDPR-governed transfers, we use the EU Standard Contractual Clauses adopted by the European Commission on June 4, 2021.
- UK Addendum: For UK GDPR-governed transfers, we use the EU SCCs as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner.
- Swiss SCCs: For Swiss FADP-governed transfers, we use the EU SCCs with Swiss-specific modifications.
The SCCs are incorporated into our data processing agreements with clients and subprocessors. For end users, the essence of the SCC arrangements is as follows:
- Module: We use Module Two (Controller to Processor) when we process personal data on behalf of controllers in the EEA/UK/Switzerland
- Docking Clause: The optional docking clause applies, allowing additional parties to accede to the SCCs
- Subprocessor Changes: We provide prior notice of subprocessor changes as described in our DPA
- Data Subject Rights: Data subjects can enforce their rights under the SCCs
- Governing Law: EU SCCs are governed by Irish law; UK Addendum by UK law; Swiss SCCs by Swiss law
- Competent Courts: Disputes are resolved before the courts of Ireland (EU SCCs), UK (UK Addendum), or Switzerland (Swiss SCCs)
Supplementary Measures: In addition to the SCCs, we implement supplementary technical and organizational measures to protect personal data transferred internationally, including:
- Encryption in transit and at rest
- Pseudonymization where feasible
- Access controls and authentication
- Contractual restrictions on government access
- Transparency about government requests
- Regular security audits and assessments
Data Protection Impact Assessments: We conduct transfer impact assessments (TIAs) to evaluate the level of protection in destination countries and ensure that our safeguards are adequate.
16.4 Transfers to Subprocessors
Our subprocessors (service providers) may process personal data in various countries. We require all subprocessors to:
- Enter into data processing agreements incorporating appropriate transfer mechanisms (SCCs where required)
- Implement appropriate technical and organizational security measures
- Comply with applicable data protection laws
A list of subprocessors and their locations is available upon request.
16.5 U.S. Federal and State Data Transfer Restrictions
While the United States does not currently have federal adequacy recognition from the EU, certain U.S. federal and state laws impose restrictions on data transfers:
GLBA (Financial Services): For financial services regulated under the Gramm-Leach-Bliley Act, we comply with requirements for sharing financial information with nonaffiliated third parties, including offshore service providers.
State Data Breach Notification Laws: Most U.S. states require notification of data breaches involving personal information. When personal information is transferred to third parties, we ensure those parties notify us of breaches so we can comply with notification obligations.
State Privacy Laws: Certain state privacy laws (such as California’s CCPA, as amended by CPRA) regulate transfers of personal information to third parties and service providers. We comply with these requirements through appropriate contractual safeguards.
16.6 Canadian Data Transfer Requirements
PIPEDA: Under PIPEDA, Canadian organizations may transfer personal information outside Canada for processing, provided they:
- Notify individuals of transfers
- Obtain consent where required
- Ensure adequate protection through contractual or other means
- Remain accountable for personal information even when processed by third parties
We comply with these requirements by:
- Disclosing transfers in this Privacy Policy
- Obtaining consent where required
- Using data processing agreements with service providers
- Maintaining oversight of service providers’ compliance
Quebec Law 25: Quebec’s Law 25 imposes specific requirements for transfers outside Quebec, including:
- Prior notice to individuals
- Description of security measures
- Assessment of privacy risks
For Quebec residents, we conduct privacy risk assessments for transfers outside Quebec and implement appropriate safeguards.
16.7 Government Access to Data
Personal information transferred to the United States may be subject to access by U.S. government authorities under U.S. law, including:
- Foreign Intelligence Surveillance Act (FISA)
- Executive Order 12333
- USA PATRIOT Act
- Other national security and law enforcement laws
When we receive lawful government requests for personal information, we:
- Review the request for legal sufficiency
- Challenge overly broad or inappropriate requests where possible
- Notify affected individuals when legally permitted
- Disclose only the information legally required
- Publish transparency reports about government requests (to the extent permitted)
Data subjects in the EEA, UK, and Switzerland may have rights to redress under applicable data transfer mechanisms (such as the SCCs) if government access occurs in violation of those mechanisms.
16.8 Your Rights Regarding International Transfers
Right to Object: If you are located in the EEA, UK, or Switzerland, you may have the right to object to the transfer of your personal data to countries outside those regions. However, such objection may prevent us from providing Services to you if the transfer is necessary for service delivery.
