XPO California Consumer Privacy Act Notice

Consumers, Applicants, Employees and Contractors

This California Consumer Privacy Act (“CCPA”) Notice at Collection (“Notice”) describes the categories of Personal Information that XPO, Inc. and its subsidiaries, divisions, and affiliates (sometimes referred to as “XPO”, “Company,” “us,” “we,” or “our”) collect from California residents (“Consumers”) and the purposes for which such information may be used and disclosed. It also describes rights Consumers may have under the CCPA. For additional information, please see our Privacy Policy at https://www.xpo.com/privacy-policy/

Please read this Notice carefully since specific provisions may apply based on the nature of your relationship with XPO.

Any terms defined within the CCPA have the same meaning when utilized within this CCPA Notice. By submitting your Personal Information, you indicate that you understand the collection, use, and disclosure of your Personal Information is subject to the terms of this Notice.

The Categories of Personal Information We Collect.

Where permitted by applicable law, we may collect the following categories of Personal Information from Consumers, including job applicants, employees, and contractors, when you interact with us or when a service provider collects your Personal Information on our behalf.

Identifiers and Contact Information. This category includes names, addresses, telephone numbers, mobile numbers, email addresses, signatures, dates of birth, tax identification, government identification numbers, internal identification numbers, physical characteristics, and other similar contact information and identifiers.

Protected Classification Information under California or U.S. federal law, where applicable.

Commercial information. For example, products and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Internet or Other Electronic Network Activity Information. This category includes, without limitation:

• interaction with our internet website, applications, or advertisements.

• all activity on XPO’s information systems, such as internet browsing history, search history, intranet activity, email communications, stored documents and emails, usernames and passwords

• all activity on XPO’s communications systems, including phone calls, call logs, voice mails, text messages, chat logs, app use, and search history, mobile email communications, and other information regarding a worker’s use of company-issued devices.

Geolocation Data. This category includes, without limitation, GPS location data from company-owned or issued mobile devices, applications, or vehicles; location information while using one of our apps.

Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information. This category includes, for example, information collected from CCTV or video cameras, information from voicemail messagesand conversations with our service representatives.

Biometric Information. For example, an individual’s physiological, biological, or behavioral characteristics used or intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. This category includes the use of biometric equipment, devices, or software to record time worked, entry or exit from our facilities or rooms, equipment access or use, and other business purposes.

Professional and Employment-Related Information. This category includes, without limitation, where permitted by law:

• data submitted with employment applications, including salary history, employment history, education history, employment recommendations, etc.

• interest in employment opportunities

• background check and criminal history

• drug test results

• work authorization

• ability to work or fitness for duty data and reports

• height requirements for certain job requirements

• performance and disciplinary records

• salary and bonus data

• benefit plan enrollment, participation, and claims information

• leave of absence information, including religious and family obligations, and physical and mental health data, concerning workers and their family members

• other information necessary to manage your working relationship with us (e.g., scheduling information, ability to work information, workplace safety information, etc.).

Education Information. This category relates to information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, Sec. 1232g; 34 C.F.R. Part 99).

Sensitive Personal Information. This category includes information such as:

• Social Security, driver’s license, state identification card, or passport number

• financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.

• precise geolocation

• racial or ethnic origin;

• content of mail, email, and text messages (unless XPO is the intended recipient of the communication)

• biometric information for the purpose of uniquely identifying a Consumer for time keeping

• health information

Other. For applicants and employees, this may also include citizenship, eligibility or right to work, answers to job specific questions that relate to your fitness for a particular position, information regarding potential conflict of interest issues, information you provide to create security questions and answers used to validate your identity when you return to the career portal, beneficiary information.

Inferences Drawn from the Personal Information in the Categories Above. This includes, inferences drawn from any of the information identified above to create a profile about a Consumer reflecting preferences, characteristics, and behaviors; human capital analytics, including, without limitation, identifying correlations between certain characteristics and job success, analyzing data to improve retention, and analyzing worker preferences to inform HR policies, programs, and procedures.

Sources of Personal Information

We may collect your Personal Information from the following sources, where permitted by applicable law:

• You. We may collect your Personal Information when you place an order or make a purchase, submit forms, send an e-mail requesting information about products, support, or training, or otherwise interact with us. We may also collect information when you attend an event or program we sponsor. We collect information when you are an applicant for employment oremployed by us.

