What is Uber's privacy policy?

When you signed up for Uber, just like for most mobile apps, you clicked “yes” to its Terms of Service. Among the long paragraphs of legalese you probably read was the company’s privacy policy.

As a maelstrom rages over an Uber executive’s statements regarding recent media coverage, many may be wondering how far the company can go with all the information at its digital fingertips.

The quick answer: it’s complicated.

Essentially, Uber collects basic user data (your name, e-mail and credit card information) as well geo-location data. The company uses that for a range of “internal business purposes,” which could be interpreted broadly.

Now for the long answer.

Privacy policies are not legally required on a federal level unless you’re in a regulated industry such as healthcare, or financial services, although some states — California, for example — have laws on the books that demand them.

Apps like Uber fall under the jurisdiction of the Federal Trade Commission, which can sue companies over deceptive policies if they feel an organization lacks a needed, or sufficient, privacy policy, said Lisa Sotto, a privacy and cybersecurity lawyer at Hunton & Williams.

Uber’s nearly 6,000-word privacy policy is as long as most go, and not the easiest to understand, said Sotto. “They’ve done significant due diligence to put this together,” she said.

For comparison, Lyft’s privacy policy is about 2,000 words, Facebook’s (FB) policy is about 5,300 words and Apple’s (AAPL) is just over 3,000 words.

A typical privacy policy provides information on the data that’s collected, to whom it’s disclosed and the security in place to protect that information. Uber’s policy touches on each of those topics in depth, although the language leaves room for interpretation.

“The policy statement has been carefully crafted,” said Sotto. “So if it’s vague, it’s vague for a reason.”

So, what information does Uber collect, and what does the company say it can do with that information?

Uber collects a user’s name, email, password, mobile phone number, zip code and billing information at sign-up. In addition, it tracks where you are via geo-location and keeps a log of all your trips.

It uses that information “to determine the charge for the transportation you requested via our services, to provide you with support, to send you promotions and offers, to enhance our services and for our internal business purposes.”

Uber may also “from time to time” supplement user information with outside records from third parties.

The company says it may share anonymized data with third parties for industry analysis, and it may provide its vendors with personal information to carry out services, such as using an independent payment processor. Uber doesn’t take responsibility for the privacy practices of those third-party vendors.

Uber will store your personal information and usage data, including geo-location, for as long as an account is active as well as after it’s terminated for as long “as needed to comply with our legal and regulatory obligations … and for other business reason[s].”

This is a top-line summary of Uber’s policy. The full 6,000-plus word rundown is available on the company’s website.

Uber knows a lot about you, so what can it do with that information?