Right to Information: You have the right to obtain information about the safeguards we use for international transfers. Contact our Data Protection Officer for more information.
Right to Lodge Complaints: If you believe international transfers of your personal data do not comply with applicable law, you may lodge a complaint with a supervisory authority:
- EEA: Contact your national Data Protection Authority
- UK: Information Commissioner’s Office (ICO) – ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) – edoeb.admin.ch
16.9 Changes to Transfer Practices
We may change our data transfer practices, locations, or mechanisms from time to time. Material changes will be communicated through updates to this Privacy Policy and, where required by law, through direct notice to affected individuals.
17. YOUR PRIVACY RIGHTS AND CHOICES
The privacy rights available to you depend on your location and the applicable data protection laws in your jurisdiction. This section describes general privacy rights, while Section 18 provides jurisdiction-specific details for U.S. states, and Section 22 provides details for other jurisdictions.
17.1 Right to Access
What It Means: You have the right to request access to the personal information we hold about you. This is sometimes called a “right to know” or “subject access request.”
What You Can Request:
- Confirmation of whether we process your personal information
- Categories of personal information we collect
- Specific pieces of personal information we hold about you
- Sources from which we collected your information
- Purposes for which we use your information
- Categories of third parties with whom we share your information
- How long we retain your information
How to Exercise: Submit a request through:
- Email: privacy@thehappycamper.com
- Phone: 833-243-0349
- Mail: Happy Camper Roadside LLC, Attn: Privacy Officer, 6543 South Las Vegas Boulevard, 2nd Floor, Las Vegas, Nevada 89119
Response Time: We will respond to access requests within the timeframe required by applicable law:
- U.S. residents: Typically 45 days, extendable by 45 days for complex requests
- EEA/UK residents: Typically 30 days, extendable by 60 days for complex requests
- Canadian residents: Typically 30 days
Format: We will provide information in a portable and, to the extent technically feasible, readily usable format (such as PDF, CSV, or JSON).
Limitations: We may decline access requests or redact information when disclosure would:
- Adversely affect others’ privacy rights
- Violate legal or ethical obligations
- Compromise security or fraud prevention measures
- Reveal trade secrets or confidential commercial information
- Interfere with pending legal proceedings or investigations
17.2 Right to Correction (Rectification)
What It Means: You have the right to request correction of inaccurate, incomplete, or outdated personal information.
What You Can Request:
- Correction of factual errors in your personal information
- Completion of incomplete personal information
- Update of outdated information
How to Exercise: You can correct certain information directly through your account settings. For other corrections, submit a request using the contact methods above.
Our Obligations: When we receive a correction request, we will:
- Verify your identity
- Investigate the accuracy of the information
- Correct verified inaccurate information
- Notify third parties to whom we disclosed the inaccurate information (where appropriate and feasible)
Response Time: Same as access requests (see Section 17.1).
Limitations: We may decline correction requests when:
- The information is accurate
- You cannot provide evidence supporting the correction
- Correction would violate legal or regulatory requirements
- The information is opinion or judgment rather than fact
17.3 Right to Deletion (Erasure)
What It Means: You have the right to request deletion of your personal information, subject to certain exceptions.
What You Can Request:
- Deletion of your account and associated personal information
- Deletion of specific categories of personal information
- Deletion of personal information collected during a specific time period
How to Exercise: Submit a deletion request using the contact methods in Section 17.1. You may also delete your account through account settings, which will trigger deletion of associated personal information subject to retention requirements.
Our Obligations: When we receive a deletion request, we will:
- Delete personal information from active systems
- Direct service providers to delete the information
- Delete information from backups during the next backup cycle (typically within 90 days)
- Anonymize information if deletion is not feasible
Response Time: Same as access requests (see Section 17.1).
Exceptions: We may decline or defer deletion requests when retention is necessary for:
- Completing Transactions: Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you.
- Detecting and Resolving Issues: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug and Repair: Debug to identify and repair errors that impair existing intended functionality.
- Exercise Free Speech: Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with Legal Obligations: Comply with the California Electronic Communications Privacy Act (California Penal Code § 1546 et seq.), other legal obligations, or legal process.
