Privacy Policy

Effective Date: February 12, 2026

Last Updated: February 12, 2026

Route Consultant Purchasing Alliance (“RCPA,” “we,” “us,” or “our”) provides business-to-
business fuel and purchasing program services to commercial customers. This Privacy Policy
describes how we collect, use, disclose, and protect personal information in connection with our
websites, customer portal, mobile application, and related services (collectively, the “Services”).
This Privacy Policy applies to individuals who interact with the Services on behalf of a business
customer, including employees, drivers, and other authorized users designated by our customers
(“Authorized Users”). The Services are intended solely for commercial use, and RCPA does not
knowingly provide Services to individuals acting in a personal or household context.

1. Scope and Definitions

Business Customers. RCPA’s customers are businesses. RCPA provides Services to business
customers and to Authorized Users acting on those customers’ behalf.
Personal Information. “Personal information” means information that identifies, relates to,
describes, is reasonably capable of being associated with, or could reasonably be linked (directly
or indirectly) with a particular individual. For purposes of this Policy, “personal information”
refers to information relating to Authorized Users acting in a business or employment capacity.

2. Information We Collect

We collect personal information in the following ways:

A. Information You or Your Employer Provides

Depending on how the Services are used, we may collect:

  • Account and profile information: name, business email address, phone number, username, password (stored in protected form), role, and permissions.

  • Business information: employer or business name, business address, department, job title, and related identifiers.

  • Program administration information: driver identifiers, vehicle identifiers, and similar information provided by our business customers to administer the program.

  • Communications: information you provide when contacting support or communicating with us (e.g., emails, chat messages, call notes).

B. Information Collected Automatically

When you access or use the Services, we may automatically collect:

  • Device and usage information: device type, operating system, browser type, app version, language settings, referring URLs, pages or screens viewed, session activity, interaction data (such as clicks or form submissions), and similar technical details.

  • Log and security data: access times, authentication events, IP address, security- and fraud-prevention signals (such as automated traffic or bot-detection data), and other system or security logs.

  • Online identifiers and tracking technologies: cookies, pixels, tags, and similar technologies that collect information about how users interact with the Services, including performance measurement, analytics, and security-related purposes.

  • Approximate location information: general location such as city or region derived from IP address, network information, or usage context.

The Services do not intentionally collect precise geolocation information (such as GPS
coordinates). Any location-related information is derived from network signals, device settings, or
transactional context rather than real-time location tracking.

C. Information from Program Partners

To administer the program and provide Services to our Business Customers, RCPA may receive
information from program partners and technology providers, including:

  • Transaction and usage data: transaction-lever information such as timestamps, merchant identifiers, purchase location, product category, quantities, and amounts.

  • Authorized User and vehicle identifiers: driver identifiers, vehicle identifiers, card identifiers, PIN-based identifiers, or similar credentials used to associate transactions with an Authorized User or vehicle for program administration and reporting purposes.

  • Account and reporting information: account status, balances, usage summaries, exception
    reporting, and related administrative data.

RCPA does not receive or collect precise real-time GPS location data for Authorized Users. However, transaction data may include merchant or terminal location information that can indicate where a transaction occurred. Such information is used for program administration, reporting, fraud prevention, and customer support purposes.

In some cases, Business Customers may separately engage third-party service providers (such as telematics or fleet management providers) that collect additional data, including precise location information. RCPA does not control and is not responsible for data collection practices of those
third parties, which are governed by the Business Customer’s agreements and applicable policies.

3. How We Use Personal Information

We use personal information to:

  • provide, operate, and administer the Services;

  • manage accounts and Authorized User access;

  • support our business customers and respond to requests;

  • provide customer support and troubleshooting;

  • process and reconcile transactions, generate reports, and administer program features requested by Business Customers;

  • monitor, maintain, and improve the Services, including analyzing usage patterns, performance metrics, and feature adoption;

  • conduct analytics and measurement relating to website performance, service functionality, marketing effectiveness, and operation planning;

  • protect the security and integrity of the Services, including detecting, preventing, and responding to fraud or security incidents;

  • verify users, prevent automated or malicious activity, and maintain system reliability;

  • comply with legal, regulatory, and contractual obligations and enforce our rights.

