Privacy Policy

Last updated April 20, 2026  ·  oemwheel.com

This privacy notice for Factory Parts, LLC (doing business as OEMWheel.com), located at 3725 E Lamar Alexander Pkwy, Maryville, TN 37804 ("we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

  • Visit our website at https://oemwheel.com, or any website of ours that links to this privacy notice
  • Purchase or browse our OEM & replacement wheel products
  • Place an order with us through a third-party marketplace (including Amazon and eBay)
  • Engage with us in other related ways, including sales, marketing, or events

Questions or concerns? Reading this notice will help you understand your privacy rights and choices. If you do not agree with our policies, please discontinue use of our Services. For questions, contact us at help@OEMWheel.com.

1. What Information Do We Collect?

Personal information you disclose to us: We collect personal information that you voluntarily provide when you register on the Services, make a purchase, express interest in our products or services, participate in activities on the Services, or contact us. This may include:

  • Names and email addresses
  • Phone numbers
  • Mailing and billing addresses
  • Usernames and passwords
  • Payment information (processed securely via Stripe; we do not store full card numbers)
  • Order history and purchase data

Information we receive from third-party marketplaces: When you place an order with us through Amazon, eBay, or another marketplace, we receive the order information and customer contact details necessary to ship your order (name, shipping address, phone number, and marketplace order ID). See Section 7 for details on how we handle marketplace customer information.

Information automatically collected: When you visit our Services, certain information is collected automatically, including:

  • Log and usage data (IP address, browser type, pages viewed, time spent)
  • Device data (device type, operating system)
  • Cookie and tracking data (see Section 8)

All personal information you provide must be true, complete, and accurate. Please notify us of any changes.

2. How Do We Process Your Information?

We process your information to provide, improve, and administer our Services, communicate with you, prevent fraud, comply with law, and fulfill any other purpose with your consent. Specifically, we process your information to:

  • Facilitate account creation and authentication
  • Process and fulfill your orders, payments, and returns
  • Send you order confirmations, shipping updates, and customer service responses
  • Respond to inquiries and offer support
  • Send marketing and promotional communications (where permitted)
  • Protect our Services and prevent fraudulent transactions
  • Comply with our legal obligations (tax, accounting, recordkeeping)

3. Data Classification

We classify the information we handle into four tiers. Each tier has corresponding access, storage, and handling requirements.

| Tier | Examples | Handling Requirements |
|---|---|---|
| Tier 1: Highly Sensitive | Full payment card numbers (never stored by us — tokenized by Stripe); account passwords (stored only as one-way hashes); government-issued ID information where collected | Encrypted in transit and at rest; strictly need-to-know access; never logged; never emailed |
| Tier 2: Personal Information (PII) | Customer names, email addresses, phone numbers, shipping and billing addresses, order history, marketplace buyer details (Amazon/eBay) | Encrypted at rest; access limited to authorized staff with a business need; shared only with subprocessors listed in Section 6 |
| Tier 3: Internal Business | Internal order numbers, SKUs, inventory counts, supplier cost data, internal analytics | Accessible to authorized staff; not shared externally without agreement |
| Tier 4: Public | Product catalog, pricing, marketing content, published policies | Intended for public distribution |

4. Records of Processing Activities

The table below summarizes the categories of personal information we process, the purpose of processing, the legal basis, the retention period, and the recipients.

| Data Category | Purpose | Legal Basis | Retention | Recipients |
|---|---|---|---|---|
| Account credentials (username, hashed password) | Account authentication and access control | Performance of contract | Duration of account + 90 days after closure | Internal only |
| Contact information (name, email, phone, billing/shipping address) | Order fulfillment, customer service, account management | Performance of contract; legal obligation (tax) | Up to 7 years (tax and accounting recordkeeping) | Shipping carriers; marketplace of origin (for marketplace orders); AWS (hosting) |
| Payment data (tokenized card reference, billing ZIP) | Payment processing, fraud prevention, refunds | Performance of contract; legitimate interest (fraud prevention) | Full card numbers are never stored; tokens retained by Stripe per Stripe policy | Stripe |
| Order history | Order fulfillment, reorders, returns, warranty, tax recordkeeping | Performance of contract; legal obligation | Up to 7 years | Internal; marketplaces (for orders originating there); tax authorities as required by law |
| Amazon / eBay marketplace buyer PII | Fulfillment of marketplace order only | Performance of contract | No longer than 30 days post-fulfillment unless a longer period is required by law (tax records, subject to access-controlled storage) | Shipping carriers only; never shared for marketing |
| Marketing preferences (email opt-in) | Marketing and promotional email | Consent | Until consent is withdrawn | Transactional/marketing email provider |
| Usage and log data (IP address, browser, pages viewed) | Security, fraud prevention, analytics, service improvement | Legitimate interest | Up to 12 months | Internal; Google (reCAPTCHA signals only) |
| Customer support correspondence | Respond to and resolve inquiries | Performance of contract; legitimate interest | Up to 3 years after last contact | Internal; email service provider |

