PRIVACY POLICY FOR U.S. CUSTOMERS & PRIVACY NOTICE FOR U.S. APPLICANTS AND EMPLOYEES

At Driven Brands, we respect the privacy of our customers, applicants, and employees and strive to protect their Personal Data while delivering excellent products, services, and customer support.

• If you are a customer, please refer to the Privacy Policy for U.S. Customers.
• If you are an applicant or employee, please refer to the Privacy Notice for U.S. Applicants and Employees.

PRIVACY POLICY FOR U.S. CUSTOMERS

Last Updated: November 26, 2024

This Privacy Policy describes how Driven Brands–including Auto Body Repair of America (“ABRA”), Auto Glass Now, CARSTAR, MAACO, Take 5 Car Wash, Take 5 Oil Change, 1-800-Radiator & A/C, Meineke, Driven Advantage, and our subsidiaries and affiliated companies (collectively “Driven”, “we,” “us,” or “our”)–collects, stores, uses, discloses and otherwise processes Personal Data of our U.S. customers. This Privacy Policy applies whenever and through whatever means you interact with us in the United States, including through our websites, mobile applications, and our physical locations, and to all of our products and services (collectively our “Services”).

This Privacy Policy does not apply to Personal Data that is collected by or that you provide directly to an owner or operator of one of our independent franchises (“Franchisees”). Franchisees may have their own privacy policies that apply in those cases.

If you reside in California, you can view our California-specific disclosures here. To the extent this Privacy Policy conflicts with local law in your jurisdiction, local law controls.

BROWSE A TOPIC

1. Personal Data we Collect and Process
2. Sources of Personal Data
3. Purposes for Collecting and Processing Personal Data
4. Disclosure of Personal Data
5. Retention of Personal Data
6. Sensitive Personal Data
7. Privacy Rights and Choices
8. Security
9. Children
10. Changes to This Privacy Notice
11. How to Contact Us

1. PERSONAL DATA WE COLLECT AND PROCESS

Personal Data is any information that directly identifies you (such as your name) or that reasonably can be used to identify you, indirectly (such as your telephone number). When you interact with us, the Personal Data we process can include, but is not limited to, the following:

• Identifiers, such as your name, signature, alias, postal address, email address, device identifiers, telephone number, account name, Social Security number, driver's license number, passport number, and other similar identifiers.
• Vehicle Information, such as your license plate number, vehicle identification number (“VIN”), automobile insurance policy number, vehicle make, model and year, and general vehicle condition.
• Demographic Information, such as your age, veteran or military status, socioeconomic status, and sensitive information as described below.
• Sensitive Information, such as your race, color, ancestry, national origin, citizenship, marital status, sex (including gender, gender identity, and gender expression), and sexual orientation.
• Commercial Information, such as which of our Services you purchase, obtain, or consider; your other purchasing histories and consumer tendencies; and transactional information including your credit card or debit card number or other payment information, time and place of purchase, and rewards program balance.
• Activity and Usage Information, such as your use of our Services, including the time, date, and length of time of use; the pages you view, including the time spent on each page and clicks on each page; how you got to the Services (i.e., referring URL) and any links you click on to leave the Services; metadata about your use of the Services and your email conversions with us (including clicks and opens) including communications when you interact with our chatbots; and other interactions with us.
• Device Information, such as unique personal identifier, online identifier, Internet Protocol address (which may be used to infer general location at a city or country level), and browser type and version when interacting with us.
• Geolocation Data, such as your physical location or movements when interacting with us.
• Audiovisual Information, such as recordings of phone calls with us or our representatives and CCTV footage of you and your vehicle in our locations.

2. SOURCES OF PERSONAL DATA

We collect and obtain your Personal Data from multiple sources. In the past twelve (12) months, we have obtained Personal Data as follows:

• Directly from you: For example, we may collect your Personal Data when you submit a form to us, purchase our products or services, or interact with us through our chatbots or on social media.
• Indirectly from you: For example, we may collect usage information from your interactions with us through our website and mobile applications, including through the use of cookies and pixels. Some of these technologies may be supported by service providers or third parties.
• From our Franchisees: We may receive Personal Data about you directly from our Franchisees.
• From our service providers: We collect Personal Data about you from service providers and processors that assist us in running our business.
• From third parties: In some cases, third parties such as those who help support our marketing, advertising, and promotions may provide us with Personal Data about you. For example, third-party vendors may provide us with personal identifiers, vehicle information, demographic information, internet or other electronic network activity information, or other types of Personal Data when you browse our website, open our emails, or click on an online advertisement. The collection and use of your Personal Data by these third parties is governed by their respective privacy policies.

3. PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA

We use Personal Data for the following purposes described below and as otherwise permitted or required by applicable law.

• Driven Services: To provide our Service and operate our business, including providing customer service, supporting our Franchisees, and administering our website and mobile applications. Driven also uses Personal Data to process your purchases or requests for products or services and related administration.
• Communications: To communicate with you (including to inform you about our Services) including when you interact with our chatbots, to respond to your inquiries, and for other customer service purposes, to advise you of changes or additions to the sites, and/or any of our products or services.
• Product Research and Development: For research and analytical purposes, including to better understand how users access and use our Services, to improve our Services, and to respond to user preferences.
• Inferences: To draw inferences about you, including your preferences and demographic information, your vehicle condition, and our Services that may interest you.
• Authentication, Integrity, Security, and Safety: To help maintain the safety, security, and integrity of our Services, databases and other technology assets, our business, as well as your account, orders, and deliveries.
• Marketing and Promotions: To assist in marketing and advertising our Services, including on third-party websites. Driven also uses Personal Data to tailor the content and information that we may send or display to you, to offer location customization and personalized help and instructions, and to otherwise personalize your experience while using our Services.
• Legal Reasons: To comply with federal, state and local laws, cooperate with and respond to law enforcement requests, and as otherwise required by applicable law, court order, or governmental regulations. Driven may also use your Personal Data to protect the rights and interests of us and/or our Franchisees, such as to resolve any disputes, to enforce this Privacy Policy or any other policy, to protect the rights or property of another, or to prevent harm.
• Change of Ownership: We may use your Personal Data to evaluate or conduct a merger, sale, or other acquisition of some or all of our organization or its assets, as well as to evaluate prospective Franchisees.

4. DISCLOSURE OF PERSONAL DATA

Driven may disclose Personal Data in the following circumstances or as otherwise described in this Privacy Policy:

• Corporate Affiliates: Between and among Driven and our current and future affiliates, subsidiaries, and other companies under common control and ownership.
• Franchisees: With our Franchisees in order to provide our Services or for their own use, including for marketing purposes.
• Service Providers: With third-party service providers to perform certain tasks on our behalf, including to provide, support, and improve our Services, provide and support our technical infrastructure, and for business services such as payment processing. Driven may also rely on third-party service providers to provide marketing, advertising, and business analytics based on your interaction with Driven or our Services. Driven’s service providers are subject to contractual and technical requirements prohibiting them from using Personal Data for any purpose other than to provide services as requested by Driven or otherwise as required by law.
• Marketing and Advertising Partners: With third-party marketing and advertising providers to provide analysis about how people are using Driven products and services, including our website; and to provide advertising and marketing for Driven products and services, including targeted advertising based on your use of our website. These third- party partners may receive information about your activities on Driven’s website through third-party cookies placed on Driven’s website. To opt out of our use of third-party cookies that share data with these partners, visit our cookie management tool, available in Cookies Settings, or please refer to Section 7: Privacy Rights and Choices. Where required by law, Driven will first obtain your consent before engaging in the marketing or advertising activities described.
• Change of Control: We may share Personal Data with actual or prospective acquirers, their representatives and other relevant participants in, or during negotiations of, any sale, merger, acquisition, restructuring, or change in control involving all or a portion of Driven’s business or assets.
• Other: Driven may share Personal Data as needed to: (1) comply with applicable law or respond to, investigate, or participate in valid legal process and proceedings, including from law enforcement or government agencies; (2) enforce or investigate potential violations of its Terms of Service or policies; (3) detect, prevent, or investigate potential fraud, abuse, or safety and security concerns, including threats to the public; (4) protect our and our customers’ rights and property; (5) resolve disputes and enforce agreements; or (6) with your consent or at your direction.

5. RETENTION OF PERSONAL DATA

We retain Personal Data only for so long as necessary to fulfill the purposes for which it was collected or as otherwise required by applicable law. When assessing retention periods, we first carefully examine whether it is necessary to retain the Personal Data and, if retention is required, work to retain the Personal Data for the shortest possible period permissible under law.

6. SENSITIVE PERSONAL DATA

As described above, certain types of Personal Data may be considered “sensitive” and subject to additional legal rights and obligations. Driven collects sensitive Personal Data, including Social Security number, driver’s license, and certain demographic information only to provide our Services, as described in this Privacy Policy. Where required by law, we will obtain your consent before processing your sensitive Personal Data. If you have any questions about our handling of your sensitive Personal Data or to withdraw your consent, please contact privacy@drivenbrands.com. Please refer to Section 7: Privacy Rights and Choices for more information.