• Related Entities and Affiliates. We may collect information about you from our related parties and affiliates including joint ventures.

• Service providers and contractors. When you obtain products and services from us, apply for a position, or work with us, we may collect Personal Information from service providers and contractors who collect information about you as needed to provide products, services, and information.

• Third parties. In performing services or marketing activities we or third parties on our behalf may conduct research and other activities resulting in the collection of Personal Information. We may also collect Personal Information from third parties such as sales representatives, background check vendors, recruiting and staffing agencies, your employer, references or other third-party sources that are lawfully entitled to share your information with us.

• Social media and related services. We may collect information about you through your social media services consistent with your settings on such services.

• Third parties. We may collect information about you from third parties such as your references, background check vendors, recruiting and staffing agencies or other third-party sources that are lawfully entitled to share your information with us. This may include service providers or contractors who collect or process your Personal Information on our behalf.

• Information Collected Automatically. As you navigate through and interact with our website, we or third parties on our behalf collect information through certain online tracking tools, such as browser cookies, flash cookies, and web beacons. Please see our Privacy Policy at https://www.xpo.com/privacy-policy/ for additional information.

How We Use Your Personal Information

XPO will use your Personal Information for the purposes described below or in ways that are compatible with these purposes. We may change or add to the purposes we collect Personal Information. In that case, we will inform you and obtain your consent when required by law.

XPO takes commercially reasonable steps to ensure that the collected Personal Information is relevant for its intended use and is accurate, up-to-date, and complete.

In general, we collect and use non-applicant, employee and contractor Consumer Personal Information for the following business or commercial purposes:

• To provide you with information, products, or services you request from us.

• To fulfill or meet the reason for which the information is provided.

• To provide regulatory required communications.

• To open, maintain, and close accounts.

• To process payments.

• To engage third party service providers to perform transportation or logistics services.

• To contact you and/or provide you with email alerts and other notices concerning our products, services, events, or news that may be of interest to you. For example, we may send you announcements, and newsletters using any communications preferences you have expressed. We may provide these communications via email, postal mail, online advertising, social media, telephone, text message (including SMS and MMS), push notifications, in-app messaging, and other means. Of course, if at any time you no longer wish to receive such communications, you have the option of unsubscribing from our mailing list for that communication.

• To engage in data analytics, advertising and marketing activities including serving retargeted ads.

• To communicate with you in social media concerning our products and services.

• To ensure your information is accurate and to personalize our communications to you. For example, we may aggregate your Personal Information with data from various sources for purposes of keeping information up to date. If you connect your social media services or other accounts to our services, we may use this information to make your experiences with us more personal or share and use it as described elsewhere in this Policy.

• To carry out our obligations and enforce our rights including those arising from any contracts entered into with you including for billing, payment, and collections.

• To review, improve, and monitor our website, applications, online services, and overall Consumer experience, including to provide customization to meet the specific needs.

• To provide customer service and engage in quality control activities concerning our products and services.

• For testing, research, analysis and product and service development. We may use data, including public feedback and surveys, to conduct research and for the development of the Site and the services, products, and information we provide.

• To respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or other lawful processes.

• As described to you when collecting your Personal Information.

• To manage our recruiting efforts and employment and workforce relationships. These activities include, for example, sourcing and processing employment applications, onboarding employees and contingent workers, and carrying out a range of employments activities relating to the employment relationship, such as compensation, benefits, promotion, discipline, termination, and certain post termination activities.

• As necessary or appropriate to protect the rights, property, security, and safety of us, our employees, our Consumers, our information systems, and the public.

• As XPO grows and develops its business, it is possible that its corporate structure or organization might change or that it might merge or otherwise combine with, or that it or portions of its business might be acquired by, another company. In any such transactions, customer information generally is, and should be expected to be, one of the transferred business assets.

Where applicable and to the extent permitted by law, we may collect and use applicant, worker, and contractor Personal Information for the following purposes:

• Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, drug tests, references, onboarding, and related recruiting efforts.

• Maintaining applicant information for future employment opportunities.

• Communicating with applicants about a current application, future job opportunities or current and past employment.

• If your application is successful, your Personal Information will be transferred to the HR file system for the purposes of your hiring process and employment contract in accordance with our employment privacy policies.