5. When and With Whom Do We Share Your Information?

We may share your information in the following situations:

  • Service providers / subprocessors: We share data with the third-party vendors listed in Section 6, each of which is bound by contractual confidentiality and data protection obligations.
  • Marketplaces: For orders that originate on Amazon, eBay, or another marketplace, we share order status and tracking information back to that marketplace to complete fulfillment.
  • Business transfers: In connection with a merger, acquisition, or sale of assets.
  • Legal requirements: We may disclose information when required by law, court order, or to protect our legal rights.
  • With your consent: We may share your information with your explicit permission.

We do not sell your personal information to third parties.

6. Third-Party Service Providers (Subprocessors)

The table below lists the non-supplier subprocessors we use to operate the Services. Wheel and parts suppliers that may appear on an order invoice are not listed here because they do not receive customer personal information beyond the shipping label required to fulfill your order.

| Provider | Purpose | Data Categories | Region |
|---|---|---|---|
| Stripe, Inc. | Payment processing and fraud prevention | Payment token, billing address, order amount | United States |
| Amazon Web Services (AWS) | Cloud hosting, database (RDS), object storage (S3), application servers (Elastic Beanstalk) | All stored data, encrypted at rest | United States |
| Amazon.com, Inc. (Selling Partner APIs) | Source of marketplace orders placed on Amazon | Amazon buyer name, shipping address, phone, order details | United States |
| eBay Inc. | Source of marketplace orders placed on eBay | eBay buyer name, shipping address, phone, order details | United States |
| UPS | Shipping and delivery | Recipient name, shipping address, phone, package details | United States |
| Google (reCAPTCHA) | Bot and abuse prevention on forms | IP address, browser signals | United States |
| Transactional and marketing email provider | Order notifications and opt-in marketing email | Name, email address, message content | United States |

An up-to-date list is maintained in our internal processing register. Material additions will be reflected in an update to this notice.

7. Amazon Marketplace Customer Information

When a customer places an order with us on Amazon, we receive the personal information Amazon makes available to sellers for the purpose of fulfilling that order. We handle Amazon customer information in strict accordance with the Amazon Services Business Solutions Agreement, the Amazon Acceptable Use Policy, and the Amazon Data Protection Policy. Specifically:

  • Purpose limitation: Amazon customer personal information is used solely to fulfill the Amazon order — including shipping, returns, refunds, warranty support, tax recordkeeping, and legally required reporting. It is never used to contact Amazon customers for marketing purposes.
  • Retention: Amazon customer personal information is retained for no longer than 30 days after the order has been fulfilled, except where a longer retention period is required by law (for example, tax and accounting recordkeeping may require retention of order and invoice records for up to 7 years). Any information retained beyond 30 days is kept in access-controlled storage and used only for those legal purposes.
  • No unauthorized disclosure: Amazon customer personal information is never shared with, sold to, or otherwise disclosed to any third party except (a) the shipping carrier required to deliver the order, (b) Amazon itself for order-status updates, or (c) where disclosure is required by law.
  • Encryption in transit: Amazon customer personal information is transmitted only over TLS 1.2 or higher.
  • Encryption at rest: Amazon customer personal information is stored only in encrypted databases and object storage (AES-256 encryption provided by AWS RDS and S3).
  • Access controls: Access is limited to authorized personnel with a documented business need to fulfill Amazon orders. Access is logged.
  • Incident response: See Section 12 for our data breach notification commitments, including 24-hour notification to Amazon as required by the Amazon Data Protection Policy.

The same handling principles described in this section apply to customer personal information we receive from any other third-party marketplace (including eBay).

8. Do We Use Cookies and Other Tracking Technologies?

We may use cookies and similar tracking technologies (web beacons, pixels) to collect and store information. Cookies help us:

  • Keep you logged in across sessions
  • Remember your cart and preferences
  • Understand how visitors use our site (analytics)
  • Deliver and measure reCAPTCHA security checks

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of the Services may not function properly without cookies.