7. PRIVACY RIGHTS AND CHOICES

Depending on where you live, you may have certain rights to manage your Personal Data, such as:

• Right to Know and Access: The right to know and access the Personal Data we have collected about you.
• Right to Data Portability: The right to receive a copy of the Personal Data described above in a portable format.
• Right to Correct: The right to correct inaccuracies in your Personal Data, in certain circumstances.
• Right to Delete: The right to request that we delete your Personal Data.
• Right to Opt-Out of “Sales” and “Sharing” for Targeted Advertising: We may sell or share your Personal Data for targeted advertising purposes. You can opt out of our selling or sharing your Personal Data by submitting form and by implementing the Global Privacy Control (“GPC”). For instructions on how to download and use GPC, please visit https://globalprivacycontrol.org/.
• Right to No Discrimination: The right not to be discriminated against for exercising any of your privacy rights.
• Right to Appeal: Sometimes we are unable to process requests relating to your Personal Data, in which case, your request will be denied. Depending on where you live, you may have the right to appeal our denial of your privacy rights request if you believe we have done so in error. To appeal the denial of your privacy rights request, please email us at the address below.

To exercise any privacy rights available to you, you may submit a request to us using any of the following methods:

• Online Request Form: Complete the online Request Form located here.
• E-mail: Email privacy@drivenbrands.com
• Phone: Call 1-877-625-8499.

We will provide a timely response, in accordance with applicable law. In some instances, we may request additional information to verify your identity before we can process your request. You may designate an authorized agent to submit your verified consumer request by providing written permission and verifying your identity, or through proof of power of attorney.

8. SECURITY

We use appropriate technical, administrative, and physical controls to help protect your Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee security. Driven is not liable or responsible for use or disclosure of your Personal Data that is the result of unauthorized or illegal access to our systems or those of third parties. If you believe the security of your Personal Data has been compromised, please notify us immediately at privacy@drivenbrands.com.

9. CHILDREN

Driven’s Services are not intended for or directed at children under the age of 16, nor do we knowingly collect Personal Data from children under the age of 16. Where legally required, we obtain parental consent before collecting Personal Data from children under the age of 18. We also do not knowingly sell, share, use for targeted advertising or disclose the Personal Data of children under the age of 18.

10. CHANGES TO THIS PRIVACY POLICY

We occasionally may update this Privacy Policy to account for changes in our collection and/or processing of Personal Data and will publish the updated Privacy Policy on our website. When we do, we will revise the "Last Updated" date at the top. Your continued use of our Services after the effective date of any modification to this Privacy Policy will be deemed to be your agreement to the applicable terms. If we make material changes to this Privacy Policy, we will take required steps to notify you and provide you an opportunity to review before you choose to continue using our products and services. We encourage you to periodically review this Privacy Policy to learn how Driven collects, uses, and protects your Personal Data.

11. HOW TO CONTACT US

For questions or concerns about our Privacy Policy, please email us at privacy@drivenbrands.com.

CALIFORNIA PRIVACY NOTICE

Last Updated: November 16, 2024

This California Privacy Notice (“California Notice”) supplements the information contained in the Privacy Policy for U.S. Customers and applies solely to individual consumers in the State of California (“consumers” or “you”). Unless otherwise expressly stated, all terms in this California Notice have the same meaning as defined in our Privacy Policy or applicable law.

COLLECTION AND USE OF PERSONAL DATA

Last Updated: November 16, 2024

We collect Personal Data from and about consumers for a variety of purposes. To learn more about the types of Personal Data we collect, the sources from which we collect or receive Personal Data, and the purposes for which we use this information, please refer to the Personal Data We Collect and Process, Sources of Personal Data, and Purposes for Collecting and Processing Personal Data sections of our Privacy Policy.

In the last twelve (12) months, we have collected the following categories of Personal Data:

• Identifiers, such as name, postal address, email address, telephone number, and other similar identifiers.
• Vehicle Information, such as license plate number, vehicle identification number (“VIN”), automobile insurance policy number, vehicle make, model and year, and general vehicle condition.
• Demographic Information, such as age, race, color, citizenship, marital status, socioeconomic status, and sex.
• Commercial Information, such as payment card number, time and place of purchase, and rewards program balance.
• Internet Activity and Usage Information, such as the pages you view, the links you click on to leave our Services, and other interactions with our Services, including when you interact with our chatbots.
• Device Information, such IP address, browser type, and other device identifiers.
• Geolocation Data, such as your physical location or movements during interactions with us.
• Audiovisual Information, such as recordings of phone calls with us or our representatives and CCTV footage in our locations.
• Inferences to create a profile about you, including your preferences, characteristics, and behavior.
• Sensitive Personal Data, such as Social Security number, driver's license number, passport number, race, color, ancestry, national origin, citizenship, sex (including gender, gender identity, and gender expression), and sexual orientation.

