Last Updated: [February 17, 2025]

This Privacy Policy relates to the information collection and use practices of Ibotta, Inc. (“we,” “us,” or “our") in connection with this investor relations website (investors.ibotta.com) (the “Website”). 

Description of Users and Acceptance of Terms

This Privacy Policy applies to visitors to the Website (“Visitors,” “you,” or “your”).

By accessing our Website, Visitors agree to the terms of this Privacy Policy.

The Information We Collect and How We Use It

We collect or otherwise receive the following types of information in connection with the Website:

Contact Information

The contact information collected on our Website varies depending on the webpage but typically includes some combination of your name, email address, contact type, company information (including address), and any information you provide in messages to us. We use such contact information for purposes such as responding to, and following up on, your inquiries, providing you with requested information, or sending you email alerts or other communications (including marketing emails). Depending on the nature of your message (e.g., purchase of products), we may route your information to an appropriate third party, such as a distributor, to better address such message.

In some cases, such as where you sign up for a webcast, presentation, or other event/service, we may receive your contact information from a third-party website, including those white-labeled under our brand. Where we collect such contact information, our use of such contact information shall be pursuant to this Privacy Policy.  In addition, please see Links to External Websites below for more information on submission of information to third party websites.

Server Logs

Like most websites today, we use web servers that keep log files that record data each time a device accesses those servers. These log files are maintained by our website hosting service and contain data about the nature of such access, including the device’s IP address, user agent string (e.g., operating system and browser type/version), and referral URL (i.e., the external source by which you arrived at our Website, or the pages you’ve clicked on while on our Website). We may wish to use these log files for purposes such as monitoring and troubleshooting errors and incidents, analyzing web traffic, or optimizing the user experience.

Analytics and Usage Data

As is true of many digital properties, we and our third-party partners may automatically collect or process information you provide to us, and information about your device and visit/use of the Services, through technologies such as cookies, local Storage, pixel tags, and other technologies. 

The type of information collected via these technologies may include the following (collectively, “Analytics/Usage Data”):

  • Browser and device information, such as IP address, device or other digital user IDs, browser or device type and version, other user agent string data, preferences and other settings.
  • Website analytics and usage data, such as the path taken to, through, or when exiting our Website, log-in and account credentials, what page you are on or have visited, links clicked, videos or other content viewed, email open rates, mouse movements, scrolls, clicks, keystroke activity, browsing, search, or purchasing behavior, chat function usage and logging of such conversations).

This Analytics/Usage Data is used for purposes such as providing our Website and other services, better understanding our Visitors and how our Website and how other content (e.g., marketing emails, webcasts) are being used, personalizing your Website experience, and remembering “preferences” (e.g., storing log-in credentials, remembering shopping cart items, language or currency preferences).

Google Analytics: To opt-out of Google Analytics (one of the analytics providers we may utilize), you may download the Google-provided browser add-on here: https://tools.google.com/dlpage/gaoptout

General Controls: Please consult your device’s or browser's documentation or settings menus for the choices you may have regarding blocking cookies or other tracking technologies. For example, some browsers allow you to block all third-party cookies on websites.

Aggregate Data

In an ongoing effort to better understand our Visitors and the Website, we might analyze your information in aggregate form to carry out, maintain, manage, and improve operations in connection with the Website.  This aggregate information does not identify you personally.  We may share this aggregate data with our affiliates, agents, and business partners.  We may also disclose aggregated user statistics to current and prospective business partners and to other third parties for other lawful purposes.

Business Transfers

In the event of a merger, dissolution, reorganization, or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal information, would be transferred to the surviving entity in a merger or the acquiring entity and you hereby consent to such transfers. 

Security and Business Integrity

We may use your information to protect our company, our affiliates, our customers, and our services.  We may also use information in order to comply with laws, regulations, court orders, or other legal or financial obligations or to assist in an investigation, protect and defend our rights and property, or the rights or safety of third parties, enforce our Terms of Use, this Privacy Policy, or agreements with third parties, detect and prevent fraud or for crime-prevention purposes, or establish, exercise, or defend legal claims.  

Disclosure to Public Authorities

We are required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal information to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Other Purposes

We may process your personal information for other purposes as otherwise disclosed to you (or pursuant to your consent) during your experience on, or in relation to, our Website, or any other reason permitted by law.

Sharing with Third Parties

We engage other companies and individuals to perform certain business-related functions in connection with our Website or Visitors. Examples include cloud storage and web hosting providers, distributors, technical assistance and security vendors, database management/back-up services, analytics services, email clients, digital marketing services (e.g., email marketing automation) and other marketing services providers, customer relationship management/CRM platforms, and customer service vendors.  We may also share your information with any of our parent companies, subsidiaries, affiliates, or other companies under common control with us in order to support the purposes described in this Privacy Policy. 