9. How Do We Handle Social Logins?

We do not currently offer social login (sign in with Google, Facebook, etc.). All accounts are created directly on oemwheel.com using your email and password.

10. How Long Do We Keep Your Information?

We retain your personal information only as long as necessary for the purposes outlined in this notice, unless a longer period is required by law (such as tax and accounting requirements). The specific retention periods for each category of information are listed in the Records of Processing Activities table in Section 4. When we no longer have a legitimate business need to process your personal information, we will delete or anonymize it.

11. How Do We Keep Your Information Safe?

We have implemented appropriate technical and organizational security measures to protect your personal information, including:

  • Encryption in transit: TLS 1.2 or higher is enforced for all connections to the Services and for all communication with subprocessors.
  • Encryption at rest: All personal information stored in our databases is encrypted using AES-256 at the storage layer (AWS RDS encryption); file storage (AWS S3) is encrypted using AES-256 (SSE-S3); backups inherit the same encryption.
  • Credential protection: Passwords are stored as one-way hashes (never in plain text). Application and database credentials are held in environment variables, not in source code.
  • Payment isolation: Full payment card data is processed entirely by Stripe (PCI DSS Level 1). We do not store card numbers.
  • Access control: Internal access to personal information is limited to authorized personnel with a documented business need; administrator actions are logged.
  • Abuse and fraud prevention: Rate limiting, reCAPTCHA, and session controls on authentication and checkout flows.
  • Patch and update management: Operating systems, frameworks, and dependencies are regularly updated to address known vulnerabilities.

No electronic transmission over the internet or information storage technology is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security.

12. Data Breach Notification

If we become aware of a security incident that results in — or is reasonably likely to have resulted in — the unauthorized access, disclosure, loss, alteration, or destruction of personal information, we will act promptly to investigate, contain, and remediate the incident.

Notification timeline. We will notify affected users, affected marketplace partners (including Amazon and eBay), and relevant supervisory authorities within 24 hours of our confirmed discovery of a qualifying incident, consistent with the Amazon Data Protection Policy and applicable law.

Notification contents. Each notification will include, to the extent known at the time of the notice:

  • The nature of the incident and the approximate date it occurred
  • The categories of personal information affected
  • The likely consequences of the incident
  • The remedial and containment actions we have taken or intend to take
  • A point of contact for additional information

We maintain an internal incident response plan that assigns roles, escalation paths, and documentation requirements, and we test this plan periodically.

13. Do We Collect Information from Minors?

We do not knowingly collect data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18. If we learn that personal information from a user under age 18 has been collected without parental consent, we will deactivate the account and promptly delete such data. If you become aware of any such data, please contact us at help@OEMWheel.com.

14. What Are Your Privacy Rights?

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access — request a copy of the personal information we hold about you
  • Right to rectification — request correction of inaccurate or incomplete information
  • Right to erasure — request deletion of your personal information
  • Right to object — object to processing of your personal information
  • Right to data portability — request transfer of your data to another service
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at help@OEMWheel.com. We will respond within 30 days.

Account holders may review or update their account information by logging in and visiting their account settings page.

Opting out of marketing emails: You may unsubscribe from our marketing emails at any time by clicking the "unsubscribe" link in any email or contacting us directly. Note that we may still send transactional emails related to your orders.

15. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting. At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

16. Do United States Residents Have Specific Privacy Rights?

Residents of certain US states (California, Colorado, Connecticut, Virginia, etc.) may have additional privacy rights under applicable state laws, including the right to know what personal data is collected, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising these rights.

We do not sell personal information. To exercise your state-specific rights, contact us at help@OEMWheel.com.

17. Do We Make Updates to This Notice?

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this page. We encourage you to review this notice periodically. If we make material changes, we may notify you by posting a notice on our website or by emailing registered users.

18. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may contact us at:

OEMWheel.com
3725 E Lamar Alexander Pkwy
Maryville, TN 37804
United States

Phone: +1 (865) 324-0690
Email: help@OEMWheel.com

19. How Can You Review, Update, or Delete Your Data?

Based on the applicable laws of your country or state, you may have the right to request access to, correct, or delete the personal information we collect from you. To submit a data request, please email us at help@OEMWheel.com with the subject line "Data Request." We will respond within 30 days.
