AutoRevolution Privacy Policy: Your Data Security

Last Updated: March 25, 2026

Effective Date: July 1, 2004

This Privacy Policy describes how Metzger Enterprises LLC dba AutoRevolution, including its subsidiaries and affiliates (“Company,” “we,” “us,” or “our”), respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, process, and safeguard personal information in connection with our website hosting, CMS, CRM, marketing, analytics, applications, SMS communication, artificial intelligence tools, and related services (collectively, the “Services”).

This Policy applies to users across the United States and Canada and is designed to comply with applicable laws including This Privacy Policy is designed to comply with applicable U.S. federal and state privacy laws, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”) including AI Act, Texas Data Privacy and Security Act ("TDPSA"), Connecticut Data Privacy Act ("CTDPA"), and other applicable laws.

1. Scope and Applicability

1.1 Scope

This Privacy Policy applies to personal information collected:

• Through our Services;
• Through websites hosted on behalf of dealerships and clients (“Hosted Sites”);
• Through communications, events, transactions, and business relationships.

1.2 Role of the Company

Depending on the context of processing:

• AutoRevolution acts as a data controller when determining the purposes and means of processing personal information for its own business operations.
• AutoRevolution acts as a service provider or processor when processing personal information on behalf of dealerships or other clients.

This Privacy Policy does not apply to:

• Third-party websites, services, or platforms not controlled by AutoRevolution
• Dealerships, and clients using our platform (their policies govern their practices)

2. Categories of Personal Information Collected

We collect the following categories of personal information:

2.1 Identifiers

• Name, email address, mailing address, phone number
• IP address, device identifiers, online identifiers
• Image and photographic data

2.2 Customer Records

• Billing and shipping address
• Account credentials
• Account history
• Payment-related metadata (processed by third-party processors)

2.3. Commercial Information

• Transaction records/data, products or services purchased, obtained, or considered
• Preferences, interactions, and transaction history

2.4. Internet / Network Activity

• Browsing history, search history, interactions with our Services
• Pages viewed, referring URLs, clickstream data
• Session recordings and interactions
• Device and usage analytics

2.5. Device and Technical Data

• Browser type, operating system, analytics data
• Device identifiers

2.6. Geolocation Data

• Approximate location derived from IP or device settings
• Approximate location derived from photo identifiers

2.7 Audio, Electronic, or Visual Information

• Call recordings for quality assurance
• Chat transcripts, support logs, and communications
• Images and vehicle photos submitted through our platform

2.8 Financial Information (if applicable)

• Credit application data
• Income and employment information

2.9 Professional or Employment Information

• Business name, job title, dealership affiliation

3.0 Inferences / Profiling Data

• Preferences, interests, characteristics, and behavioral insights derived from usage

3.1. Sensitive Personal Information (CPRA Definition)

We may collect limited categories of sensitive personal information, including:

• Precise or approximate geolocation (if enabled and permitted by law)
• Account login credentials
• Financial/credit related information related to transactions (if submitted)

We use Sensitive Personal Information only as reasonably necessary to:

• Provide Services
• Prevent fraud and ensure security
• Process transactions

ou may have the right to limit use of sensitive data under applicable law.

3. Sources of Personal Information

We collect personal information from:

• You directly (forms, communications, account creation);
• Your employers, organization, or business partners;
• Automated technologies (cookies, pixels, analytics tools);
• Third-party partners, service providers, and integrations (dealerships, marketing providers, data integrations, social media)
• Service providers acting on our behalf
• Device identifiers
• Publicly available sources

4. Purposes for Processing Personal Information

We process personal information for the following purposes:

4.1 Business and Operational Purposes

• Provide, operate, maintain, and improve the Services;
• Process transactions, payments, and fulfill contractual obligations;
• Account creation, authentication, and management;
• Lead generation, process and manage leads, and CRM functionality and services;
• Deliver marketing, advertising, and campaign measurement;
• Personalize content and user experience;
• Conduct analytics and performance tracking;>/li>
• Enable SMS and communication services;
• Detect fraud and ensure security;
• Comply with legal obligations, and compliance.

4.2 Communication

• Respond to inquiries and support requests;
• Send service-related and administrative notifications and communications.

4.3 Marketing and Advertising

• Send promotional communications (with opt-out rights and applicable consent requirements);
• Measure campaign effectiveness;
• Personalizing user experiences where permitted by law.

4.4 Security and Legal Compliance

• Detect and prevent fraud or illegal activity;
• Security monitoring and incident response;
• Compliance with legal and regulatory obligations.

4.5 Product Development and Analytics

• Monitor performance, data analysis, research, and product enhancement the Services;
• Develop new features and offerings;
• Debugging and system performance monitoring.

4.6 Legal Bases for Processing (Where Applicable)

• Contractual necessity;
• Legitimate business interests;
• Consent (where required);
• Legal obligations.

4.7 Data Minimization and Purpose Limitation

We collect, use, and retain personal information only to the extent reasonably necessary and proportionate to achieve the purposes described in this Privacy Policy, consistent with applicable law.