- Research: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion would likely render impossible or seriously impair the research’s achievement, provided you have given informed consent.
- Internal Uses: Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Contract Performance: Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
See Section 15.8 for detailed exceptions to deletion.
17.4 Right to Data Portability
What It Means: You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit that information to another controller (where technically feasible).
What You Can Request:
- Export of your personal information in portable format (CSV, JSON, XML, etc.)
- Direct transmission to another service provider (where technically feasible)
How to Exercise: Submit a portability request using the contact methods in Section 17.1, specifying your preferred format.
Scope: Portability applies to:
- Personal information you provided to us
- Information collected through automated means (with your consent or based on contract)
Portability does not apply to:
- Inferred or derived information (predictions, analytics)
- Information obtained from third parties
- Information about others
Availability: This right is primarily available to EEA/UK residents under GDPR/UK GDPR. Some U.S. state laws provide similar rights.
17.5 Right to Opt-Out of Sale or Sharing
What It Means: You have the right to opt out of the “sale” or “sharing” of your personal information as those terms are defined under applicable state privacy laws.
Our Practices: Happy Camper does not “sell” personal information in the traditional sense (i.e., exchanging personal information for monetary compensation). However, under the broad definitions in some state laws, certain data sharing practices may constitute a “sale” or “sharing,” including:
- Sharing personal information with advertising partners for targeted advertising
- Using third-party analytics and advertising cookies that track users across websites
How to Opt Out:
Universal Opt-Out Methods:
- Do Not Sell or Share Link: Click the “Do Not Sell or Share My Personal Information” link in our website footer
- Cookie: https://thehappycamper.com/cookie/
- Global Privacy Control (GPC): We honor browser-based Global Privacy Control signals as an opt-out
- Email: Send opt-out request to privacy@thehappycamper.com
What Happens When You Opt Out:
- We will stop sharing your personal information with third parties for targeted advertising
- We will disable third-party advertising cookies on our websites
- You may still see advertising, but it will be less relevant to your interests (contextual rather than targeted)
- We will continue to share personal information with service providers for necessary business purposes (such as payment processing, roadside assistance delivery)
Limitations: Opting out does not affect:
- Sharing with service providers acting on our behalf
- Sharing required for service delivery
- Sharing required by law
- Sharing with your consent for specific purposes
17.6 Right to Limit Use of Sensitive Personal Information
What It Means: Under certain state laws (such as California’s CPRA), you have the right to limit our use and disclosure of Sensitive Personal Information to purposes necessary to provide requested services and other specified purposes.
Our Collection of Sensitive Personal Information: We collect the following categories of Sensitive Personal Information:
- Precise geolocation data
- Account login credentials
- Financial account information (for payment processing)
- Social Security numbers (for employment, identity verification)
- Government-issued ID numbers
- Contents of communications with us
Our Uses: We use Sensitive Personal Information only for the following purposes:
- Providing requested services (dispatching roadside assistance, processing payments)
- Security and fraud prevention
- Verifying identity
- Employment purposes
- Legal compliance
- Other purposes disclosed at the time of collection
We do not use or disclose Sensitive Personal Information for purposes of inferring characteristics about you beyond what is necessary to provide Services.
How to Exercise: If you believe we are using Sensitive Personal Information beyond necessary purposes, you may submit a request to limit use by contacting privacy@thehappycamper.com.
17.7 Right to Opt Out of Profiling/Automated Decision-Making
What It Means: Under certain state laws, you have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Our Practices: See Section 11 for information about our use of AI and automated decision-making. Most of our automated decisions do not produce legal or similarly significant effects. Where they do, we provide human review.
How to Exercise: To opt out of profiling, contact privacy@thehappycamper.com and specify which automated processes you wish to opt out of. Note that opting out may affect our ability to provide certain Services.
17.8 Right to Non-Discrimination
What It Means: We will not discriminate against you for exercising your privacy rights. This means we will not:
- Deny goods or services to you
- Charge different prices or rates for goods or services
- Provide a different level or quality of goods or services
- Suggest that you will receive a different price, rate, level, or quality of goods or services
Permissible Differences: We may offer financial incentives or different prices if the difference is reasonably related to the value provided by your personal information. Any such programs will be clearly disclosed and require your opt-in consent.
