Skip to content
banner image

Privacy Policy

Please read this privacy policy (this “Privacy Policy”) carefully; once you consent to this Privacy Policy and its terms, it creates legal obligations on you and on G&W.

This Privacy Policy applies to our E-commerce website available at https://store.gwrr.com (the “Website”) operated by Genesee & Wyoming Railroad Services, Inc., along with our U.S. and Canadian affiliates and subsidiaries (“G&W,” “we,” “our”, or “us”), as well as to the services and information available on the Website (collectively, the “Services”). This Privacy Policy describes how we collect, use, and disclose information obtained through our Website or that you otherwise provide to us, including Personally Identifiable Information (hereinafter defined), governs how we treat this information, and lets you know your associated rights, including how to contact us about our privacy practices. From time to time, we may change this Privacy Policy for our business purposes and to comply with changes in Applicable Law. Your continued use of the Website following the posting of such updated Privacy Policy constitutes your agreement to follow and be bound by the updated Privacy Policy.

1.    Scope of This Privacy Policy.

This Privacy Policy applies to our affiliates in the U.S. and Canada.

2.    Your Consent to This Privacy Policy.

You indicate your consent to the terms of this Privacy Policy in different ways.

2.1    Your Consent for Our Collection and Use of Information Other than Personally Identifiable Information.

Our Website allows you to use certain of our Services or review certain information available on our Website, without providing us with any Personally Identifiable Information. For users who do not provide us with Personally Identifiable Information (as such term is defined in Section 3.1 (Personally Identifiable Information)), we consider their continued use of our Website as their consent to this Privacy Policy with regard to our collection and use of any information other than their Personally Identifiable Information.

2.2    Your Consent for Our Collection and Use of Personally Identifiable Information.

In order to participate in certain of our Services, you must provide us with your Personally Identifiable Information. Users who provide us with their Personally Identifiable Information will be asked for their consent to this Privacy Policy at the point we collect such information.

2.3    Consent by User Acting in a Representative Capacity. 

If you are agreeing to our Privacy Policy on behalf of a company or other legal entity (“Your Organization”), then (i) you represent and warrant that you have authority to act on behalf of, and to bind, Your Organization, and (ii) for all purposes in this Privacy Policy, the term “you” means Your Organization upon whose behalf you are acting.

2.4    Right to Withdraw Consent. 

You have the right to withdraw your consent at any time – please see Section 11 (Your Right to Opt-Out; Object to Processing; Deleting Information) for more information about withdrawing your consent.

3.    The Information We Collect.

To provide our Services, and to otherwise conduct our business via the Website, we rely on information provided by, and collected from, our users. This information consists of the following:

3.1    Personally Identifiable Information. 

We collect certain information that identifies you as an individual (collectively, “Personally Identifiable Information”). The Personally Identifiable Information we collect may include the following:

• Your name;
• Your phone number;
• Your address;
• Your email address;
• Your profession and/or title;
• Your employer and/or company;
• Your academic and/or work history;
• Your equal employment opportunity (EEO) information, such as your gender, race, and ethnicity.

3.2    Non-Personally Identifiable Information.

We also collect technical and device-related information that is not Personally Identifiable Information, and instead identifies, or may reasonably be used to identify, a particular user device (collectively, “Non-Personally Identifiable Information”). Non-Personally Identifiable Information is typically collected automatically by technical means and, subject to Section 3.4 (Treatment of Combined Information), for purposes of our Website and Services, consists of the following:

Device identifiers, such as cookies;
• Device information, such as hardware and software settings;
• IP addresses and log information, such as your device’s name, the type and version of your web browser, and referrer addresses that can function to identify a user device; and
• Tracking information that we, or a third party, may collect.

To the extent that statutes, regulations, and any other laws that apply to the Website or the Services (“Applicable Law”) establish that Non-Personally Identifiable Information constitutes Personally Identifiable Information, and such Applicable Law applies to information about you, we will treat the relevant Non-Personally Identifiable Information as Personally Identifiable Information.

3.3    Anonymous Information.

Our Website also collects, processes, and/or uses information that does not identify you or your devices, including Personally Identifiable Information that has been made anonymous by (i) removing identifying fields and aggregating the information with other information so that individual subjects of the information cannot be re-identified, or (ii) anonymizing the information with techniques that remove or modify the identifying data so as to prevent re-identification of the anonymized information (collectively, “Anonymous Information”). Information that meets these criteria may include, for example, demographic information, statistical information (e.g., page views and hit counts), and general tracking information.