5. Cookies, Tracking Technologies, and Consent

We use cookies and similar technologies, including:

• First-party cookies (strictly necessary essential cookies functionality);
• Third-party cookies (analytics, performance tools, advertising, and marketing technologies (where permitted);
• Pixels, session replay tools, and heatmaps (e.g., Microsoft Clarity).
• Analytics platforms

5.1 Categories of Cookies

• Strictly Necessary – required for operation;
• Performance/Analytics – measure usage;
• Advertising – personalize content.

5.2 Consent Mechanisms

Where required by law:

• Users may accept, reject, or customize cookie preferences banner;
• We honor legally recognized opt-out signals, including the Global Privacy Control (GPC).

5.3 Opt-Out Options

• Browser settings to block cookies (may affect functionality);
• Device-level controls;
• Mobile device advertising ID settings for opt-out;
• Google Analytics opt-out tools (Browser Add-on);
• Global Privacy Control (GPC) signals (honored where required).

6. Disclosure of Personal Information

We may disclose personal information to:

6.1 Service Providers (Processors)

• Hosting providers
• Analytics providers
• CRM systems and database providers
• SMS and communications vendors
• Advertising and marketing providers
• Payment Processors
• IT Services

6.2 Advertising and Marketing Partners

We may “sell” or “share” personal information (as defined by applicable law) for targeted advertising purposes.

6.3 Business Partners

When jointly offering products or services

• Automotive dealerships
• Marketing partners
• Reseller Partnerships

6.4 Legal and Compliance

• When required by law enforcement or regulatory authorities to protect rights and safety
• To enforce rights or prevent harm

6.5 Corporate Transactions

• In connection with mergers, acquisitions, or asset sales

7. Sale, Sharing, and Targeted Advertising

We may engage in “sale” or “sharing” of personal information under certain state laws.

We may disclose personal information to third parties such as:

• Marketing and advertising platforms
• Analytics providers
• CRM and marketing platforms

These disclosures may constitute:

• “Selling” or “Sharing” under California law
• “Targeted advertising” under other state laws
• "Profiling"

You have the right to opt out of these activities.

• To exercise your rights, click the Do Not Sell or Share My Personal Information link for more information or contact us.
• Enable Global Privacy Control (GPC) in your browser.

8. Use of Cookies and Tracking Technologies

We use:

• Essential cookies
• Pixels
• Session replay technologies and tools
• Advertising cookies
• Analytics cookies and tools

These technologies help us:

• Understand user behavior
• Deliver targeted advertising
• Improve our Services

Please see our Cookie and Tracking page for more information.

Global Privacy Control (GPC):

We recognize and honor Global Privacy Control (GPC) signals as valid opt-out requests where required by law.

9. Artificial Intelligence (AI), Automated Decision-Making, and Governance

9.1 Artificial Intelligence (AI)

We may incidentally capture images that include individuals.

We:

• Do not use facial recognition
• Do not sell biometric data
• Obtain consent where required
• Retain only as necessary
• Delete securely

9.2 Automated Decision-Making

We use automated systems, including artificial intelligence, to:

• Analyze user behavior
• Personalize content and communications
• Optimize and improve marketing performance

These activities may constitute “profiling” under applicable laws.

Your Rights:

• You may opt out of profiling or automated decision-making that produces legal or similarly significant effects by contacting us.
• Request information about automated processing

9.3 AI Governance

We implement safeguards to:

• Reduce bias
• Monitor system performance
• Enable human oversight where appropriate

10. Data Retention

Data is retained as long as your account exists or as needed to provide Services, comply with legal obligations, resolve disputes, or enforce agreements.

• Account data: duration of relationship + up to 36 months
• Lead data: up to 24 months
• Analytics data: 12-26 months
• Marketing data: up to 24 months after last interaction
• Financial/transaction data: up to 7 years
• Legal/compliance data: as required by law or to protect rights
• SMS data: 4 years (TCPA compliance)

Biometric data (if any) is retained:

• Only as long as necessary for the purpose collected
• Or as required by law
• Then permanently deleted

Retention periods may vary based on legal obligations and business needs. We may retain data longer where required by law. We delete or anonymize data when no longer needed.

11. Data Minimization

We limit collection to what is reasonably necessary and proportionate to the purposes described.

12. Consumer Privacy Rights

Depending on your location and subject to applicable law, individuals may have the following rights:

• Right to Access personal information;
• Right to Correct inaccuracies;
• Right to Delete personal information;
• Right to Opt Out of sale/sharing;
• Right to Opt Out of targeted advertising;
• Right to Opt Out of profiling;
• Right to data portability.
.

Appeals

If your request is denied, you may appeal by contacting us at: support@autorevolution.com

13. Canadian Privacy Rights

Canadian residents have rights under applicable privacy laws, including access and correction rights.