Service Limitations: In some cases, exercising privacy rights may affect our ability to provide Services:
- Deleting your account will terminate access to Services
- Opting out of geolocation will impair our ability to dispatch assistance to your location
- Deleting payment information will prevent us from processing payments
These are natural consequences of your choices, not discriminatory practices.
17.9 Right to Withdraw Consent
What It Means: Where we process your personal information based on consent, you have the right to withdraw consent at any time.
How to Withdraw:
- Marketing Consent: Use the unsubscribe link in emails, reply STOP to text messages, or contact privacy@thehappycamper.com
- Geolocation Consent: Disable location services in your device settings or app settings
- Cookie Consent: Adjust settings in our Cookie Consent Manager
- Other Consent: Contact privacy@thehappycamper.com
Effect of Withdrawal:
- Withdrawal does not affect the lawfulness of processing before withdrawal
- We may continue processing on other legal bases (contract, legitimate interests, legal obligation)
- Withdrawal may affect our ability to provide certain Services
17.10 Right to Object
What It Means: For EEA/UK residents, you have the right to object to processing based on legitimate interests or for direct marketing purposes.
How to Exercise: Contact privacy@thehappycamper.com and specify which processing you object to and your reasons.
Our Response: We will stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for establishment, exercise, or defense of legal claims.
Direct Marketing: You have an absolute right to object to direct marketing. We will stop such processing upon your objection.
17.11 Right to Restrict Processing
What It Means: For EEA/UK residents, you have the right to request restriction of processing in certain circumstances:
- You contest the accuracy of personal information (during verification)
- Processing is unlawful but you prefer restriction to deletion
- We no longer need the information but you need it for legal claims
- You have objected to processing (pending our response)
Effect: When processing is restricted, we will store the information but not use it (except with your consent, for legal claims, to protect others’ rights, or for important public interests).
17.12 Rights Related to Joint Controllers
When Happy Camper and a white-label client act as joint controllers:
- You can exercise rights against either controller
- Happy Camper will coordinate with the client to provide complete responses
- Each controller is responsible for its area of processing
- Both controllers must comply with your requests (subject to legal exceptions)
17.13 Rights for Authorized Agents
You may authorize another person or entity to submit privacy rights requests on your behalf (an “authorized agent”). We require authorized agents to:
- Provide proof of authorization (power of attorney, signed authorization form, etc.)
- Verify their own identity
- Verify your identity
We may deny requests from authorized agents who cannot provide adequate proof of authorization.
17.14 Verification of Identity
To protect your privacy and security, we verify your identity before responding to privacy rights requests. Our verification process may include:
- Matching information you provide with information in our records
- Asking you to confirm recent transactions or account details
- Requiring you to access your account to submit the request
- For sensitive requests (such as deletion), requiring additional verification steps
If we cannot verify your identity, we may decline the request.
17.15 No Fee for Requests
We do not charge a fee for processing privacy rights requests. However, we may charge a reasonable fee or decline the request if it is manifestly unfounded, excessive, or repetitive.
17.16 Appeals Process
If we decline your privacy rights request or you are unsatisfied with our response:
Internal Appeal: You may appeal our decision by contacting privacy@thehappycamper.com within 30 days and explaining the basis for your appeal. We will respond to appeals within 45 days (or as required by applicable law).
Regulatory Complaint: You have the right to lodge a complaint with a supervisory authority:
- U.S. State Residents: Contact your state Attorney General or consumer protection office
- EEA Residents: Contact your national Data Protection Authority
- UK Residents: Information Commissioner’s Office (ICO) – ico.org.uk
- Canadian Residents: Office of the Privacy Commissioner of Canada (OPC) – priv.gc.ca, or provincial privacy commissioners
See Section 22 for jurisdiction-specific contact information.
18. STATE-SPECIFIC PRIVACY RIGHTS AND DISCLOSURES
This section provides detailed privacy rights and disclosures for residents of U.S. states with comprehensive privacy laws. If you are a resident of one of these states, the provisions in this section apply to you in addition to the general provisions in this Privacy Policy.