• Maintaining physician records and occupational health programs.

• Maintaining records and satisfying record retention requirements.

• Submitting relevant information to prospective employers.

• Submitting relevant information for payment of wages and bonuses.

• Complying with applicable state and federal health, labor, employment, disability, equal employment opportunity, workplace safety, and related laws, guidance, or recommendations.

• Preventing unauthorized access to, use, or disclosure/removal of XPO’s property, including XPO’s information systems, electronic devices, network, and data.

• Processing payroll, other forms of compensation, and worker benefit plan and program design and administration including enrollment and claims handling and leave of absence administration.

• Communicating with workers and/or workers’ emergency contacts and plan beneficiaries.

• Ensuring and enhancing worker productivity and adherence to XPO’s policies.

• Time keeping, attendance, and Paid Time Off.

• Providing training and development opportunities.

• Investigating complaints, grievances, and suspected violations of Company policy.

• Designing, implementing, and promoting XPO’s diversity and inclusion programs.

• Facilitating the efficient and secure use of XPO’s information systems.

• Ensuring compliance with XPO information systems policies and procedures.

• Improving safety of applicants, workers, customers and the public with regard to use of Company property and equipment.

• Improving efficiency.

• Evaluating an individual’s appropriateness for a particular position at XPO or promotion to a new position.

• Protecting the legal rights, privacy, safety or property of Company or its workers, agents, contractors, customers or the public.

• Protecting against fraud or other illegal activity or for risk management purposes.

• Responding to and managing legal claims against XPO and/or its personnel, including civil discovery in litigation.

• Confirming eligibility for entry into the FMCSA Training Provider Registry.

• Processing tuition reimbursement requests, business expense reimbursement requests, adoption reimbursement requests, driver physical reimbursement requests, relocation reimbursement requests, and other reimbursement requests.

• Managing worker engagement and other legitimate business purposes.

• Facilitating other business administrative functions and strategic activities, such as risk management, information technology and communications, financial management and reporting, workforce and succession planning, merger and acquisition activities, and maintenance of licenses, permits and authorization applicable to Company operations.

XPO may also ask applicants, employees, and contractors to voluntarily self-identify or disclose certain Personal Information such as their ethnicity, gender, veteran status, and disability information. Your decision to provide or withhold any of that information will not negatively impact your employment with XPO or whether/how XPO will consider you for employment. XPO will treat any Personal Information considered sensitive in accordance with applicable law. The collection and use of sensitive Personal Information will be limited to that which is strictly necessary for the purposes for which it was collected.

IT Use Information

XPO monitors its user traffic patterns throughout XPO’s IT network and systems. This includes a user’s domain name, browser type, date and time of access, software usage, application access times, and internet viewing history. This information is collected for XPO to manage its IT resources, protect its workers and visitors, enhance its users’ experience on websites and XPO’s intranet, and to generally run its business.

XPO uses a number of automated technologies to collect this kind of IT use data. For example, cookies and web beacons are used internally and externally to collect aggregate and anonymous usage data, as well as worker-specific activity inside the XPO network. XPO may also use Personal Information to personalize its user’s interaction with XPO. For example, the XPO applicant website may permit you to select a language and/or geographic location preference, which will be stored for future visits.

XPO’s service providers also use automated tracking technology to manage IT activity while users are in the network. These technologies track sessions, user inputs, and user authentication.

For additional information on IT use and web technologies, please see our Privacy Policy athttps://www.xpo.com/privacy-policy/

Most popular Internet browser applications will allow you to configure the browser so as not to accept cookies. If you are an applicant and do not want cookies to be accessible by our job applicant site, you can adjust the settings on your browser program to deny or disable the use of cookies. You can find additional information on cookies and web beacons at http://www.allaboutcookies.org/.

Disclosing, Selling and Sharing Your Personal Information

We may disclose Personal Information to affiliates, service providers, contractors, government entities and other third parties. If necessary, we may disclose your Personal Information to: (1) provide the services or products you request, (2) assist with our daily business and commercial operations, (3) comply with applicable laws; (4) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons public authorities; (5) cooperate with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate applicable laws; or (6) to investigate a complaint and exercise or defend a legal claim.

We may disclose or transfer Personal Information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control or acquires of all or part of the assets of our business.