14. Your Privacy Rights (Multi-State)

Depending on your state of residence, you may have the following rights:

• Access your personal information
• Correct inaccurate information
• Delete your personal information
• Obtain a copy (portability)

Sensitive Data Rights

• Limit use of sensitive data
• Withdraw consent (where applicable)

Opt out of:

• Sale of personal information
• Sharing for targeted advertising
• Profiling in furtherance of significant decisions

How to Exercise Your Rights:

Submit a request via:

• Web form: Opt Out Request Form
• Email: support@autorevolution.com

We may verify your identity before processing requests.

Appeals:

If your request is denied, you may appeal by contacting:

• Email: support@autorevolution.com

15. State-Specific Privacy Rights

15.1 California (CCPA / CPRA)

• Right to know, delete, correct;
• Right to opt out of sale/sharing;
• Right to limit sensitive data use.

15.2 Texas Residents (TDPSA)

• Access, delete, correct;
• Opt out of targeted advertising and profiling.

15.3 Virgina Residents (VCDPA)

• Access, delete, correct;
• Opt out of targeted advertising;
• Right to appeal decisions.

15.4 Colorado Residents (CPA + AI Act 2026)

• Opt out of profiling;
• AI transparency rights.

15.5 Connecticut Residents (CTDPA)

• Sensitive data consent;
• Profiling opt-out.

15.6 Utah Residents (UCPA)

• Access and opt-out rights.

15.7 Other States (Oregon, Montana, Tennessee, Indiana, Kentucky, Rhode Island, Conniticut, Oregon, Delaware, Iowa, Indiana, Tennessee)

Similar rights including:

• Access
• Deletion
• Opt-out of targeted advertising

Specialized Laws

• Illinois Biometric Information Privacy Act (BIPA);
• State Data Broker Laws (CA): We will follow 28. Data Broker Disclosure
• 50-State Breach Notification Laws: We will follow section 20. Data Breach Notification Clause in accordance with applicable federal and state laws.

16. Exercising Privacy Rights

Requests may be submitted through:

• Web form: Opt Out Request Form
• Email: support@autorevolution.com

Verification

We may verify your identity prior to processing requests.

Response Time

We respond within 45 days, extendable where permitted.

Appeals

Appeals:

If your request is denied, you may appeal by contacting:

• Email: support@autorevolution.com

17. Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

18. Data Security

• We implement reasonable administrative, technical, and physical safeguards designed to protect personal information;
• No internet system is fully secure; we do not guarantee absolute security;
• In the event of a data breach, we will follow section 20. Data Breach Notification Clause in accordance with applicable federal and state laws.

19. Data Transfers

We operate in the United States and Canada. Data may be processed in the U.S. and other jurisdictions.

Your information may be processed in jurisdictions with different privacy laws.

20. Data Breach Notification Clause

In the event of a data breach involving personal information, we will:

• Investigate and contain the incident promptly
• Notify affected individuals without unreasonable delay and in accordance with applicable state laws
• Provide notice within required statutory timelines, including 30 days where mandated
• Notify relevant regulatory authorities when required

Notifications will include:

• Nature of the breach
• Categories of data affected
• Provide steps individuals can take to protect themselves
• Contact individuals for further assistance

21. Financial Information (GLBA Notice)

If you submit financial or credit-related information:

• Such data may be subject to the Gramm-Leach-Bliley Act (GLBA)
• We implement safeguards to protect this information
• Data is used only for permitted purposes
• Additional privacy notices may apply

22. Image Data / Vehicle Photography and Biometric Data

Biometric Information and Image Data Processing

Our photography application is designed to capture and process images of vehicles for inventory, marketing, and analytics purposes.

While images are intended to capture vehicles, they may incidentally include individuals or facial features that could be considered biometric identifiers under applicable law.

To the extent biometric information is collected, we will:

• Limit collection to what is necessary;
• Obtain consent where required by law;
• Not sell or profit from biometric data;
• Retain data only as long as necessary;
• Use safeguards to protect such data;
• Delete biometric data in accordance with legal requirements.

We use technologies designed to blur, minimize, or remove incidental human capture.

We do not use facial recognition to identify individuals.

23. Third-Party Links

Our Services may contain links to third-party websites.

We are not responsible for their privacy practices.

24. Children’s Online Privacy Protection Act (COPPA)

Our Sites are not directed to children under 13, and we do not knowingly collect personal information from children under 13.

If such data is identified:

• If we discover such information, we will delete it immediately.
• Parents may contact us to request deletion

25. Changes to This Policy

We may update this Privacy Policy periodically.

Changes will be posted with a revised “Last Updated” date.

26. Contact Information

• Metzger Enterprises LLC dba AutoRevolution
• Mailing Address: 334 East Church Street, Lewisville TX 75057
• Email: support@autorevolution.com
• Phone: (972) 243-8460

27. Notice of Right to Opt Out

You have the right to opt out of the sale or sharing of your personal information.

• See: Do Not Sell or Share My Personal Information

28. Data Broker Disclosure

If we qualify as a data broker under applicable law, we will:

• Register as required
• Provide deletion mechanisms
• Comply with applicable data broker obligations

Critical Exceptions

AutoRevolution is not a data broker.

You are NOT a data broker if:

• Acting purely as a service provider/processor
• Processing data only on behalf of a client
• No independent use or monetization