18.1 California Residents (CCPA/CPRA)
Effective Date: January 1, 2020 (CCPA); January 1, 2023 (CPRA)
Applicability: These provisions apply to California residents as defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
Categories of Personal Information We Collect:
In the preceding 12 months, we have collected the following categories of personal information from California consumers:
| Category | Examples | Collected? |
| --- | --- | --- |
| A. Identifiers | Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers | YES |
| B. Personal information categories listed in Cal. Civ. Code § 1798.80(e) | Name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information | YES |
| C. Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information) | LIMITED (incidentally collected, not intentionally collected for roadside services) |
| D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies | YES |
| E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data | NO |
| F. Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement | YES |
| G. Geolocation data | Physical location or movements | YES |
| H. Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information | YES (call recordings, photos submitted by consumers) |
| I. Professional or employment-related information | Current or past job history or performance evaluations | YES (for employment purposes and ISP contractors) |
| J. Non-public education information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records | YES (for employment purposes only) |
| K. Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | YES |
| L. Sensitive Personal Information | (See Below) | YES |
Categories of Sensitive Personal Information We Collect:
| Category | Collected? | Purpose |
| --- | --- | --- |
| Social security, driver’s license, state identification card, or passport number | YES | Identity verification, employment, fraud prevention |
| Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account | YES | Authentication, payment processing |
| Precise geolocation | YES | Dispatching roadside assistance |
| Racial or ethnic origin, religious or philosophical beliefs, or union membership | NO | Not collected |
| Contents of mail, email, and text messages where we are not the intended recipient | NO | We are the intended recipient of communications sent to us |
| Genetic data | NO | Not collected |
| Biometric information for the purpose of uniquely identifying a consumer | NO | Not collected |
| Personal information collected and analyzed concerning a consumer’s health | LIMITED | Only if voluntarily disclosed; not required for roadside services |
| Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation | NO | Not collected |
Sources of Personal Information:
We collect personal information from the following sources:
- Directly from you (account registration, service requests, communications)
- Automatically from your device (cookies, usage data, location data)
- From our white-label clients
- From independent service providers (service completion confirmations)
- From third-party service providers (dispatch platforms, payment processors)
- From data brokers and marketing partners
- From publicly available sources
- From social media platforms
- From your device operating system (for mobile app data)
Business and Commercial Purposes for Collecting Personal Information:
We use personal information for the following business and commercial purposes:
- Providing roadside assistance services
- Processing transactions and payments
- Customer service and support
- Claims adjudication and dispute resolution
- Fraud prevention and security
- Marketing and advertising (with consent)
- Analytics and service improvement
- AI training and development
- Legal compliance
- Protecting rights and safety
- Other purposes described in Section 5
Categories of Third Parties With Whom We Share Personal Information:
We share personal information with the following categories of third parties:
- Independent service providers (ISPs) – tow truck operators, mobile mechanics
- Service providers and subprocessors – cloud hosting, payment processors, analytics, marketing
- Joint controller clients – white-label partners
- Advertising networks and partners
- Social media platforms
- Data analytics providers
- Government and law enforcement (when required by law)
- Legal and professional advisors
- Corporate affiliates
- Business transaction parties (mergers, acquisitions)
Sale or Sharing of Personal Information:
In the preceding 12 months:
“Sale” of Personal Information: We do NOT sell personal information for monetary consideration.
“Sharing” of Personal Information: We may “share” personal information for cross-context behavioral advertising purposes. Specifically, we share the following categories of personal information with advertising networks and analytics providers:
- Identifiers (IP address, device ID, cookie ID)
- Internet or network activity information (browsing behavior, pages viewed)
- Geolocation data (approximate location derived from IP address, not precise GPS)
- Inferences (interests, preferences)
Third Parties With Whom We Share for Advertising:
- Google (Google Ads, Google Analytics)
- Facebook/Meta (Facebook Pixel, Facebook Ads)
- Other advertising networks and platforms
Retention Period: Personal information is retained as described in Section 15. Generally:
- Active account data: Duration of account + 7 years
- Service history: 3 years
- Geolocation: 24 hours (real-time); 3 years (historical)
- Marketing data: Until you opt out + 4 years (consent records)
Your California Privacy Rights:
As a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know: Request disclosure of:
  - Categories of personal information collected
  - Categories of sources
  - Business or commercial purposes for collection
  - Categories of third parties with whom we share information
  - Specific pieces of personal information we hold about you
- Right to Delete: Request deletion of personal information we collected from you, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Opt out of the “sale” or “sharing” of your personal information.