3.4    Treatment of Combined Information. 

We may combine Personally Identifiable Information that you provide to us with other data, including demographic information (such as age, job industry, or job title) for purposes specified in this Privacy Policy. If information we combine in this manner includes your Personally Identifiable Information, we will treat the combined information as your Personally Identifiable Information for all purposes under this Privacy Policy.

4.    How We Collect This Information.

We collect the above information through the following means and technologies:

4.1    Contact with G&W. 

There are a range of methods by which you can communicate with us, including by sending us emails or letters, contacting us by phone, or submitting information via forms (including those managed by third parties on our behalf) or other methods available on our Website. In order to communicate with us through these methods, you must provide certain Personally Identifiable Information.

4.2    Device Identifiers; Logs; IP Addresses. 

To determine whether your device is supported by our Website and Services, we may collect certain information about your device and network, including your IP address, your operating system and browser, your device model, information about your use of the Website or Services, and the presence of any software that our Website or Services may require to operate with your device, or other third party software or mobile apps on your device. We automatically receive and record this information in log files, and this is generally Non-Personally Identifiable Information.

4.3    Cookies. 

A cookie is a small amount of data that is sent to your browser from a website and stored on your computer’s hard drive. Cookies can be used to provide you with a tailored user experience and to make it easier for you to use a website upon a future visit. We may include cookies on our Website and use them to recognize you when you return to our Website. You may choose not to accept cookies; however, you may need to enable cookies if you wish to access certain personalized features of our Services. Cookies alone are typically Non-Personally Identifiable Information.

4.4    Other Technologies and Data Sources.

The Website may use certain data collection technologies that rely on: (i) beacons; (ii) pixel tags and object hyperlinking tags; and (iii) other means to link an object to an Internet address, a remote software application, a remote database, or other remote means of receiving or processing information. We may also send email messages or display links that use a “click-through URL” linked to our Website or to another resource. When you click one of these URLs, you pass through our web server before arriving at the destination website page or other resource. Click-throughs may use and collect Anonymous Information and Non-Personally Identifiable Information. These technologies provide us with Anonymous Information, Non-Personally Identifiable Information and, in certain instances, Personally Identifiable Information.

5.    How We Use This Information.

We use the information we collect or process, including Anonymous Information, Non-Personally Identifiable Information, and Personally Identifiable Information, as permitted under Applicable Law, including where the use is based on: (i) the consent you provide to us at the point of collection and/or during your registration as a registered user; (ii) performance of our agreement to provide you with the Services; (iii) compliance with our legal obligations; and/or (iv) our Legitimate Interests (as defined below), as well as a third party’s Legitimate Interests.

Note that when determining the bases for our use of your information, we rely on what we consider to be the most appropriate basis, even if there are multiple bases available in connection with our use. Furthermore, our “Legitimate Interests” means that there is a good reason for processing your Personally Identifiable Information, and that the processing is carried out in a way that minimizes impacts (if any) on your privacy rights and interests. “Legitimate Interests” also refers to our use of information in ways that you would reasonably expect, based on your relationship to us. For example, there is a Legitimate Interest in collecting and processing your Personally Identifiable Information: (i) to safeguard our Website, Services, networks, content, and related information and resources; (ii) to administer and generally conduct our business; and (iii) to prevent fraud.

We use the information we collect for some or all of the following, with additional information set forth under Section 15 (E-Commerce) below:

