I. Introduction and Overview
II. Information we collect
1. Information you provide to us or allow others to provide to us
At various points in the Roombox experience, you may provide us with information about yourself. For example, when you create an account through the Services, you provide us with personal information like your name, email address, and zip or postal code. And if you place an order through the Services, we collect information including your address, phone number, birth date, driver’s license expiration date (for alcohol orders or prescription delivery, where available), credit card information, vehicle license plate number(s) (for curbside pickup orders) and the details of your order. Your account information may be updated or corrected by accessing your account settings.
We may also collect health information you provide directly to us regarding an experience with a retail partner that may require us to contact that retailer, or other retailer partners, for public health or safety reasons, or to facilitate a refund. We do not share your identity with the retailers that we may contact in such a capacity, but may share date, time and location of a transaction, which may allow a retailer to independently identify you.
Our partners may let us collect information about use of their sites/apps or share such information with us. For example, if you use an Roombox button or widget on another site or app, we may receive information about your use of that button or widget and the third-party site/app.
When you use the Services, we may collect precise location data. For instance, if you allow the Services to access location services through the permission system used by your device’s mobile operating system or browser, we may collect the precise location of your device. We use your location information to facilitate the prompt hand-off of pickup orders (where available), to assist you in finding nearby stores for which pickup or delivery are available, for other similar purposes and for analytics purposes. You can choose whether or not to enable the location tracking feature through the settings on your device or browser, or when prompted by the Roombox mobile app. We may also infer your general location information, for example by using your internet protocol (IP) address.
2. Technical information about usage of the Services
When you use the Services, or browse our sites, either through a browser or mobile app, we automatically receive some technical information about the hardware and software that is being used.
Cookies, Pixels, and Other Tracking Technologies:
We, our partners, our advertisers, and third-party advertising networks use various technologies to collect information, including but not limited to cookies, pixels, scripts, and device identifiers. Cookies are small text files that are sent by your computer when you access our services through a browser. We, our partners, our advertisers, and third-party advertising networks may use session cookies (which expire when you close your browser), persistent cookies (which only expire when you choose to clear them from your browser), pixels, scripts, and other identifiers to collect information from your browser or device that helps us do things such as understand how you use our services and other services; personalize your experience; measure, manage, and display advertising on the Services or on other services; understand your usage of the Services and other services in order to serve customized ads; and remember that you are logged into the Services. Our partners, advertisers, and third-party advertising networks may use these technologies to collect information about your online activity over time and across different websites or online services. By using your browser settings, you may block cookies or adjust settings for notifications when a cookie is set. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com .
We employ some third-party services to help us understand the usage of the Services and the performance of advertising, and these third parties may also deploy cookies, pixels, or other identifiers on the Services or collect information through our mobile applications. For example, we use Google Analytics to understand, in a non-personally identifying way, how users interact with various portions of the Services — you can learn more about information that Google may collect here.
When you use the Services, or browse our sites, our servers will record information about your usage of the Services and information that is sent by your browser or device. Log information can include things like the IP address of your device, information about the browser, operating system and/or app you are using, unique device identifiers, pages that you navigate to and links that you click, searches that you run on the Services, and other ways you interact with the Services. If you are logged into the Services, this information is stored with your account information.
Our Services are not intended for children under 13 years of age, and we do not knowingly collect personal information (as defined by the U.S. Children’s Online Privacy Protection Act, or “COPPA”) in a manner not permitted by COPPA. If we obtain actual knowledge that any information we collect has been provided by a child under the age of 13, we will delete that information to the extent required by applicable laws.
We do not knowingly “sell,” as that term is defined under the California Consumer Protect Act (“CCPA”), the personal information of minors under 16 years old who are California residents.
III. How we use your information
We may use the information we collect for various purposes, including to:
You can opt-out of receiving promotional communications from Roombox by using the settings on the Account Info page or by using the unsubscribe mechanism included in the message, where applicable.
IV. What we share
The Services comprise a platform that presents you with a set of one or more retailer virtual storefronts from which you can select goods for picking, packing, and delivery by individual Personal Shopper(s) to your location or, if available, for you to pick up in-store. In order to make this work, we need to share information about you and your order with the other parties who help enable the service. This includes, for example, the Personal Shopper(s) who pick and deliver your order, the payment processing partner(s) that we use to validate and charge your credit card, and the retail partner(s) from which you are purchasing goods. To be clear, only our payment processing partner(s) receive credit card information.
We also share information under the following principles:
V. Personal Health Information
Your PHI is protected under HIPAA and under certain state laws. Those laws give you rights with respect to the access, use, and disclosure of PHI by your health care providers, such as pharmacies, and us. When you place a pharmacy order using our Services, the pharmacy responds as we have described above under the Section entitled “Information we collect” by disclosing to Roombox your status as a patient of the pharmacy. Information concerning your status as a patient of the pharmacy is PHI and protected by HIPAA. As discussed above, no other PHI will be disclosed to us by your pharmacy and no other PHI will be disclosed by Roombox to your personal shopper other than your status as a patient of the pharmacy. For a more complete description of your rights under HIPAA and the uses and disclosures of your PHI, please refer to your pharmacy’s Notice of Privacy Practices. We will not disclose your PHI without your prior written consent with other people or non-affiliated companies unless: (i) it is needed to provide our Services, (ii) it has been “de-identified” so that it cannot identify you, (ii) we have your prior written consent, (iv) disclosure is required by law, or (v) we are acquired or file for bankruptcy.
We employ and maintain reasonable administrative, physical, and technical measures designed to safeguard and protect information under our control from unauthorized access, use, and disclosure. In addition, when we collect, maintain, access, use, or disclose your PHI, we will do so using systems and processes consistent with information privacy and security requirements under applicable federal and state laws, including, without limitation, HIPAA. All electronic PHI will be encrypted at rest and in transit. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about you.
We will make any legally required notifications of any breach of the security, confidentiality, or integrity of your PHI or PII, including, without limitation, breaches of your stored PHI or PII (as breaches are defined under applicable state or federal statutes on security breach notification). To the extent permitted by applicable laws, we will make such notifications to you without unreasonable delay, as consistent with (i) the legitimate needs of law enforcement or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
VII. Changes to this Policy