SOURCES OF PERSONAL DATA

We collect Personal Data from a variety of sources including, but not limited to:

• Directly from you.
• Indirectly from you.
• From our Franchisees.
• From our service providers.
• From third parties.

PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA

We use Personal Data for the following purposes described below and as otherwise permitted or required by applicable law.

• Driven Services: To provide our Services and operate our business, including providing customer service, supporting our franchisees, and administering our website and mobile applications. Driven also uses Personal Data to process your purchases or requests for products or services and related administration.
• Communications: To communicate with you (including to inform you about our Services) including when you interact with our chatbots, to respond to your inquiries, and for other customer service purposes, to advise you of changes or additions to our websites and applicable policies, and/or any of our products or services.
• Product Research and Development: For research and analytical purposes, including to better understand how users access and use our Services, to improve our Services, and to respond to user preferences.
• Inferences: To draw inferences about you, including your preferences, our Services that may interest you, vehicle condition, and demographic information.
• Authentication, Integrity, Security, and Safety: To help maintain the safety, security, and integrity of our Services, databases and other technology assets, our business, as well as your account, orders, and deliveries.
• Marketing and Promotions: To assist in marketing and advertising our Services, including on third-party websites. Driven also uses Personal Data to tailor the content and information that we may send or display to you, to offer location customization and personalized help and instructions, and to otherwise personalize your experience while using our Services.
• Legal Reasons: To comply with federal, state and local laws, cooperate with and respond to law enforcement requests, and as otherwise required by applicable law, court order, or governmental regulations. Driven may also use your Personal Data to protect our rights and interests and those of our independently owned and operated Franchisees, such as to resolve any disputes, to enforce our Privacy Policy or any other policy, to protect the rights or property of another, or to prevent harm.
• Change of Ownership: We may use your Personal Data to evaluate or conduct a merger, sale, or other acquisition of some or all of our organization or its assets, as well as to evaluate prospective Franchisees of ours.

DISCLOSURE OF PERSONAL DATA

In the previous twelve (12) months, we have disclosed all of the categories of Personal Data we collect to corporate affiliates, Franchisees, service providers, and marketing and advertising partners for the various uses, including to provide Driven Services, for communications, for product research and development, to make inferences about you, for authentication, integrity, security and safety, for marketing and promotions, for legal reasons, or for change of ownership, as described in more detail in the Purposes for Collecting and Processing Personal Data section above.

PRIVACY RIGHTS AND CHOICES

California consumers have specific rights regarding their Personal Data, including a right to knowledge, access, correction, and deletion of their Personal Data, including to know the categories of Personal Data disclosed to third parties for marketing purposes. California consumers also have a right to opt out of the sale or sharing of their Personal Data by a business, a right not to be discriminated against for exercising their California privacy rights, and the right to limit the use of their sensitive Personal Data.

We may sell or share the Personal Data described in the Collection and Use of Personal Data section with Franchisees and marketing and advertising partners for various purposes, including cross-context behavioral advertising. You have the right to opt out of any such selling or sharing.

You can opt out of our selling or sharing your Personal Data by implementing the Global Privacy Control (“GPC”). For instructions on how to download and use GPC, please visit https://globalprivacycontrol.org/.

To exercise any privacy rights available to you, you may also submit a request to us using any of the following methods:

• Online Request Form: Complete the online Request Form located here.
• E-mail: Email privacy@drivenbrands.com
• Phone: Call 1-877-625-8499.

We will provide a timely response, in accordance with applicable law. In some instances, we may request additional information to verify your identity before we can process your request. You may designate an authorized agent to submit your verified consumer request by providing written permission and verifying your identity, or through proof of power of attorney. Sometimes, we may be unable to process requests relating to your Personal Data, in which case, your request will be denied. To appeal the denial of your privacy rights request, please email us at privacy@drivenbrands.com.

If you would like to opt-out of receiving marketing communications from us, please contact us at privacy@drivenbrands.com.