Opt-Out for Email Marketing and Certain Other Communications

You may also manage your receipt of marketing communications by clicking on the "Unsubscribe" (or similar) link located on the bottom of an applicable marketing email and following the instructions found on any page to which the link may take you.

You may also manage your receipt of press releases and other communications (e.g., SEC filings) that you’ve signed up to receive via email by clicking on the link on the bottom of such applicable email communication and following the instructions found on any page to which the link may take you.

You cannot opt out of receiving administrative or transactional e-mails. In all such cases, please allow us a reasonable time to process your request.

How We Protect Your Information

We take commercially reasonable steps to protect your personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.  Please understand, however, that no security system is impenetrable. We cannot guarantee the security of our databases, nor can we guarantee that the information you supply will not be intercepted while being transmitted to and from us over the Internet.

Retention of Personal Information

We will retain your personal information in a form that identifies you only for as long as it serves the purposes for which it was initially collected as stated in this Privacy Policy, subsequently authorized, or as allowed under applicable law.

Children

We do not knowingly collect personal information from children under the age of 13 through the Website. If you are under 13, please do not give us any personal information.  We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children to never provide personal information to us. If you have reason to believe that a child under the age of 13 has provided personal information to us, please contact us at privacy@ibotta.com and we will endeavor to delete that information from our databases.

Important Notice to All Non-US Residents

Our servers are located in the US. If you are located outside of the US, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the US. To the extent permitted under applicable law, your decision to provide such data to us, or allow us to collect such data through our Website, constitutes your consent to this data transfer.

Your U.S. State Privacy Rights

Depending on your state of residency, you may be able to exercise additional rights granted by applicable law in relation to the personal information about you that we have collected, subject to certain limitations. Please click here for additional information regarding these rights and other information under the U.S. state privacy laws.

GDPR

If you are located in the European Economic Area or are otherwise afforded the protections of the General Data Protection Regulation (GDPR), please click here regarding your rights and other information under the GDPR.

Do Not Track

You may enable in your web browser, where and when applicable, the Global privacy Control (GPC) universal opt out mechanism. If enabled in your browser, then the GPC automatically communicates your opt-out preferences with us. Besides the Global Privacy Control (GPC), we do not respond to "Do Not Track" settings or other related mechanisms at this time. Links to External Websites

Our Website may provide links to other digital properties that are controlled by third parties.  Linked digital properties may have their own privacy notices or policies, which we suggest you review.  We are not responsible for the content, usage, terms, privacy policies, or digital properties of any third party. 

Changes to This Privacy Policy

This Privacy Policy is effective as of the ‘Last Updated’ date stated at the top of this Privacy Policy.  We may change this Privacy Policy from time to time with or without notice to you.  By visiting the Website after we make any such changes to this Privacy Policy, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, and without prejudice to the foregoing, our use of your information is governed by the Privacy Policy in current effect. Please refer back to this Privacy Policy on a regular basis.

How to Contact Us

If you have questions about this Privacy Policy, please e-mail us at legal@ibotta.com with “Privacy Policy” in the subject line.

U.S. State Privacy Notice

Last Updated: [February 17, 2025]

This U.S. state privacy notice (this “State Privacy Notice”) is included in our Privacy Policy and applies to our processing of “personal information” of residents covered under the State Privacy Laws in relation to the Website (as the terms “personal information” and “personal data” are defined under those State Privacy Laws) (collectively, “Consumers, “you,” or “your”). Any capitalized terms or other terms not defined herein shall have the meaning given to them elsewhere in our Privacy Policy or, if not defined herein or elsewhere in our Privacy Policy, the applicable State Privacy Law. The term “State Privacy Laws” means, as applicable, the California Consumer Privacy Act (the “CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and other applicable US state data privacy laws.  

To the extent of any conflict between this State Privacy Notice and the rest of our Privacy Policy, this State Privacy Notice shall control only with respect to Consumers and their personal information. If you are located elsewhere, please see our Privacy Policy here.

I. Personal Information We Collect

A. Collection: We collect the categories of personal information listed below and have done so within the past twelve (12) months:
  1. Identifiers – Examples include name, email address, physical address, company name, and title.
  2. Commercial Information – Examples include products or services purchased, obtained, or considered and demographics/interests.
  3. Internet or Network Activity – Examples include page views, clickthroughs, referral and exiting URLs, time spent on pages, latency, and IP address.
  4. Inferences, such as predictions about your interests and preferences.