Our Uses of the InformationBasis for Our Use
To provide you with the Services you request and, specifically, to allow us to send you email with informationPerformance and management of our agreement with you
To conduct fraud monitoring, prevention, and detection activitiesOur Legitimate Interests
To respond to your inquiries, comments, or complaints that you provide to us via the Website, including service issuesPerformance and management of our agreement with you Our Legitimate Interests
To consider your submittals and other expressions of interest in connection with our career opportunitiesOur Legitimate Interests
To customize your visit to and use of the Website and ServicesOur Legitimate Interests
To determine which of our products, services, and content (including, if applicable, our newsletter, questionnaires, and surveys) might interest you and, upon making this determination, to provide you with the associated informationYour consent Our Legitimate Interests
To track access to, and use of, our Website and Services, and conduct data and other analyses, including anonymization and aggregation of Personally Identifiable InformationOur Legitimate Interests
To perform internal administration, auditing, operation, and troubleshooting for our Website and ServicesOur Legitimate Interests
To engage in the activities specified in Section 6 (How We Share This Information)Our Legitimate Interests Compliance with our legal obligations Performance and management of our agreement with you
To evaluate and improve our Website, Services, and our communications, and to develop and test new services and contentOur Legitimate Interests
To comply with Applicable LawCompliance with our legal obligation

6.    How We Share This Information.

We value your privacy, and we share the information we collect only in the manner set out below.

6.1    Our Service Providers. 

We engage third parties to perform functions on our behalf, such as maintaining or managing the Website, collecting information, responding to and sending email or other messages, and other functions useful to our business. To this end, we may provide service providers with Personally Identifiable Information, Non-Personally Identifiable Information, and Anonymous Information.
Use of your information by our service providers as provided in this Privacy Policy may result in your information, including Personally Identifiable Information, being transferred across international borders. It may be transferred to countries that have a different level of data protection laws than the one existing in the county from where you submitted your information. We take appropriate measures to maintain the privacy and security of your information both during transit and at the receiving location by implementing contractual clauses with our service providers in accordance with Applicable Law, including applicable privacy laws. Additional tracking and third party vendors associated with the E-Commerce Website is set forth below under Section 15 (E-Commerce).

6.2    Questions of Harm; Legal Process. 

We may disclose your Personally Identifiable Information and Non-Personally Identifiable Information to third parties, including law enforcement agencies, attorneys, and private investigator organizations, where it is necessary, or where we have a good faith belief that it is necessary:

• To comply with legal process, including to comply with a subpoena or warrant or an order made by a court, person or body with jurisdiction to compel the production of information;
• To protect and defend our rights and property, including the Website, Services, and associated content or to enforce any agreement we have with you;
• To protect against misuse or unauthorized use of our Website or Services, and associated content;
• To protect the personal safety or property of Website users or the public, including your personal safety or property (it being understood that we assume no duty to provide, or monitor the need for, such protections); and
• To cooperate with public and government authorities including, where required, authorities outside your jurisdiction.

While you are not able to opt out of this use of information, we will take reasonable steps to limit such use, and disclose only the information we reasonably believe is necessary for the above purposes. If we receive legal process calling for the disclosure of your Personally Identifiable Information, then we will attempt to notify you within a reasonable amount of time unless such notification is not permitted by Applicable Law.

Further, we will report any unlawful data breach of this Website’s database or the breach of a database(s) of any of our third party data processors that we are aware of to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data, stored in an identifiable manner, has been stolen.

6.3    Business Transfers. 

We shall be entitled to transfer information that we collect (including Personally Identifiable Information) to a third party in contemplation of, or in connection with, a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or substantially all assets or stock of the business unit or division responsible for the information under this Privacy Policy; provided that the acquiring third party has agreed to safeguard your Personally Identifiable Information with protections that are consistent with those set out in this Privacy Policy.

6.4    Our Affiliates. 

We may choose to share the information we collect with our affiliates. By “affiliate” we mean an entity that is closely related to us, such as an entity that controls, is controlled by, or is under common control with, Genesee & Wyoming Inc. Our affiliates will be bound by the terms of this Privacy Policy.

7.    How We Safeguard the Information We Collect.

We recognize the sensitivity of our users’ Personally Identifiable Information and we have put in place security systems designed to prevent unauthorized access to, or disclosure of, Personally Identifiable Information. Our security systems include physical, technical, and administrative information security controls, and we take commercially reasonable steps to secure and safeguard such Personally Identifiable Information in accordance with Applicable Law.

8.    Our Retention of Data.

We retain Personally Identifiable Information for as long as reasonably necessary to fulfill the purposes for which we obtained the Personally Identifiable Information and consistent with Applicable Law. We use the following criteria to set our retention periods: (i) the duration of our relationship with you; (ii) the existence of a legal obligation as to the retention period; and (iii) the advisability of retaining the information in light of our legal position (for example, in light of applicable statutes of limitations, litigation, or regulatory investigations).

