Privacy Shield Policy

A Supplement to our Privacy Policy

Last updated: January 14, 2019

Casto adheres to the EU-U.S. Privacy Shield Framework (the “Framework”) as set forth by the U.S. Department of Commerce regarding the processing of Personal Information (as defined below) that is transferred from the European Economic Area (“EEA”) and Switzerland to the United States. Casto certifies to the Department of Commerce that it adheres to the Privacy Shield Principles (the “Principles”). If there is any conflict between this Policy and the Principles, the Principles will govern. To learn more about the Framework, and to view our certification, please visit

This Privacy Shield Policy supplements our Privacy Policy. Capitalized terms used in this Privacy Shield Policy have the meaning given to them by our Privacy Policy. This Privacy Shield Policy applies to Casto, which is subject to the investigatory and enforcement powers of the Federal Trade Commission and the Department of Transportation.

Personal Information Received from the European Economic Area and Switzerland

Casto may receive from the EEA and Switzerland some or all of the information listed in our Privacy Policy. Some of that information may qualify as “personal information” or “personal data” (collectively, “Personal Information”) as defined in the Principles. To the extent that Casto receives Personal Information from the EEA and Switzerland in reliance on the Framework, Casto will handle such Personal Information in accordance with the Principles.

This Privacy Shield Policy does not apply to the processing of Personal Information we do on behalf of our customers. To learn more about the processing of your Personal Information in that context, please refer to the relevant customer’s privacy notice.

Data Integrity and Purpose Limitation

Casto may use the Personal Information it receives from the EEA and Switzerland for the purposes set forth in our Privacy Policy or as you may otherwise be notified. We take reasonable steps to ensure that the Personal Information we process is reliable for its intended use, accurate, complete, and current to the extent necessary for the purposes for which we use the Personal Information. We will not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you. We will adhere to the Principles for as long as we retain the Personal Information collected under the Framework.

Onward Transfers

Our Privacy Policy describes the circumstances in which we may disclose your information to third parties. We remain responsible for the processing of Personal Information received under the Framework and subsequently transferred to a third party acting as an agent if the agent processes such Personal Information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Data Security

We use reasonable and appropriate measures to protect your Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.


We will give you an opportunity to choose whether your Personal Information may be used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized by you, or if we intend to disclose it to a category of third parties acting as data controllers that we have not previously disclosed to you. In such circumstances, we will notify you and offer you the opportunity to opt out of such uses and/or disclosures where non-sensitive Personal Information is involved, and to opt in where sensitive Personal Information is involved.

Access to Personal Information

Our Privacy Policy sets forth methods by which you may access and/or submit requests to review, correct, update, suppress, or delete information from or about you. Casto will comply with the Principles in its handling of such requests with respect to Personal Information.

Recourse and Enforcement

If you have any questions or concerns, please write to us at the address listed below. We will investigate and attempt to resolve any complaints and disputes regarding our use and disclosure of Personal Information in accordance with the Principles.

If an issue cannot be resolved through Casto’s internal dispute resolution mechanism, you may submit a complaint, at no cost, to JAMS, which serves as Casto’s third-party alternative dispute resolution provider. For claimed violations of the Principles not resolved by these mechanisms, you may be able to invoke binding arbitration as detailed in the Principles.

Contact Information

If you have questions, concerns, or complaints about this Privacy Shield Policy or Casto’s privacy practices, please contact us by email at or write to us at the following address:

Casto Travel
2560 North First Street, Suite 150
San Jose, CA 95131 USA
+1 408-984-7000

Privacy Shield Policy Changes

This Policy may be changed from time to time, consistent with the requirements of the Framework. You can determine when this Policy was last revised by referring to the “Last Updated” legend above. Any changes to this Policy will become effective when posted to our website.