Driven does not knowingly sell or share for cross-context behavioral advertising the Personal Data of consumers under 16 years of age. For more information about the treatment of children’s Personal Data, please refer to our Privacy Policy, Section 9: Children.

LIMIT THE USE AND DISCLOSURE OF SENSITIVE PERSONAL DATA

We may collect Personal Data that is considered “sensitive” under the CCPA, such as Social Security number, precise geolocation, sex, and racial or ethnic origin. We collect and use this sensitive Personal Data primarily to offer our Services to you. However, we may also use sensitive Personal Data for other purposes, such as cross-context behavioral advertising and to build consumer profiles. You have the right to ask that we limit our use and disclosure of your sensitive Personal Data to certain purposes permitted by law and can do so. Please refer to our Privacy Policy, Section 5: Retention of Personal Data.

CALIFORNIA NOTICE OF FINANCIAL INCENTIVE

This Notice of Financial Incentive explains our offerings that may be considered financial incentives under applicable California law. These include offerings we provide when you share Personal Data with us. From time to time, we offer price discounts, coupons, payments, and other benefits (“Incentives”) in exchange for your Personal Data. Incentives are offered to customers who share Personal Data with us (e.g. name, email address, phone number and other identifiers) by signing up for marketing emails, text messages, loyalty programs, and one-time promotions.

When you join our programs, we use the information you provide to personalize discounts, offers, and other marketing tailored to you. The value of your Personal Data varies depending on a number of factors including the resources required to collect and maintain such information. Incentives are not directly tied to, or exclusively based upon, a set value of any individual element of your Personal Data, but are reasonably based on our good faith estimate of the value of your Personal Data and a number of factors, including the value of the benefit we offer to you and the resources required to collect and maintain such information. Incentives are also impacted by performance targets, geographic location, seasonality and market trends. By participating in any of the above promotional programs, you agree that the benefits are reasonably related to the value of the Personal Data collected and retained. Your participation in these Programs is always optional. You may withdraw at any time online by unsubscribing from email promotions, replying "stop" to any of our text messages, or contacting us at 1-877-625- 8499 or privacy@drivenbrands.com.

RETENTION OF PERSONAL DATA

We retain Personal Data only for so long as necessary to fulfill the purposes for which it was collected, including as described in this California Notice, or as required by law. For more information on our retention practices, please refer to our Privacy Policy, Section 5: Retention of Personal Data.

CHANGES TO THIS CALIFORNIA PRIVACY POLICY

We may update this California Notice periodically to account for changes in our collection and/or processing of Personal Data and will publish the updated California Notice on our website. When we do, we will revise the “Last Updated” date at the top. Your continued use of our Services after the effective date of any modification to this California Notice will be deemed to be your agreement to the applicable terms. If we make material changes to this California Notice, we will take required steps to notify you and provide you an opportunity to review before you continue using our Services. We encourage you to periodically review this California Notice to learn how Driven collects, uses, and protects your Personal Data.

HOW TO CONTACT US

For questions or concerns about our privacy practices, please email us atprivacy@drivenbrands.com

PRIVACY NOTICE FOR U.S. APPLICANTS AND EMPLOYEES

Last Updated: November 26, 2024

Driven Brands–including Auto Body Repair of America (“ABRA”), Auto Glass Now, CARSTAR, MAACO, Take 5 Car Wash, Take 5 Oil Change, 1-800-Radiator & A/C, Meineke, Driven Advantage, and our subsidiaries and affiliated companies (collectively “Driven”, “we,” “us,” or “our”) are committed to protecting the privacy and security of your Personal Data.

This Privacy Notice for U.S. Applicants and Employees (“Employee Privacy Notice”) describes how Driven collects, stores, uses, discloses and otherwise processes Personal Data of our employees, former employees, applicants, agency temporary workers, outsourced staff, contractors, and business guests.

This Employee Privacy Notice does not apply to you as a customer, or outside of your employment or candidacy with Driven. To learn more about Driven’s data practices that cover you as a customer, please refer to our Privacy Policy for U.S. Customers.

If you reside in California, you can view our California-specific disclosures here. To the extent this Employee Privacy Notice conflicts with local law in your jurisdiction, local law controls.

1. PERSONAL DATA WE COLLECT AND PROCESS

Personal Data is any information that directly identifies you (such as your name) or that reasonably can be used to identify you, indirectly (such as your telephone number).