  - We honor Global Privacy Control (GPC) signals
- Right to Limit Use of Sensitive Personal Information: Request that we limit use of Sensitive Personal Information to purposes necessary for providing requested services.
- Right to Opt-Out of Automated Decision-Making: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
How to Exercise Your Rights:
- Email: privacy@thehappycamper.com
- Phone: 833-243-0349
- Mail: Happy Camper Roadside LLC, Attn: Privacy Officer, 6543 South Las Vegas Boulevard, 2nd Floor, Las Vegas, Nevada 89119
Verification: We will verify your identity before processing requests using information you provide and information in our records.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization.
Response Time: We respond to requests within 45 days (extendable by 45 days for complex requests).
California “Shine the Light” Law: Under California Civil Code Section 1798.83, California residents have the right to request information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes, so no disclosure is required.
California Minors: If you are a California resident under age 18 and have registered for an account, you may request removal of content you posted publicly. Contact privacy@thehappycamper.com. Note: Removal does not ensure complete or comprehensive removal, as content may remain in cached or archived pages, or may have been republished by others.
18.2 Virginia Residents (VCDPA)
Effective Date: January 1, 2023
Applicability: These provisions apply to Virginia residents as defined under the Virginia Consumer Data Protection Act (VCDPA).
Your Virginia Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we collected from you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: If we deny your request, you may appeal by contacting privacy@thehappycamper.com within a reasonable time. We will respond within 60 days. If you are unsatisfied, you may contact the Virginia Attorney General at www.oag.state.va.us.
18.3 Colorado Residents (CPA)
Effective Date: July 1, 2023
Applicability: These provisions apply to Colorado residents as defined under the Colorado Privacy Act (CPA).
Your Colorado Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable, readily usable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
Universal Opt-Out Mechanism: We honor Global Privacy Control (GPC) signals as an opt-out.
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: If we deny your request, you may appeal within a reasonable time. We will respond within 45 days. If unsatisfied, you may contact the Colorado Attorney General at coag.gov.
18.4 Connecticut Residents (CTDPA)
Effective Date: July 1, 2023
Applicability: These provisions apply to Connecticut residents as defined under the Connecticut Data Privacy Act (CTDPA).
Your Connecticut Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
Universal Opt-Out Mechanism: We honor Global Privacy Control (GPC) signals as an opt-out.
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: If we deny your request, you may appeal within a reasonable time. We will respond within 45 days (extendable by 60 days). If unsatisfied, you may contact the Connecticut Attorney General at portal.ct.gov/AG.
18.5 Utah Residents (UCPA)
Effective Date: December 31, 2023
Applicability: These provisions apply to Utah residents as defined under the Utah Consumer Privacy Act (UCPA).
Your Utah Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Note: Utah law does not provide a statutory appeal process or right to correct.
18.6 Montana Residents (MCDPA)
Effective Date: October 1, 2024
Applicability: These provisions apply to Montana residents as defined under the Montana Consumer Data Privacy Act (MCDPA).
Your Montana Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Montana Attorney General at dojmt.gov.
18.7 Oregon Residents (OCPA)
Effective Date: July 1, 2024
Applicability: These provisions apply to Oregon residents as defined under the Oregon Consumer Privacy Act (OCPA).
Your Oregon Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 45 days. If unsatisfied, contact the Oregon Attorney General at doj.state.or.us.
18.8 Texas Residents (TDPSA)
Effective Date: July 1, 2024
Applicability: These provisions apply to Texas residents as defined under the Texas Data Privacy and Security Act (TDPSA).
Your Texas Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Texas Attorney General at texasattorneygeneral.gov.
18.9 Delaware Residents (DPDPA)
Effective Date: January 1, 2025
Applicability: These provisions apply to Delaware residents as defined under the Delaware Personal Data Privacy Act (DPDPA).
Your Delaware Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Delaware Attorney General at attorneygeneral.delaware.gov.
18.10 Iowa Residents (ICDPA)
Effective Date: January 1, 2025
Applicability: These provisions apply to Iowa residents as defined under the Iowa Consumer Data Protection Act (ICDPA).
Your Iowa Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 90 days (extendable by 45 days) – Iowa provides a longer initial response time than most states
Appeal: You may appeal denied requests. We will respond within 45 days. If unsatisfied, contact the Iowa Attorney General at iowaattorneygeneral.gov.