9.    Accuracy and Minimization of Data.

We take reasonable steps (i) to maintain the accuracy of the Personally Identifiable Information we process, and (ii) to limit the Personally Identifiable Information that we process to that which is reasonably necessary for the purposes for which we obtained the information.

10.    Accessing and Updating Your Information.

If you would like to review, correct, or update the Personally Identifiable Information that you have provided to us, or if you would like to request an electronic copy of this Personally Identifiable Information for purposes of transmitting it to another company (to the extent Applicable Law provides you with this right to data portability) you may make such requests of us as provided in Section 17 (Contact Us).

11.    Your Right to Opt-Out; Object to Processing; Deleting Information.

11.1    Deleting Information. 

If you request, we will take reasonable steps to remove your name and email address from our databases, within the time frames (if any) set out in Applicable Law. Please understand, however, that if you request the deletion of your information, you will no longer be able to receive certain Services. In addition, it may be impractical (or essentially impossible) to remove the requested information completely, due to requirements promulgated by Applicable Law, and/or data backups and records of deletions. As such, certain Personally Identifiable Information may remain in our databases following the deletion of your account; we will continue to treat the remaining information (if any) in accordance with this Privacy Policy and Applicable Law.

11.2    Objections.

If you object to our processing of your Personally Identifiable Information, and a request for us to delete this information is not, in your view, sufficient, please contact us as provided in Section 17 (Contact Us).

11.3    Anonymous Information. 

We will not delete Anonymous Information from our database, and nothing in this Privacy Policy restricts our use of Anonymous Information.

12.    Advisory Regarding Participation by Children and Teens.

Under U.S. Federal Law (as reflected in the Children’s Online Privacy Protection Act), WE DO NOT COLLECT OR STORE ANY PERSONALLY IDENTIFIABLE INFORMATION FROM INDIVIDUALS THAT WE KNOW ARE UNDER THE AGE OF 13.

13.    Notice of Privacy Rights to California Residents.

The following provisions of this Section 13 (Notice of Privacy Rights to California Residents) applies if you are a California resident.

13.1    Shine the Light Law.

California law requires certain businesses to respond to requests from California users who ask about business practices related to disclosing Personally Identifiable Information to third parties for direct marketing purposes. The California “Shine the Light” law further requires us to allow California residents to opt out of certain disclosures of Personally Identifiable Information to third parties for their direct marketing purposes.

13.2    California Consumer Privacy Act Disclosure.

The California Consumer Privacy Act (the “CCPA”) provides various rights to individuals and households with respect to the collection and use of Personally Identifiable Information that we have collected about you. Among other rights under the CCPA, you have the right to request that we (i) disclose to you any Personally Identifiable Information that we have about you (including Personally Identifiable Information about you that is sold), and (ii) subject to certain exceptions, delete Personally Identifiable Information that we have about you. Moreover, it is unlawful for us to discriminate against you because you exercised any of your rights under the CCPA.

13.2.1    Requesting Information from Us.

If you are a California resident and the CCPA applies to you, then you can submit to us a “verifiable consumer request” requesting that we disclose to you Personally Identifiable Information that we have about you and/or that we delete such Personally Identifiable Information. If you submit a verifiable consumer request that complies with the CCPA, then we will, at our sole cost and within 45 days of a receipt of a compliance verifiable consumer request (which we may extend for an additional 45 days), either (depending on the nature of the request):

• Disclose the following information to you in a readily usable format: (i) the categories of Personally Identifiable Information we have collected about you; (ii) the categories of sources from which such Personally Identifiable Information is collected; (iii) the business or commercial purpose for collecting or selling such Personally Identifiable Information; (iv) the categories of third parties with whom we share such Personally Identifiable Information; and (v) specific pieces of your Personally Identifiable Information that we have collected about you; or
• Delete, and direct our service providers to delete, the Personally Identifiable Information about you that we have collected, unless we are permitted or required to retain such information pursuant to the CCPA or other Applicable Law.

Note that, under the CCPA, you may submit a verifiable consumer request for information disclosures no more than twice in any 12-month period, and our disclosure shall only cover the 12-month period preceding our receipt of a compliant verifiable consumer request. Your right to request that we delete your Personally Identifiable Information is not subject to either of the two preceding limitations.