The Personal Data we process can include, but is not limited to, the following:

• Identifiers, such as name, postal address, email address, telephone number, employee identification number, government identifiers, photo, beneficiary and emergency contact details, and other similar identifiers.
• Demographic Information, such as your age, race, color, citizenship, marital status, socioeconomic status, sex, and sensitive Personal Data as described below.
• Sensitive Information, such as Social Security number, driver's license number, passport number, race, color, ancestry, national origin, citizenship, sex (including gender, gender identity, and gender expression), and sexual orientation.
• Internet Activity and Usage Information on Driven Systems and Devices, such as the pages you view, the links you click on, and application data from email services or communications technologies, including emails sent and received, calendar entries, IP address, browser type, and other device identifiers in connection with accessing and using Driven corporate buildings and assets.
• Geolocation Data, such as your physical location or movements when operating or utilizing company vehicles.
• Audiovisual Information, such as recordings of closed-circuit television (“CCTV”) footage in our locations, your video, voice and image data.
• Inferences, to create a profile about you, including your preferences, characteristics, and behavior.
• Employment Information, such as any professional or employment information that you share with us or direct others to share with or make available to us, such as your employment history, any professional degrees or certifications, or union membership.
• Background Information, such as your academic and professional qualifications, education, CV/Resume, transcripts, credit history, driving records, and criminal records data (in accordance with applicable law and consultation requirements).
• Financial Information, such as your bank account details, tax information, salary, retirement account information, company allowances, work-related purchases and other information necessary to administer payroll, taxes, benefits, expense reimbursement, and equity and incentive compensation.

If we ask you to provide additional Personal Data not described above, it will be made clear to you at the point we collect it, the reasons for collection. If we ask you to provide Personal Data that we consider to be mandatory for us to administer your relationship with us, we will inform you of such at the time of collection. In addition, we will also inform you of the consequences for not providing us with the Personal Data.

2. SOURCES OF PERSONAL DATA

We collect this information from a variety of sources including, but not limited to:

• Directly from you.
• Indirectly from you.
• From our service providers.
• From third parties.

3. PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA

We use Personal Data for business purposes, including to:

• Manage your Employment Relationship, including to respond to your inquiries, investigate and address your concerns, monitor and improve our responses, secure personnel files, and otherwise manage our relationship with you.
• Administer Benefits, including to perform human resources functions, manage expense reimbursements, maintain group health insurance benefits, 401(k) and retirement plans, leaves of absence, and other Driven benefits, as applicable.
• Assess your Employment or Candidacy, including your skills, qualifications, and interests against our career opportunities.
• Maintain the Security of Our Systems, including the app or website, services, databases and other technology assets, data, and business.
• Ensure a Safe Working Environment, including to protect the rights, property, or safety of Driven, its employees, and applicants.
• Comply with Applicable Law or Regulations, such as to respond to law enforcement requests, or to comply with laws related to records retention and employer reporting obligations.
• Evaluate or Conduct a Merger, including divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all Driven’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Driven is among the assets transferred.

4. DISCLOSURE OF PERSONAL DATA

We may disclose your Personal Data to other Driven companies and third-party service providers to carry out the business purposes of our Personal Data processing as described above in Section 3: Purposes for Collecting and Processing Personal Data.

When we disclose Personal Data for a business purpose, we enter a contract that describes the purpose and requires the recipient to keep that Personal Data confidential and not use it for any purpose except performing the contract.

Please note that where legal requirements limit the disclosure of your Personal Data, Driven will respect such requirements.

5. RETENTION OF PERSONAL DATA

We retain Personal Data only for so long as necessary to fulfill the purposes for which it was collected or as otherwise required by applicable law. When assessing retention periods, we first carefully examine whether it is necessary to retain the Personal Data and, if retention is required, work to retain the Personal Data for the shortest possible period permissible under law.

6. SENSITIVE PERSONAL DATA

As described above, certain types of Personal Data may be considered “sensitive” and subject to additional legal rights and obligations. Driven collects sensitive Personal Data, including Social Security number, driver’s license, and certain demographic information only for business purposes, as described in this Employee Privacy Notice. If you are an employee and have any questions about our handling of sensitive Personal Data, please contact our human resources department by accessing your account on DrivenLink at https://drivenbrands.okta.com/. If you are an applicant, please contact us at https://drivenbrands.okta.com/. Please refer to Section 7: Privacy Rights and Choices for more information.

