State Specific Privacy Policy
Effective Date: January 1, 2020
Last Reviewed on: April 17, 2023
This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (“CPRA”) (together, the “CCPA”), Chapter 603A of the Nevada Revised Statutes, and all laws implementing, supplementing, or amending the foregoing, including regulations promulgated thereunder. Capitalized terms used but not defined in this Notice shall have the meanings given to them under the CCPA.
This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements, for Consumers, the general privacy policies of Cintas Corporation (together with its relevant subsidiaries, associates, and affiliated companies, “Cintas,” “we,” “us,” “our” or “Company”) including, without limitation, the General Privacy Policy, and any other privacy policies, notice, or statements on a “Service” (e.g., website, mobile app, or any other digital asset) that is owned and operated by Cintas.
In the event of a conflict between any other Company policy, notice, or statement and this Notice, this Notice will prevail as to Consumers unless stated otherwise. Please also see any other privacy policies, notices or statements posted or referenced on our Services.
Non-Applicability, Human Resources: This Notice does not apply to our job applicants, current employees, former employees, or independent contractors (“Personnel”), however, our California Personnel may obtain a separate privacy notice that applies to them by contacting location management and/or Human Resources.Table of Contents
A. PI Collection, Disclosure, and Retention – By Categories of PI
A. Right to Limit Sensitive PI Processing
1. Categories (available for California Residents Only)
F. Automated Decision-Making / Profiling
G. Exercising Access, Data Portability, and Deletion Rights
1. Your Request Must be a Verifiable Consumer Request
H. Response Timing and Formats
IV. NOTICE OF FINANCIAL INCENTIVE PROGRAMS
V. OUR RIGHTS AND THE RIGHTS OF OTHERS
VI. ADDITIONAL NOTICE FOR CALIFORNIA RESIDENTS
VII. CHANGES TO OUR PRIVACY NOTICE
I. Notice of Data Practices
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Information”). This Notice provides notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information or Personal Data (collectively, “PI”), which does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- PI covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.
The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date (“Reporting Period”) and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements posted or referenced on the Service that reflect current practices. Otherwise, this Notice serves as our notice at collection.
A. PI Collection, Disclosure, and Retention – By Categories of PI
During the Reporting Period, we collected, retained, disclosed, and otherwise Processed PI about Consumers, as follows:
| Category of PI | Examples of PI Collected and Retained | Categories of Recipients |
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Disclosures for Business Purposes:
Sale/Share: Shared with Third Party Digital Businesses |
| Personal Records | Name, signature, address, telephone number, financial information (e.g., bank account number or payment card information), information. Some PI included in this category may overlap with other categories. | Disclosures for Business Purposes:
Sale/Share: N/A |
| Customer Account Details/Commercial Information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Disclosures for Business Purposes:
Sale/Share: Shared with Third-Party Digital Businesses |
| Internet Usage Information | When you browse our Services or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our Services or other sites, applications, or advertisements. | Disclosures for Business Purposes:
Sale/Share: Shared with Third Party Digital Businesses |
| Sensory Data | We may collect audio, electronic, or similar information when you or contact us through our customer service line. | Disclosures for Business Purposes:
Sale/Share: N/A |
| Professional or Employment Information (such as your current employer) | We may collect information regarding your current employer and position to enable us to provide products or services to you on behalf of your employer (our customer). | Disclosures for Business Purposes:
Sale/Share: N/A |
| Inferences from PI Collected | Inferences drawn from PI to create a profile about a Consumer reflecting preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Disclosures for Business Purposes:
Sale/Share: Shared with Third-Party Digital Businesses |
| Sensitive PI | Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card, or passport number) | Disclosures for Business Purposes:
Sale/Share: N/A |
There may be additional information we Collect that meets the definition of PI under California Law but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category. Because there are numerous types of PI in each category, and various uses for each PI type, actual retention periods vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.
II. YOUR RIGHTS AND CHOICES
As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Cintas provides Consumers the privacy rights described in this section. For non-California residents, we will consider requests but will apply our discretion with respect to and if and how we process such requests.
To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Consumer Rights Request Portal, or call us at 1-844-378-7411 and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process is in Section 3. The Consumer rights we accommodate are as follows:
A. Right to Limit Sensitive PI Processing
We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws.
B. Right to Know/Access
Residents of California are entitled to access PI up to twice in a 12-month period. with subsequent requests subject to a service fee.