18.11 Nebraska Residents (NDPA)
Effective Date: January 1, 2025
Applicability: These provisions apply to Nebraska residents as defined under the Nebraska Data Privacy Act (NDPA).
Your Nebraska Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Nebraska Attorney General at ago.nebraska.gov.
18.12 New Jersey Residents (NJDPA)
Effective Date: January 15, 2025
Applicability: These provisions apply to New Jersey residents as defined under the New Jersey Data Privacy Act (NJDPA).
Your New Jersey Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the New Jersey Attorney General at njoag.gov.
18.13 Tennessee Residents (TIPA)
Effective Date: July 1, 2025
Applicability: These provisions apply to Tennessee residents as defined under the Tennessee Information Protection Act (TIPA).
Your Tennessee Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Tennessee Attorney General at tn.gov/attorneygeneral.
18.14 Maryland Residents (MODPA)
Effective Date: October 1, 2025
Applicability: These provisions apply to Maryland residents as defined under the Maryland Online Data Privacy Act (MODPA).
Your Maryland Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Maryland Attorney General at marylandattorneygeneral.gov.
18.15 New Hampshire Residents (NHPA)
Effective Date: January 1, 2025
Applicability: These provisions apply to New Hampshire residents as defined under the New Hampshire Privacy Act (NHPA).
Your New Hampshire Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the New Hampshire Attorney General at doj.nh.gov.
18.16 Minnesota Residents (MCDPA)
Effective Date: July 31, 2025
Applicability: These provisions apply to Minnesota residents as defined under the Minnesota Consumer Data Privacy Act (MCDPA).
Your Minnesota Privacy Rights:
- Right to Access: Confirm whether we process your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data we hold about you
- Right to Data Portability: Obtain a copy of personal data in a portable format
- Right to Opt-Out: Opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in furtherance of decisions that produce legal or similarly significant effects
How to Exercise: Use the contact methods in Section 18.1.
Response Time: 45 days (extendable by 45 days)
Appeal: You may appeal denied requests. We will respond within 60 days. If unsatisfied, contact the Minnesota Attorney General at ag.state.mn.us.
18.17 Nevada Residents
Nevada Privacy Law (SB 220):
Nevada residents have the right to opt out of the “sale” of personally identifiable information by an online service. We do not currently sell personally identifiable information as defined under Nevada law. If our practices change, we will update this Privacy Policy and provide Nevada residents with the ability to opt out.
If you are a Nevada resident and have questions, contact privacy@thehappycamper.com.
18.18 Other U.S. States
If you reside in a U.S. state not listed above, you may not have specific statutory privacy rights under state privacy laws, but you still have rights under federal laws and our general privacy commitments described in Section 17.
We monitor emerging state privacy laws and will update this Privacy Policy as new laws take effect.
19. CHILDREN’S PRIVACY
19.1 Age Restrictions
Our Services are not intended for, and may not be used by, individuals under 18 years of age. We do not knowingly collect, use, or disclose personal information from children under 18.
19.2 COPPA Compliance
The Children’s Online Privacy Protection Act (COPPA) requires parental consent for the collection of personal information from children under 13. Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13.
19.3 Parental Notice
If you are a parent or guardian and believe that your child under 18 has provided personal information to us, please contact us immediately at privacy@thehappycamper.com. We will:
- Verify the report
- Delete the child’s information from our systems
- Terminate any associated account
- Take steps to prevent future collection
19.4 Age Verification
We rely on the following methods to prevent collection of information from minors:
- Age gates and declarations during account registration
- Terms of Service requiring users to be 18 or older
- Monitoring and investigation of accounts suspected of belonging to minors
19.5 School and Educational Use
Our Services are not designed for use in schools or educational settings and are not marketed to educational institutions. If we become aware that a school has signed up students under 18, we will terminate the accounts and delete the information.
20. CHANGES TO THIS PRIVACY POLICY
20.1 Right to Modify
We reserve the right to modify, amend, or update this Privacy Policy at any time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons.
20.2 Notice of Material Changes
- Prominent Notice: Posting a prominent notice on our websites and mobile applications.
- Email Notification: Sending an email to the address associated with your account (if provided).
- In-App Notification: Displaying a notification when you next log into our mobile application.