7. PRIVACY RIGHTS AND CHOICES

If you are an applicant, you may rectify or update your Personal Data at any time by accessing your account on DrivenLink at https://drivenbrands.okta.com/ or your account on Workday at https://www.myworkday.com/wday/authgwy/drivenbrands/login.htmld. For employees, to access, correct or delete your Personal Data, please visit your account on DrivenLink at https://drivenbrands.okta.com/. Both applicants and employees may also email drivenhr@drivenbrands.com to exercise your privacy rights or call 1-877-625-8499. We will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your relationship with Driven, but the specific information requested may differ depending on the circumstances of your request. Driven does not discriminate or retaliate in response to privacy rights requests. Depending on the jurisdiction, we may be required to retain some applicant data for compliance purposes.

You may also have certain rights to manage your Personal Data depending on where you live. Depending on your jurisdiction, the following rights may apply:

• Right to Know and Access: The right to know and access the Personal Data we have collected about you.
• Right to Data Portability: The right to receive a copy of the Personal Data described above in a portable format.
• Right to Correct: The right to correct inaccuracies in your Personal Data, in certain circumstances.
• Right to Delete: The right to request that we delete your Personal Data.
• Right to No Discrimination: The right not to be discriminated against for exercising any of your privacy rights.
• Right to Appeal: Sometimes we are unable to process requests relating to your Personal Data, in which case, your request will be denied. Depending on where you live, you may have the right to appeal our denial of your privacy rights request if you believe we have done so in error. To appeal the denial of your privacy rights request, please email us at the address below.

To exercise any privacy rights available to you, you may submit a request to us using any of the following methods:

• DrivenLink: Contact our human resources department using your account on DrivenLink at https://drivenbrands.okta.com/.
• E-mail: Email drivenhr@drivenbrands.com
• Phone: Call 1-877-625-8499.

We will provide a timely response, in accordance with applicable law. In some instances, we may request additional information to verify your identity before we can process your request. You may designate an authorized agent to submit your verified consumer request by providing written permission and verifying your identity, or through proof of power of attorney.

8. CORRECTNESS OF PERSONAL DATA

By submitting your application to a role within Driven, you confirm that all information you provide is complete and accurate. Driven expressly reserves the right to suspend, modify access to or remove your profile within our applicant tracking system if your profile violates any of our applicable policies, is deemed offensive, violent and/or for any other reason as determined by Driven, in its sole discretion.

9. AUTOMATED DECISION MAKING

Driven does not make any decisions involving the use of algorithms or profiling that significantly affect you.

10. SECURITY

We use appropriate technical, administrative, and physical controls to help protect your Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our best efforts, data security measures cannot fully guarantee security. Driven is not liable or responsible for use or disclosure of your Personal Data that is the result of unauthorized or illegal access to our systems or those of third parties. If you believe the security of your Personal Data has been compromised, please notify us immediately at drivenhr@drivenbrands.com.

11. WORKPLACE SECURITY AND MONITORING

To the extent permitted by applicable law, Driven may monitor its IT and communications systems through automated tools to protect our employees, customers, and business partners. Driven may also monitor our offices, and other workplace facilities, through video monitoring such as CCTV and badge scans for security, corporate workplace policy compliance, employee performance monitoring, and building management purposes. CCTV is not used in private spaces such as restrooms or as otherwise legally prohibited.

To the extent it relates to Driven’s business purposes, we may monitor or access your internet activity and usage information on our systems and devices, in accordance with applicable law and workplace agreements. Please refer to Section 3: Purposes for Collecting and Processing Personal Data.

12. CHILDREN

Where legally required, we obtain parental consent before collecting Personal Data from children under the age of 18.

13. CHANGES TO THIS EMPLOYEE PRIVACY NOTICE

We occasionally may update this Employee Privacy Notice to account for changes in our collection and/or processing of Personal Data and will publish the updated Employee Privacy Notice on our website. When we do, we will revise the "Last Updated" date at the top. If we make material changes to this Employee Privacy Notice, we will take required steps to notify you and provide you an opportunity to review. We encourage you to periodically review this Employee Privacy Notice to learn how Driven collects, uses, and protects your Personal Data.

4. HOW TO CONTACT US

If you are an employee and have questions or concerns about our Employee Privacy Notice, please contact our human resources department using your account on DrivenLink at https://drivenbrands.okta.com/. If you are an applicant, please email us at https://drivenbrands.okta.com.

CALIFORNIA PRIVACY NOTICE FOR APPLICANTS AND EMPLOYEES

Last Updated: November 26, 2024

This California Privacy Notice for Applicants and Employees (“CA Employee Notice”) incorporates by reference, and supplements the information contained in our Employee Privacy Notice. This CA Employee Notice applies to applicants and employees in California. Unless otherwise expressly stated, all terms in this CA Employee Notice have the same meaning as defined in our Employees Privacy Notice or applicable law.