RCPA does not use personal information to make decisions producing legal or similarly significant
effects on individuals and does not use personal information for consumer profiling or targeted
advertising directed at individuals acting in a personal or household capacity.

4. Analytics and Tracking

We use analytics and similar technologies to understand how the Services and our websites are used, monitor performance, and improve functionality and user experience.

These technologies may include cookies, pixels, tags, and session-based tools that collect information about page views, navigation paths, interactions with forms or content, traffic sources, and general usage patterns. Such tools may be provided by third-party analytics or measurement providers and may involve the collection of online identifiers or device information.

RCPA uses these technologies for business purposes such as operational analytics, website optimization, service improvement, security, fraud prevention, and measurement of marketing effectiveness. RCPA does not use these technologies to engage in consumer profiling or to deliver
targeted advertising to individuals acting in a personal or household capacity.

Some analytics and measurement tools may enable third parties to collect information across different websites or online services over time. Where applicable, such activity may be considered “sharing” under certain U.S. state privacy laws. RCPA does not sell personal information.

Choices and Controls: Depending on applicable law, you may have the right to opt out of certain
uses of cookies or similar technologies that involve cross-context data sharing. You can also
manage cookies through browser settings; disabling certain cookies may affect functionality.

5. How We Disclose Personal Information

We may disclose personal information as follows:

A. Role of RCPA

RCPA provides the Services to Business Customers and processes personal information relating to Authorized Users on behalf of those Business Customers for program administration and related business purposes. In this context, Business Customers determine how and why Authorized User
information is used, and RCPA processes such information in accordance with its agreements and this Privacy Policy. RCPA does not independently use Authorized User personal information outside the operation and administration of the Services.

B. Service Providers

We disclose personal information to third-party service providers that perform services on our behalf, such as website hosting, cloud infrastructure, data storage, authentication, customer relationship management, form processing, communications, analytics, monitoring, fraud prevention, and security services. These providers are permitted to use personal information only as necessary to provide services to RCPA, in accordance with our instructions, and are required to implement appropriate safeguards. Service providers may include technology vendors supporting our websites, customer portal, mobile application, internal systems, customer support operations, analytics and measurement tools, and communications platforms. Personal information processed by service providers remains subject to confidentiality and security obligations consistent with this Privacy Policy and applicable agreements.

C. Program Partners

We disclose information to program partners as necessary to administer the program, provide
reporting, and support business customers.

D. Business Customers

Our Business Customers may access information relating to their Authorized Users and program activity. Business Customers control Authorized User accounts and permissions and may manage or request changes to certain information. RCPA is not responsible for how Business Customers
use information about their Authorized Users, which is governed by the Business Customer’s own policies and applicable law.

E. Legal, Compliance, and Safety

We may disclose information to comply with law or legal process, protect rights and safety, investigate or prevent misconduct, or respond to regulatory or contractual requirements.

F. Business Transfers

If RCPA is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be disclosed in connection with that transaction, subject to appropriate protections.

6. Cookies and Similar Technologies

We may use cookies and similar technologies such as pixels, tags, SDKs, and session-based tools to support functionality, authentication, security, analytics, performance measurement, and website optimization. These technologies help us understand how the Services and our websites are used, maintain reliability, and improve user experience.

Some cookies or similar technologies may be provided by third-party analytics or measurement providers and may collect information about interactions with our websites or Services, including online identifiers, device information, and usage data.

You can manage cookies through browser settings; depending on applicable law, you may also have the right to opt out of certain cookies or similar technologies that involve cross-context data sharing. Disabling certain cookies may affect functionality.

7. Mobile Application Information

If you use our mobile application, we may collect device information, usage data, and diagnostic information (such as crash logs) to operate and improve the app.

The mobile application does not intentionally collect precise real-time geolocation data (such as GPS coordinates). Any location-related information reflected in the Services is derived from transaction context, network signals, or information provided by program partners rather than continuous location tracking through the mobile application.