More on Sensitive Data: With respect to California’s privacy law (the CCPA), we do not process any data that may be deemed “sensitive” for the purpose of inferring characteristics about you or for a purpose that requires a corresponding opt-out right (the “right to limit”). With respect to the other State Privacy Laws, we do not process any “sensitive data” (as such term or similar term is defined under those laws) in such a manner that requires opt-in consent but, rather, only use such data to provide the services that you request.

B. Sources: The above categories of personal information are collected from you directly or, in the context of Internet or Network Activity, from server logs, or from our third-party partners (e.g., analytics vendors).
C. Business Purposes: We use the above categories of personal information as relevant for the following business purposes:
  • Providing our Website and services
  • Responding to inquiries and other messages
  • To assist us in marketing to you, which includes but is not limited to the provision of marketing materials and emails
  • Analytics (e.g., understanding of how the Website is used, the locations where Consumers engage with the Website, engagement with marketing channels such as email, measuring clickthroughs from URLs)
  • Providing location-specific services (e.g., finding a distributor, store, or event near you)
  • Cybersecurity 
  • Fraud detection and crime prevention
  • Compliance with applicable law
  • Responding to requests by public authorities or assist with investigations 
  • Establishing, exercising, or defending legal claims or otherwise protecting our business and our customers and enforcing our agreements and rights.
  • Optimizing the Website and related services
  • A merger, dissolution, reorganization, or similar corporate event, or the sale of all or substantially all of our assets (including, in each case, any due diligence relating thereto)
  • Internal purposes aligned with Consumer expectations
  • As otherwise either disclosed to you (e.g., via “just-in-time” notices) or pursuant to Consumer consent.
D. Disclosures: For the above business purposes, we disclose each of the categories of personal information above to third parties and service providers such as cloud storage and web hosting providers, distributors, technical assistance and security vendors, database management/back-up services, analytics services, email clients, digital marketing services (e.g., marketing automation), customer relationship management/CRM platforms, and customer service vendors. 

    III. Your Privacy Rights

    Under the state privacy laws covered under this notice, you have the following rights subject to certain limitations under such laws, such as exceptions found in such laws or, in some cases, the inability to verify your identity:

    The Right to Access

    Under the State Privacy Laws, you have the right to obtain confirmation regarding whether we are processing your personal information and to access that personal information. You also have the right to access that personal information in a portable, readily usable format, unless not technically feasible to provide in such a format. 


    Specifically with respect to the CCPA’s right to access, you have the right to request the following: (a) the specific pieces of personal information the business has collected about you and (b) the categories of personal information collected, the sources of collection, the business/commercial purpose for collecting or "selling/sharing" personal information, and the categories of third party to whom the business discloses personal information.

    The Right to Delete

    You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions under the State Privacy Laws.

    The Right to Correction

    You have the right to request that inaccuracies in your personal information be corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.

    Opt-Out Rights

    Under State Privacy Laws, you have the right to opt-out of “sales” and “shares” of personal information, “targeted advertising,” and certain use/disclosure of “sensitive” personal information.  


    We do not “sell” or “share personal information or process personal information for “targeted advertising.” Further, pursuant to the CCPA, we do not process “sensitive information” for purposes of inferring characteristics about your or otherwise for a purpose that requires a corresponding opt-out right (i.e., the “right to limit”).


    We do not have actual knowledge of “sharing” or “selling” the personal information of consumers under sixteen (16) years old.

    Exercising Your Rights: To exercise the access, correction, and deletion rights described above, please submit a request to us by either: 

    • Filling out this form: LINK
    • Calling us at 720-664-3302
    • Email: privacy@ibotta.com

    You have the right to not receive retaliatory or discriminatory treatment for the exercise of your rights. However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you our products and services or engage with you in the same manner. 

    Please note that a record of your requests, including how we responded and any correspondence or documentation related thereto, may be kept pursuant to our legal obligations.

    IV. Verifying Your Rights Requests

    Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. Before processing your request, we may need to verify your identity and confirm you are a resident of a state that offers the requested rights. 

    Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information. This process may require us to request additional personal information from you, including, but not limited to, your email address or phone number or date of last interaction with us.

    In certain circumstances under the State Privacy Laws, you are permitted to use an authorized agent to submit requests on your behalf (using the mechanisms for submitting requests above), where we can verify the authorized agent’s authority to act on your behalf.

    In order to verify the authorized agent’s authority to submit requests on your behalf, we generally require evidence of either (i) a valid power of attorney under the relevant state laws or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided and your state of residency, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request. 

    We will only use the personal information that you have provided in a verifiable request in order to verify your request. As stated above, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority.

    Please note that we may refuse to act on a request if such request is excessive, repetitive, manifestly unfounded, or falls within one or more of the permitted exceptions under State Privacy Laws.