Lastly, we may Sell or Share limited Personal Information collected through our website to or with third parties. Under the CCPA, Selling means an exchange of Personal Information for monetary or other valuable consideration. Sharing means the disclosure of Personal Information to a third party, regardless of monetary or other valuable consideration, for cross context behavioral advertising purposes.

The following chart describes the

• categories of Personal Information we may collect about you,

• the categories of third parties to whom we may disclose the categories of Personal Information, and

• the categories of third parties to whom we may Sell or Share the categories of Personal Information.

 Address and other identifiers – such as name, postal address, email address, phone number, account name, date of birth, Social Security number, driver’s license number, photograph, passport number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiersNOTE: The information in this category may include the following elements of sensitive Personal Information: Social Security number, driver’s license number, state identification card Third parties as directed by you. Our affiliates and business partners. For example, we might disclose your Personal Information to a business partner for collaborating on services or events. Service Providers. For example, vendors that help us communicate with you or fulfill requests for services, products, materials and opportunities, provide web hosting, information technology services, marketing and advertising, background checks, staffing and recruiting, payroll and benefits management, data analytics and data storage. We might also authorize service providers to collect Personal Information on our behalf.Successors to all or portions of our business. Governmental entities. We may disclose your Personal Information to comply with the law and in providing our products and services and other business activities of the Company. We may also disclose information if a Advertising and marketing vendors.Analytics providers.number, and/or passport number. government agency or investigatory body submits a request.Professional services providers (e.g., legal, accounting, insurance). Trade unions, as necessary for union employees. Other companies and organizations for fraud protection, credit risk reduction, and collection activities.Protected status –such as citizenship, ethnic background, gender, or other similar identifiersNOTE: The information in this category may include the following elements of sensitive Personal Information: racial, ethnic, or national origin. Financial information –such as bank account details, credit history, income details or other similar identifiersNOTE: The information in this category may include the following elements of sensitive Personal Information: log-in, financial account in combination with any required security or access code, password, or credential allowing access to an account. Education or professional information, including veteran status or other similar identifiers NOTE: The information in this category may include the following elements of sensitive Personal Information: union membership. Internet or other electronic network activity – such as browsing history, search history, a Consumer’s interaction with an internet website, application, or advertisementNOTE: The information in this category may include the following elements of sensitive Personal Information: the contents of mail, email, or text messages, to which the business was not the intended recipient.Geolocation dataNOTE: The information in this category may include the following elements of sensitive Personal Information: precise geolocation. Audio, electronic, visual or similar information.Biometric InformationNOTE: Biometric information is considered an element of sensitive Personal Information.Inferences drawn from Personal Information – such as individual profiles, preferences, characteristics, behaviors or other similar identifiersNOTE: The information in this category may include the following elements of sensitive Personal Information: racial or ethnic origin, religious or philosophical beliefs, union membership, health information. Commercial information – such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies or other similar identifiers

Since XPO operates globally with locations in many different countries, we may transfer your information from one legal entity to another or from one country to another to accomplish purposes listed in this policy.

Safeguards

XPO takes steps to implement physical, electronic and procedural safeguards appropriate to the sensitivity of the information we maintain. Safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Information. They include physical, technical, and managerial measures to keep Personal Information protected from unauthorized access. No system for safeguarding personal or other information is 100% secure and even though we have taken steps to protect your Personal Information from being intercepted, accessed, used or disclosed by unauthorized persons, we cannot fully eliminate security risks associated with Personal Information.

Data Retention

XPO retains Personal Information as is reasonably necessary to fulfill the purposes described in this Policy and in accordance with XPO’s data retention schedule. We may retain your Personal Information for longer if it is necessary to comply with our legal or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, enforce our legal agreements and policies, address other legitimate business needs, or as permitted or required by applicable law. We may also retain your Personal Information in a deidentified or aggregated form so that it can no longer be associated with you.

To determine the appropriate retention period for your Personal Information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we collect or process your Personal Information; and, applicable legal requirements. Personal Information does not include certain categories of information, such as publicly available information from government records, and deidentified or aggregated Consumer information.

Regarding the recruiting process, XPO keeps the Personal Information that we obtain about applicants for no longer than is necessary for the purpose for which it is processed, being specified that for unsuccessful applicants, this information will be erased at the latest two (2) years following the last contact or in accordance with local laws.