Business Customers may separately engage third-party providers (such as telematics, fleet management, or navigation services) whose applications or devices collect additional data, including precise location information. RCPA does not control and is not responsible for the data collection practices of those third parties.

App permissions can be managed through device settings.

8. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including access controls, encryption where appropriate, logging and monitoring, and incident response procedures. No system is completely secure, and we cannot guarantee absolute security.

9. Data Retention

We retain personal information only for as long as reasonably necessary to provide the Services, administer the program, comply with legal and contractual obligations, and resolve disputes. We may retain information subject to legal holds or preservation obligations. When personal information is disposed of, RCPA uses reasonable measures to protect against unauthorized access or use, consistent with applicable data disposal laws.

10. Your Choices and Rights

A. Account Management

If you are an Authorized User, your employer or Business Customer administrator may control your account and access to information. Certain requests, including access, correction, or deletion of information associated with your account, may need to be directed through your employer or Business Customer administrator, depending on the nature of the request and applicable law.

B. Marketing Communications

You may opt out of promotional communications sent directly by RCPA where applicable. Operational or service-related messages may still be sent.

C. Cookies, Analytics, and Tracking Choices

Depending on applicable law, you may have the right to opt out of certain uses of cookies or similar technologies that involve cross-context data sharing. You may exercise such choices through browser settings, available opt-out mechanisms, or by contacting us as described in Section 14.

D. State Privacy Rights

Certain U.S. state laws provide residents with rights regarding personal information, subject to exceptions and applicability thresholds. Where such laws apply, and where an individual qualifies as a “consumer” under applicable law, we process verified requests in accordance with those laws. In many cases involving Authorized Users acting on behalf of a Business Customer, requests may be fulfilled through or in coordination with the Business Customer.

11. Children’s Privacy

The Services are intended for business use and are not directed to children under 13. We do not knowingly collect personal information from children.

12. California Privacy Notice (CPRA)

This section applies to California residents only to the extent that the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), applies to RCPA’s activities. This notice is provided for transparency and does not apply where statutory exemptions apply, including exemptions relating to business-to-business or employment-related personal information.

Categories of Personal Information Collected:

Depending on use of the Services, RCPA may collect:

  • Identifiers (name, email address, IP address, account credentials);

  • Business contact information;

  • Internet or network activity information;

  • Approximate geolocation data;

  • Professional or employment-related information;

  • Limited sensitive personal information (such as account log-in credentials).

Sale or Sharing of Personal Information:

RCPA does not sell personal information.

RCPA may share limited personal information, such as online identifiers or usage data, with third-party analytics or measurement providers in a manner that may be considered “sharing” for cross-context behavioral advertising under the CPRA. Such sharing is conducted for business purposes such as analytics, measurement, security, and website optimization, and not for the purpose of targeting individuals acting in a personal or household capacity.

Sensitive Personal Information:

RCPA does not use or disclose sensitive personal information for purposes of inferring characteristics about individuals and limits its use to purposes permitted under the CPRA, including providing the Services, maintaining security, and preventing fraud.

Retention:

Personal information is retained as described in Section 9 (Data Retention) above.

Your Rights:

California residents may have the right, subject to applicable exceptions and exemptions, to:

  • Request access to personal information;

  • Request correction of inaccurate personal information;

  • Request deletion of personal information;

  • Opt out of the sale or sharing of personal information, where applicable.

Where personal information relates to an Authorized User acting on behalf of a Business
Customer, RCPA may coordinate with or direct requests to the relevant Business Customer, as
permitted by law.

Submitting Requests:

Requests may be submitted by contacting us as described in Section 14 (Contact Us).

We may verify your identity and, where appropriate, verify your authority to make the request. Certain requests may be denied or limited where an exemption applies or where compliance would conflict with contractual or legal obligations.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last Updated” date and providing notice where required by law.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Email: privacy@rcpasave.com
Mailing Address:
Route Consultant Purchasing Alliance
Attn: Privacy
5511 Virginia Way, Suite 400
Brentwood, TN 37027