1. Categories
California residents have a right to submit a request for any of the following for the period that is 12 months prior to the request date:
- The categories of PI we Collected about you.
- The categories of sources for the PI we collected about you.
- Our Business Purposes or Commercial Purposes for our Collecting, Selling, or Sharing your PI.
- The categories of Third Parties with whom we have disclosed your PI.
- A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
- A list of the categories of PI Sold or Shared about you and, for each, the categories of recipients, or that no Sale or Share occurred.
2. Specific Pieces
You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable California law, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.
C. Do Not Sell/Share/Target
Under the various U.S. Privacy Laws there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Other states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI, as these terms apply under California law.
Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that Collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.
Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request here.
Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool here Cookie Settings. This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Note that if you use ad blocking software, our cookie banner may not appear when you visit our services and you may have to use the link above to access the tool.
Opt-out preference signals (also known as global privacy control or GPC): Some of the U.S. Privacy Laws require businesses to process GPC signals, which is referred to in California as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale or Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website, which is explained by our consent management platform here Cookie Settings. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.
We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.
We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
D. DELETION REQUEST RIGHTS
You have the right to request that we delete any of your PI that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your PI from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s):
- To complete transactions and services you have requested.
- For security purposes.
- For legitimate internal Business Purposes (e.g., maintaining business records);
- To comply with law and to cooperate with law enforcement; and
- To exercise or defend legal claims.
Please be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of PI or content you may have posted. Note also that under California law we may not be required to delete your PI that we did not Collect directly from you.
E. CORRECT YOUR PI
Consumers may bring inaccuracies they find in their PI that we maintain to our attention and we will act upon such a complaint as required by applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.
F. Automated Decision Making/Profiling
We do not engage in Automated Decision Making or Profiling.
G. EXERCISING ACCESS, DATA PORTABILITY, AND DELETION RIGHTS
To exercise the Consumer privacy rights described above, or to submit a request as an authorized agent, please use our Consumer Rights Request Portal or calling us at 1-844-378-7411.
1. Your Request Must be a Verifiable Consumer Request
Only you, or someone legally authorized to act on your behalf (your authorized agent), may make a verifiable consumer request related to your PI. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period.
As permitted or required by California law, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number, account, and/or transaction information. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.
We verify each request as follows:
- Right to Know (Categories) (available for California residents only):We verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Notice for a general description of our data practices.
- Right to Know (Specific Pieces): We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the Consumer whose PI is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request.
- Do Not Sell/Share/Target: No specific verification required unless we suspect fraud.
- Right to Delete: We verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target.
- Correction: We verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.
To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose
2. Agent Requests
You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. You can learn how to do this by visiting the agent section of our Consumer Rights Request Portal. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.
H. RESPONSE TIMING AND FORMATS
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your PI that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
III. NON-DISCRIMINATION
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
IV. NOTICE OF FINANCIAL INCENTIVE PROGRAMS
We do not currently offer discounts or rewards to Consumers for providing us PI, or set price or service differences related to the collection, retention, sale, or sharing of PI. If we offer such programs in the future, we will update this Notice to describe such program(s), including how you may opt-in and how we value the PI required.
V. OUR RIGHTS AND THE RIGHTS OF OTHERS
Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under California law. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.
VI. ADDITIONAL NOTICE FOR CALIFORNIA RESIDENTS
In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:
This Notice provides information on our online practices and your California rights specific to our online services. Without limitation, Californians that visit our online services and seek to acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:
California's “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of PI to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] or write us at: Cintas Corporation, Chief Compliance Officer, 6800 Cintas Boulevard, Mason, Ohio, 45040. You must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. This right is different than, and in addition to, CCPA rights, and must be requested separately. However, a Do Not Sell/Share/Target opt-out is broader and will limit our sharing with third parties for their own direct marketing purposes without the need for making a separate Shine the Light request. We will not accept Shine the Light requests by telephone or by fax, and are not responsible for requests not labeled or sent properly, or that are incomplete.
VII. CHANGES TO OUR PRIVACY NOTICE
We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
VIII. CONTACT INFORMATION
If you have any questions or comments about this notice, the ways in which Cintas Corporation collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
- Phone: 1-844-378-7411
- Website: Cintas.com
- Email: [email protected]
Cintas Corporation
Chief Compliance Officer
6800 Cintas Boulevard
Mason, Ohio 45040