Consumer Rights

California Consumers including applicants, employees and contractors have certain individual rights, subject to limitations. These rights include the following:

Right To Know About Personal Information Collected or Disclosed. You have the right to request additional information beyond that disclosed above regarding the following, to the extent applicable:

• the categories of Personal Information XPO collected about you

• the categories of sources from which that Personal Information was collected

• the business or commercial purposes for which that information was collected, sold, or shared

• the categories of third parties to whom the information was disclosed

• the specific pieces of Personal Information collected

Upon receipt of a verifiable request to know, and as required by applicable law, we will provide a response to such request.

Right To Request Deletion of Your Personal Information. You have the right to request that we delete the Personal Information we collected or maintain about you. Once we receive your request, we will let you know what, if any, Personal Information we can delete from our records, and will direct any service providers and contractors to whom we disclosed your Personal Information to also delete your Personal Information from their records.

There may be circumstances where we cannot delete your Personal Information or direct service providers or contractors to delete your Personal Information from their records. Such instances include, without limitation, when the information at issue is maintained: (a) to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with XPO and compatible with the context in which you provided the information, or (b) to comply with a legal obligation.

Upon receipt of a verifiable request to delete (see below), and as required by applicable law, we will provide a response to such requests.

Right to Request Correction. You have the right to request that XPO correct any inaccurate Personal Information we maintain about you, considering the nature of that information and purpose for processing it. Upon receipt of a verifiable request to correct, and as required by the CCPA, we will provide a response to such requests.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate or retaliate against you for exercising any of the rights described above.

Right to Opt Out of Selling and Sharing. We may Sell or Share Personal Information collected from visitors to our website. Please see our Privacy Policy at https://www.xpo.com/privacy-policy/ for additional information including how you can opt out of the Sale or Sharing of Personal Information.Sensitive Personal Information. We do not use or disclose your sensitive Personal Information for purposes that, with limited exceptions, are not necessary to

• provide our products and services as reasonably expected by an average Consumer requesting those goods and services, or

• for the application or employment related purpose for which we collect it or as reasonably expected by an average individual in this context, or for other permitted purposes under the CCPA or as authorized by regulation.Submitting Consumer Rights Requests. To submit a rights request, please contact us at 1 (877) 255-9930 or email us at ccparequest@xpo.com. We reserve the right to only respond to verifiable Consumer requests to know, delete, or correct that are submitted as instructed. Verifiable Requests. A verifiable Consumer request is one made by any individual who is:

• the Consumer who is the subject of the request,

• a Consumer on behalf of the Consumer’s minor child, or

• the authorized agent of the Consumer.

If you do not have an account with XPO, we may ask for some Personal Information to verify your identity and your rights to the data subject to your request. To verify your identity, we may ask you to verify Personal Information we already have on file for you. If we cannot verify your identity from the information we have on file, we may request additional information which we will only use to verify your identity, and for security or fraud-prevention purposes. We may not be able to respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond.

Our Response. We reserve the right to charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will attempt to notify you as to why we made that decision and provide a cost estimate before completing your request. We will endeavor to respond to a verifiable Consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. To the extent permitted by the CCPA, we will respond to no more than two requests during any 12-month period.

Designating an Authorized Agent. You may authorize a natural person or a business (the Agent) to submit a Request to Know, Correct, Delete, or Limit Use of Sensitive Personal Information on your behalf. The Agent must provide signed permission to submit the request, and you must either (i) verify your own identity with the business or (ii) directly confirm with us that you provide permission to the Agent. These steps are not required when you have provided the authorized agent with power of attorney pursuant to California Probate Code sections 4000 to 4465. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.

Changes to this Policy

As XPO expands and improves this Site, we may need to update this policy. This policy may be modified from time to time without prior notice. We encourage you to review this policy on a regular basis for any changes.

Contact XPO

If you have any comments or questions about this Notice or if there are other things we can do to maximize the value of this Site to you, please email info@XPO.com. If you have questions about XPO’s privacy practices general, or wish to report a violation of the provisions of this Notice, please email:

privacy@XPO.com, or

write to:

XPO, Inc.
Attn: Chief Legal Officer and Corporate Secretary
179 Lincoln Street
Boston, MA 02111

Last Updated: This policy was last revised June 26, 2023