COLLECTION AND USE OF PERSONAL DATA

In the last twelve (12) months, we have collected the following categories of Personal Data:

• Identifiers, such as name, postal address, email address, telephone number, employee identification number, photo, beneficiary and emergency contact details, and other similar identifiers.
• Demographic Information, such as age, race, color, citizenship, marital status, socioeconomic status, and sex.
• Internet Activity and Usage Information on Driven Systems and Devices, such as the pages you view, the links you click on, and application data from email services or communications technologies, including emails sent and received, calendar entries, IP address, browser type, and other device identifiers in connection with accessing and using Driven corporate buildings and assets.
• Geolocation Data, such as your physical location or movements during interactions with us.
• Audiovisual Information, such as recordings of CCTV footage in our locations, your video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).
• Inferences to create a profile about you, including your preferences, characteristics, and behavior.
• Sensitive Personal Data, such as Social Security number, driver's license number, passport number, race, color, ancestry, national origin, citizenship, sex (including gender, gender identity, and gender expression), and sexual orientation.
• Employment Information, such as any professional or employment information that you share with us or direct others to share with or make available to us, such as your employment history, any professional degrees or certifications, or union membership.
• Background Information, such as your academic and professional qualifications, education, CV/Resume, transcripts, credit history, driving records, and criminal records data (in accordance with applicable law and consultation requirements).
• Financial Information, such as your bank account details, tax information, salary, retirement account information, company allowances, work-related purchases and other information necessary to administer payroll, taxes, benefits, and equity and incentive compensation.

SOURCES OF PERSONAL DATA

We collect and obtain your Personal Data from multiple sources. In the past twelve (12) months, we have obtained Personal Data directly from you, indirectly from you, from our service providers, or from other third parties.

PURPOSES FOR COLLECTING AND PROCESSING PERSONAL DATA

We use Personal Data for the following purposes described in our Employee Privacy Notice, Section 3: Purposes for Collecting and Processing Personal Data.

DISCLOSURE OF PERSONAL DATA

In the previous twelve (12) months, we have disclosed all of the categories of Personal Data we collect to corporate affiliates, Franchisees, and service providers, for the various uses, including to manage your employment relationship, to administer benefits, for communications, to make inferences about you, for authentication, integrity, security and safety, for legal reasons, or for change of ownership. For more detail please refer to our Employee Privacy Notice, Section 3: Purposes for Collecting and Processing Personal Data.

PRIVACY RIGHTS AND CHOICES

California residents have specific rights regarding their Personal Data, including a right to knowledge, access, correction, and deletion of their Personal Data. You also have a right not to be discriminated against for exercising your California privacy rights. Driven does not sell or share applicant or employee Personal Data and collects and processes sensitive Personal Data of applicants and employees only for business purposes.

To exercise any privacy rights available to you, you may submit a request to us using the following methods:

• DrivenLink: Contact our human resources department using your account on DrivenLink at https://drivenbrands.okta.com/.
• E-mail: Email drivenhr@drivenbrands.com
• Phone: Call 1-877-625-8499.

We will provide a timely response, in accordance with applicable law. In some instances, we may request additional information to verify your identity before we can process your request. You may designate an authorized agent to submit your verified consumer request by providing written permission and verifying your identity, or through proof of power of attorney. Sometimes, we may be unable to process requests relating to your Personal Data, in which case, your request will be denied. To appeal the denial of your privacy rights request, please contact our human resources department by accessing your account on DrivenLink at https://drivenbrands.okta.com or email us at drivenhr@drivenbrands.com.

RETENTION OF PERSONAL DATA

We retain Personal Data only for so long as necessary to fulfill the purposes for which it was collected, including as described in this CA Employee Notice, or as required by law. For more information on our retention practices, please refer to our Employee Privacy Notice, Section 5: Retention of Personal Data.

CHANGES TO THIS CA EMPLOYEE NOTICE

We occasionally may update this CA Employee Notice to account for changes in our collection and/or processing of Personal Data and will publish the updated CA Employee Notice on our website. When we do, we will revise the “Last Updated” date at the top. If there are material changes to this CA Employee Notice, we will take required steps to notify you and provide you an opportunity to review. We encourage you to periodically review this CA Employee Notice to learn how Driven collects, uses, and protects your Personal Data.

HOW TO CONTACT US

For questions or concerns about our privacy practices as it relates to you as an employee, please contact our human resources department by accessing your account on DrivenLink at https://drivenbrands.okta.com/. If you are an applicant, please email us at drivenhr@drivenbrands.com.