Finally, for purposes of complying with the CCPA, and with respect to California residents, the term “Personally Identifiable Information” as used in this Privacy Policy includes information about the applicable California resident and her or his household.

13.2.2    Submission of a Verifiable Consumer Request.

You may submit a verifiable consumer request to us through either of the following methods:

13.2.3    No Sale of Personally Identifiable Information; General Disclosures.

We will update our Privacy Policy regularly as required under Applicable Law. We do not sell your Personally Identifiable Information or otherwise share this information in a manner that would constitute a “sale” under the CCPA. We may, however disclose your Personally Identifiable Information for our business purposes in accordance with this Privacy Policy. If you would like to learn about the categories of Personally Identifiable Information that we collect or disclose about you, please refer to the following Sections of our Privacy Policy: (i) Section 3 (The Information We Collect); (ii) Section 4 (How We Collect this Information); (iii) Section 5 (How We Use this Information); and (iv) Section 6 (How We Share this Information).

14.    Do Not Track Notice. 

Our Website does not change its behavior when receiving “Do Not Track” signals from browser software.

15.    E-Commerce

15.1    Site Visitation Tracking

This Website uses Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey throughout the Website.

Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this. We consider Google to be a third party data processor (see Section 15.4 below).

15.2    E-commerce orders

Should you use this Website to place an order for goods, details of the order including personally identifiable information such as your name, delivery address, telephone numbers and email address (but excluding your payment card details) will be stored within this Website’s internal database. This information will also be sent to us via email (via Postmark – see Section 15.4 below) to notify us of your order and also to you in order to confirm or keep you updated on the progress of your order.

15.3    How we store your personal information

Personal data submitted to this Website is stored on encrypted solid state drives on US-based servers operating from one of the world’s leading data centers that are all hosted within phoenixNAP’s Ashburn data center located in ‘Data Center Alley’ in Virginia within the United States of America and is operated by Prostack (see Section 15.4 below).

Some of the data center’s more notable security features are as follows:

  • SOC 1, SOC 2, SOC 3, PCI DSS and SSAE-16 compliant and HIPPAA ready.
  • Multi-level security systems and video surveillance.
  • On-site access via security team escort only.
  • A multi-tenant environment with multi-layered data protection, zero trust policies, industry-leading threat intelligence, and state-of-the-art hardware-enhanced security.

All traffic (transfer of files) between this Website and your browser is encrypted and delivered over HTTPS.

All email from this Website is sent via SMTP mail servers provided by Postmark. Postmark aim to make the sending of email as secure as it can be and we follow all of their best practice recommendations to secure the emails that we send from our Website through their systems.

We consider Postmark to be a third-party data processor (see Section 15.4 below).

15.4    Third-party data processors

We use a number of third parties to process personal data collected by or instigated by this Website on our behalf. These third parties have been carefully chosen and all of them comply with Applicable Law.

15.4.1 Google LLC

Used for Website analytics as outlined in section 3.1Privacy policy

15.4.2 AC PM LLC (Active Campaign / Postmark)

Used to send all email from this Website as outlined in section 15.2. above.

15.4.3 Fellowship Productions Ltd.

The UK-based design and digital marketing agency responsible for building and maintaining this Website.

15.4.4 Stripe Inc.

The global payment provider that we use to process online payments made on this Website. For more information please see Stripe’s Privacy Policy.

6.5 Sharpstack Hosting Ltd. (trading as Prostack)

The UK-based web hosting company used to host this Website’s files and database. For more information please see Prostack’s privacy statement.

16.    Complaints.

If you have complaints regarding our Website or privacy practices that you would like us to address, please contact us at the address set out in Section 16 (Contact Us). You are informed that you can also lodge a complaint with the privacy commissioner or supervisory authority of the state or province where you are located if you have any concerns about our information collection or processing practices. If you are a California resident, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs. Please check with your state or province’s consumer protection authority.
If you are protected by the GDPR with respect to our use of your information, you may lodge a complaint with a data protection authority for your country or region. A list of EU data protection authorities is available at the following website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

17.    Contact Us.

You can contact us regarding this Privacy Policy at dataprivacy@gwrr.com.

Copyright © 2024 Genesee & Wyoming Inc. All Rights Reserved.