    V. Appealing Privacy Rights Decisions

    If you are a resident of a state with a State Privacy Law giving you the right to appeal a privacy rights decision, then you may submit an appeal request by emailing us at privacy@ibotta.com with the subject line, “Privacy Request Appeal” and all relevant details.

    VI. How to Contact Us

    If you have any questions regarding our privacy practices as it relates to this State Privacy Notice, please contact us via email at privacy@ibotta.com with the subject line, “State Privacy Notice.”

    GDPR Privacy Notice

    Last Updated: [February 17, 2025]

    This General Data Protection Regulation (GDPR) privacy notice (this “GDPR Notice”) is included in our Privacy Policy and applies to the “personal data,” as defined in the GDPR, of natural persons located in the European Economic Area or otherwise subject to the protections of the GDPR (“Covered Individuals,” “you,” or “your”) processed by us in relation to the Website. Any capitalized terms or other terms not defined herein shall have the meaning given to them elsewhere in our Privacy Policy or, if not defined herein or elsewhere in our Privacy Policy, the GDPR.

    To the extent of any conflict between this GDPR Notice and any other provision of the Privacy Policy, this GDPR Notice shall control only with respect to Covered Individuals and their personal data. If you are located elsewhere, please see our Privacy Policy here.

    Controller Disclosure & Details:  We are a data controller of personal data regarding Visitors for the purposes and under the legal bases described in the table below.

    Data Subject Category

    Purpose & Legal Basis of Processing










    Visitors

    Provide Our Website and Services: We will process Visitors’ personal information to provide our Website and our services, and will do so as necessary to enter into or perform our contract with you or as otherwise in our legitimate interest in providing our services to you. 

    Information Security: Our web servers will log Visitors’ IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Website usage, combating DDOS or other attacks, and removing or defending against malicious Visitors.

    Email Communications: We will answer inquiries, such as those sent through a Contact Us (or similar) page, pursuant to our legitimate interest in answering such inquiries, ensuring prospective or Visitor satisfaction, and furthering business relationships.

    We will send e-mail marketing communications to Visitors based on their consent. Visitors may also have the option to consent to other e-mail-based communications that are not marketing-related.


    General Business Development: We have a legitimate interest in processing the personal data of Visitors to further business relationships and ensure Visitor satisfaction (e.g., by storing Business Contact information within a CRM or other file, answering inquiries per Email Communications above). 

    Audience Analytics/Geolocation: We utilize web audience measurement tools such as Google Analytics pursuant to Visitors’ consent to understand how Site Visitors interact with our website and optimize the Website and related services. 

    Compliance With Applicable Law and Security and Business Integrity: We will process Visitors’ personal data pursuant to (a) our obligations under member state or Union law or (b) our legitimate interests in complying with applicable law generally. This includes responding to lawful governmental requests and establishing, exercising, or defending legal claims. 

    It also includes protecting our company, our affiliates, our customers, and our services. We may also use information in order to comply with laws, regulations, court orders, or other legal obligations or to assist in an investigation, protect and defend our rights and property, or the rights or safety of third parties, enforce our Terms of Use, this Privacy Policy, or agreements with third parties, detect and prevent fraud or for crime prevention purposes.  

    Other: We may process Visitors’ personal data for other purposes as otherwise disclosed to you (e.g., via “just-in-time” notices).

    Recipients: Our personnel process Visitors’ personal data for the purposes listed above. Such personal data is also disclosed to the following categories of recipients in relation thereto: Cloud storage and web hosting providers, distributors, technical assistance and security vendors, database management/back-up services, analytics services, email clients, digital marketing services (e.g., marketing automation), customer relationship management/CRM platforms, and customer service vendors. 

    Retention: We process Visitors’ personal data for as long as we have a legitimate business relationship with such Visitors or unless otherwise deleted upon request by such Visitors. 

    Your GDPR Rights: You have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting privacy@ibotta.com with the subject line “GDPR Notice.”  

    You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under our Standard Contractual Clauses. 

    Contact details for the data protection authorities in the European Economic Area (EEA) can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. Contact details for the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), can be found at: https://ico.org.uk/global/contact-us/

    Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within a marketing email. In such case, your personal data will no longer be used for that purpose. 

    Transfer of Personal Data To Outside the EEA: Where otherwise not transferring personal data to an “adequate” country or organization, we rely on Standard Contractual Clauses to ensure adequate protection for your personal data.

    Governmental Access Requests: We may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas. 

    Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. 

    Updates to this GDPR Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Notice, and the “Last Updated” date at the top of this page will be updated accordingly. 

    How to Contact Us: Reach out to Privacy@Ibotta.com with the subject line “GDPR Notice” for any questions, complaints, or requests regarding this GDPR Notice.