- Updated Effective Date: Updating the “Last Updated” date at the top of this Privacy Policy.
- Direct Mail: In certain circumstances, sending notice by postal mail.
20.3 Definition of Material Changes
Material changes include, but are not limited to:
- Changes to the categories of personal information we collect
- Changes to the purposes for which we use personal information
- New categories of third parties with whom we share personal information
- Changes to your rights or how to exercise them
- Material changes to data security practices
- Changes to data retention periods
- New uses of sensitive personal information
- Changes required by law
20.4 Non-Material Changes
For non-material changes (such as clarifications, corrections of typos, updates to contact information, or other minor modifications), we may update this Privacy Policy without providing advance notice. We encourage you to review this Privacy Policy periodically.
20.5 Effective Date of Changes
Changes to this Privacy Policy will become effective:
- On the date specified in the updated Privacy Policy, or
- 30 days after we provide notice of material changes (whichever is later)
Your continued use of our Services after the effective date of changes constitutes your acceptance of the updated Privacy Policy.
20.6 Objecting to Changes
If you object to changes to this Privacy Policy:
- You may stop using our Services
- You may close your account
- For certain changes, you may opt out of the specific practice (such as opting out of new marketing uses)
- You may exercise your privacy rights (such as deletion) before the changes take effect
If you do not agree to the updated Privacy Policy, you must stop using our Services.
20.7 Reviewing Changes
We recommend that you review this Privacy Policy periodically to stay informed about our privacy practices. You can determine when this Privacy Policy was last updated by referring to the “Last Updated” date at the top of this document.
20.8 Archive of Previous Versions
Upon request, we can provide previous versions of this Privacy Policy for your review. Contact privacy@thehappycamper.com to request archived versions.
21. CONTACT US AND DATA PROTECTION OFFICER
21.1 Privacy Questions and Requests
- Email: privacy@thehappycamper.com
- Phone: 833-243-0349
- Mail: Happy Camper Roadside LLC, Attn: Privacy Officer / DPO, 6543 South Las Vegas Boulevard, 2nd Floor, Las Vegas, NV 89119
21.2 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our privacy program and ensuring compliance with data protection laws.
Data Protection Officer:
Fraz Jamil, CTO and Data Protection Officer
Email: fraz@thehappycamper.com
Phone: 833-243-0349
You may contact our DPO directly with:
- Questions about this Privacy Policy
- Privacy rights requests
- Data protection concerns
- Complaints about our privacy practices
- Questions about international data transfers
- Requests for information about our data processing activities
21.3 Customer Service
For general customer service inquiries not related to privacy:
- Email: support@happycamperapp.com
- Phone: 833-243-0349
- In-App: Use the “Help” or “Contact Us” feature in our mobile application
21.4 Security Incident Reporting
To report security vulnerabilities or incidents:
- Email: support@thehappycamper.com (vulnerability discovery program)
- Email: privacy@thehappycamper.com (data breaches or privacy incidents)
- Phone: 833-243-0349
21.5 Response Time
We strive to respond to all privacy inquiries and requests within:
- General inquiries: 5-10 business days
- Privacy rights requests: Timeframes specified in Section 17 and Section 18 (typically 30-45 days depending on jurisdiction)
- Security incidents: Immediately upon receipt
21.6 Language
This Privacy Policy is provided in English. If you require this Privacy Policy in another language, please contact us and we will make reasonable efforts to accommodate your request.
22. JURISDICTION-SPECIFIC ADDENDA
22.1 European Economic Area, United Kingdom, and Switzerland
Applicability: These provisions apply to individuals located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland whose personal data is subject to the GDPR, UK GDPR, or Swiss FADP.
Legal Basis for Processing: See Section 6 for detailed information about our legal bases for processing your personal data.
Your GDPR/UK GDPR/Swiss FADP Rights:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure / “right to be forgotten” (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
- Rights related to automated decision-making and profiling (Article 22 GDPR)
- Right to withdraw consent (Article 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
How to Exercise Your Rights: Contact our Data Protection Officer using the information in Section 21.
Supervisory Authorities:
If you believe we have violated your rights under the GDPR, UK GDPR, or Swiss FADP, you may lodge a complaint with a supervisory authority:
EEA: Contact your national Data Protection Authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en
UK: Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Phone: +44 303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch
