プライバシー通知に関する州の補足事項

以下の「州の補足事項」はプライバシー通知を補足し、その一部を形成します。

一貫性を保つため、大文字で表記された用語の意味は、別途明記されていない限り、こちらで説明されている意味になります。

ワシントン州にお住まいの方は、こちらをクリックしてください。

ネバダ州にお住まいの方は、こちらをクリックしてください。

このページは、運用や規制の変化に対応するために必要に応じて更新されることにご注意ください。

本項の大文字の用語は、カリフォルニア州プライバシー権法（CPRA）によって改正されたカリフォルニア州消費者プライバシー法（CCPA）に基づいて定義された意味を持ちます。

CPRAに基づき、お客様には以下の権利があります。

• 個人情報を削除する権利。お客様には、当社にお客様の個人情報を削除するようリクエストする権利があります。このリクエストを確認した後、特定の例外が適用されない限り、この情報を削除いたします。
• 不正確な情報を訂正する権利。お客様には、個人情報が不正確である場合、その修正を要求する権利があります。このリクエストを確認した後、特定の例外が適用されない限り、当社は商業的に合理的な努力をもってこの情報を修正いたします。
• 個人情報のカテゴリおよび特定の情報を知る権利。お客様には、当社が収集、使用、開示、および/または販売する個人情報を知る権利があります。
• 個人情報の販売または共有を拒否する権利。お客様には、自身の個人情報の販売または共有の拒否を要求する権利があります。
• 機密性の高い個人情報の使用と開示を制限する権利。お客様には、当社がお客様の機密個人情報を使用することを、当該商品またはサービスを依頼する平均的な消費者が合理的に期待するサービスの実行または商品の提供に必要な範囲に限定し、または具体的に列挙された事業目的の遂行に限定するよう指示する権利があります。
• 報復されない権利。これらの権利を行使したことに対して、報復や差別を受けることはありません。
  

これらの権利のいずれかを行使したい場合は、data-requests@get-carrot.comまでお問い合わせください。機密個人情報の使用を制限する権利を行使するには、提供されたメールアドレスで当社に連絡するだけでなくて、このページからリクエストを送信することもできます。

This Connecticut Addendum supplements the information set forth in our Privacy Notice and applies if you are a resident of Connecticut. It describes how Carrot collects, uses, discloses, and protects your Personal Information, and the rights you have under the Connecticut Data Privacy Act (“CTDPA”), as amended, and the consumer health data provisions of Connecticut law.

To the extent there is any conflict between this Addendum and the Privacy Notice, this Addendum controls for Connecticut residents.

Categories of Personal Information We Collect, Use, and Disclose

For details about the categories of Personal Information we collect, the purposes for which we process Personal Information, the legal bases on which we rely, and the categories of third parties with whom we share Personal Information, please see the “Collection, Use, and Disclosure of Personal Information” section of the Privacy Notice.

The Personal Information we collect about you may include sensitive data under Connecticut law, including data that reveals your mental or physical health condition, diagnosis, disability, or treatment; biometric data (when processed to uniquely identify you); precise geolocation data; and data revealing racial or ethnic origin or sexual orientation. We process sensitive data only with your consent, and we obtain separate consent before selling any sensitive data.

Sources of Personal Information

We collect Personal Information directly from you, automatically through your use of the Service, from your Plan Sponsor, from third parties acting on your behalf or on behalf of your Plan Sponsor, and from connected sources you elect to link to your Carrot experience (such as Apple HealthKit, Android Health Connect, or Withings devices).

Sale of Personal Information

We do not sell your Personal Information for monetary consideration. To the extent any disclosure of your Personal Information constitutes a “sale” under the CTDPA, you have the right to opt out as described below.

Profiling and Automated Decision-Making

We do not use solely automated processing to make decisions about you that produce legal or similarly significant effects without meaningful human review. For more information about our use of artificial intelligence and machine learning, including our approach to human oversight, see the “Use of Artificial Intelligence (AI) and Machine Learning (ML)” section of the Privacy Notice.

If a decision concerning you has been made through profiling that produces a legal or similarly significant effect, you have the right to question the outcome, be informed of the reasoning behind the decision, review the personal data used in the decision, and, where applicable, request that the decision be reevaluated.

Your Rights Under the CTDPA

As a Connecticut resident, you have the following rights:

• Right to confirm and access. You may confirm whether we are processing your Personal Information and request access to that Personal Information, including, where applicable, the inferences we have derived from it. Certain categories of higher-risk data (including Social Security numbers, government identifiers, financial account numbers, account credentials, and biometric data) will not be disclosed in response to an access request; instead, we will confirm with sufficient particularity that we have collected such data.
• Right to correct. You may request that we correct inaccuracies in your Personal Information.
• Right to delete. You may request that we delete Personal Information we have collected from or about you.
• Right to data portability. You may obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to obtain a list of third parties. You may request a list of the specific third parties (or, at our option, the categories of third parties) to whom we have disclosed your Personal Information.
• Right to opt out. You may opt out of (i) the sale of your Personal Information, (ii) targeted advertising, and (iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning you.
• Right to question and reevaluate profiling decisions. Where a profiling decision produces a legal or similarly significant effect concerning you, you have the right to question the outcome, be informed of the reasoning, review the personal data used, and, where applicable, request reevaluation.
• Right to withdraw consent. Where we rely on your consent to process Personal Information, you may withdraw that consent at any time.
• Right to appeal. If we deny your request, you have the right to appeal our decision. We will respond to your appeal within 60 days. If we deny your appeal, we will provide you with information on how to submit a complaint to the Connecticut Attorney General.

How to Exercise Your Rights

To exercise any of these rights, contact us at data-requests@get-carrot.com. We will respond to verifiable consumer requests within 45 days. If we need additional time (up to an additional 45 days), we will inform you of the extension and the reason for it.

You may also designate an authorized agent to submit requests on your behalf. We may require reasonable proof of the agent’s authority and may require you to verify your identity.

Universal Opt-Out Mechanisms

We recognize universal opt-out preference signals (such as the Global Privacy Control) sent through privacy-protective browsers or browser extensions, where the signal allows us to accurately determine that you are a Connecticut resident.

Consumer Health Data

Consumer health data — including data that identifies your physical or mental health condition or diagnosis, gender-affirming health data, and reproductive or sexual health data — is subject to additional protections under Connecticut law. We obtain your consent before processing or selling consumer health data, and we maintain contractual safeguards with any processor that handles consumer health data on our behalf.

Complaints

You may file a complaint with the Connecticut Attorney General at Connecticut Office of the Attorney General .

‍

This Nebraska Addendum supplements the information set forth in our Privacy Notice and applies if you are a resident of Nebraska. It describes how Carrot collects, uses, discloses, and protects your Personal Information, and the rights you have under the Nebraska Data Privacy Act (“NDPA”).

To the extent there is any conflict between this Addendum and the Privacy Notice, this Addendum controls for Nebraska residents.

Categories of Personal Information We Collect, Use, and Disclose

For details about the categories of Personal Information we collect, the purposes for which we process Personal Information, the legal bases on which we rely, and the categories of third parties with whom we share Personal Information, please see the “Collection, Use, and Disclosure of Personal Information” section of the Privacy Notice.

The Personal Information we collect about you may include sensitive data under Nebraska law, including data that reveals your mental or physical health diagnosis; genetic or biometric data processed to uniquely identify you; precise geolocation data; data revealing racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; and personal data collected from a known child. We process sensitive data only with your consent.

Sources of Personal Information

We collect Personal Information directly from you, automatically through your use of the Service, from your Plan Sponsor, from third parties acting on your behalf or on behalf of your Plan Sponsor, and from connected sources you elect to link to your Carrot experience.

Sale of Personal Information

We do not sell your Personal Information for monetary consideration. To the extent any disclosure of your Personal Information constitutes a “sale” under the NDPA, you have the right to opt out as described below.

Profiling and Automated Decision-Making

We do not use solely automated processing to make decisions about you that produce legal or similarly significant effects without meaningful human review. For more information about our use of artificial intelligence and machine learning, including our approach to human oversight, see the “Use of Artificial Intelligence (AI) and Machine Learning (ML)” section of the Privacy Notice.

Your Rights Under the NDPA

As a Nebraska resident, you have the following rights:

• Right to confirm and access. You may confirm whether we are processing your Personal Information and request access to that Personal Information.
• Right to correct. You may request that we correct inaccuracies in your Personal Information.
• Right to delete. You may request that we delete Personal Information we have collected from or about you.
• Right to data portability. You may obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to opt out. You may opt out of (i) the sale of your Personal Information, (ii) targeted advertising, and (iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning you.
• Right to withdraw consent. Where we rely on your consent to process Personal Information, you may withdraw that consent at any time.
• Right to non-discrimination. You will not be discriminated against for exercising any of these rights, provided that the refusal to provide Personal Information or a deletion request does not prevent us from providing you the Service.

How to Exercise Your Rights

To exercise any of these rights, contact us at data-requests@get-carrot.com. We will respond to verifiable consumer requests within 45 days. If we need additional time (up to an additional 45 days), we will inform you of the extension and the reason for it.

You may also designate an authorized agent to submit opt-out requests on your behalf.

Universal Opt-Out Mechanisms

We recognize universal opt-out preference signals sent through privacy-protective browsers or browser extensions, where the signal allows us to accurately determine that you are a Nebraska resident.

Complaints

You may file a complaint with the Nebraska Attorney General at Data Privacy Homepage | Protect The Good Life .

This Delaware Addendum supplements the information set forth in our Privacy Notice and applies if you are a resident of Delaware. It describes how Carrot collects, uses, discloses, and protects your Personal Information, and the rights you have under the Delaware Personal Data Privacy Act (“DPDPA”).

To the extent there is any conflict between this Addendum and the Privacy Notice, this Addendum controls for Delaware residents.

Categories of Personal Information We Collect, Use, and Disclose

For details about the categories of Personal Information we collect, the purposes for which we process Personal Information, the legal bases on which we rely, and the categories of third parties with whom we share Personal Information, please see the “Collection, Use, and Disclosure of Personal Information” section of the Privacy Notice.

The Personal Information we collect about you may include sensitive data under Delaware law, including data that reveals your mental or physical health condition or diagnosis (including pregnancy status); genetic or biometric data processed to uniquely identify you; precise geolocation data; data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, or citizenship or immigration status; status as transgender or nonbinary; and personal data collected from a known child. We process sensitive data only with your consent.

Sources of Personal Information

We collect Personal Information directly from you, automatically through your use of the Service, from your Plan Sponsor, from third parties acting on your behalf or on behalf of your Plan Sponsor, and from connected sources you elect to link to your Carrot experience.

Sale of Personal Information

We do not sell your Personal Information for monetary consideration. To the extent any disclosure of your Personal Information constitutes a “sale” under the DPDPA, you have the right to opt out as described below.

Profiling and Automated Decision-Making

We do not use solely automated processing to make decisions about you that produce legal or similarly significant effects without meaningful human review. For more information about our use of artificial intelligence and machine learning, including our approach to human oversight, see the “Use of Artificial Intelligence (AI) and Machine Learning (ML)” section of the Privacy Notice.

Your Rights Under the DPDPA

As a Delaware resident, you have the following rights:

• Right to confirm and access. You may confirm whether we are processing your Personal Information and request access to that Personal Information.
• Right to correct. You may request that we correct inaccuracies in your Personal Information.
• Right to delete. You may request that we delete Personal Information we have collected from or about you, including Personal Information we collected through third parties.
• Right to data portability. You may obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to obtain a list of third parties. You may request a list of the categories of third parties to whom we have disclosed your Personal Information.
• Right to opt out. You may opt out of (i) the sale of your Personal Information, (ii) targeted advertising, and (iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning you.
• Right to withdraw consent. Where we rely on your consent to process Personal Information, you may withdraw that consent at any time.
• Right to appeal. If we deny your request, you have the right to appeal our decision. We will respond to your appeal within 60 days. If we deny your appeal, we will provide you with information on how to submit a complaint to the Delaware Department of Justice.

How to Exercise Your Rights

To exercise any of these rights, contact us at data-requests@get-carrot.com. We will respond to verifiable consumer requests within 45 days. If we need additional time (up to an additional 45 days), we will inform you of the extension and the reason for it.

You may also designate an authorized agent to submit requests on your behalf. We may require reasonable proof of the agent’s authority and may require you to verify your identity.

Universal Opt-Out Mechanisms

We recognize universal opt-out preference signals sent through privacy-protective browsers or browser extensions, where the signal allows us to accurately determine that you are a Delaware resident.

Complaints

You may file a complaint with the Delaware Department of Justice at privacy@delaware.gov or at Personal Data Privacy Portal - Delaware Department of Justice - State of Delaware .

This New Jersey Addendum supplements the information set forth in our Privacy Notice and applies if you are a resident of New Jersey. It describes how Carrot collects, uses, discloses, and protects your Personal Information, and the rights you have under the New Jersey Data Privacy Act (“NJDPA”).

To the extent there is any conflict between this Addendum and the Privacy Notice, this Addendum controls for New Jersey residents.

Categories of Personal Information We Collect, Use, and Disclose

For details about the categories of Personal Information we collect, the purposes for which we process Personal Information, the legal bases on which we rely, and the categories of third parties with whom we share Personal Information, please see the “Collection, Use, and Disclosure of Personal Information” section of the Privacy Notice.

The Personal Information we collect about you may include sensitive data under New Jersey law, including data that reveals your mental or physical health condition or diagnosis; financial information (including account numbers and credentials providing access to financial accounts); genetic or biometric data processed to uniquely identify you; precise geolocation data; data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, transgender or nonbinary status, or citizenship or immigration status; and personal data collected from a known child. We process sensitive data only with your consent.

Sources of Personal Information

We collect Personal Information directly from you, automatically through your use of the Service, from your Plan Sponsor, from third parties acting on your behalf or on behalf of your Plan Sponsor, and from connected sources you elect to link to your Carrot experience.

Sale of Personal Information

We do not sell your Personal Information for monetary consideration. To the extent any disclosure of your Personal Information constitutes a “sale” under the NJDPA, you have the right to opt out as described below.

Profiling and Automated Decision-Making

We do not use solely automated processing to make decisions about you that produce legal or similarly significant effects without meaningful human review. For more information about our use of artificial intelligence and machine learning, including our approach to human oversight, see the “Use of Artificial Intelligence (AI) and Machine Learning (ML)” section of the Privacy Notice.

Your Rights Under the NJDPA

As a New Jersey resident, you have the following rights:

• Right to confirm and access. You may confirm whether we are processing your Personal Information and request access to that Personal Information.
• Right to correct. You may request that we correct inaccuracies in your Personal Information.
• Right to delete. You may request that we delete Personal Information we have collected from or about you.
• Right to data portability. You may obtain a copy of your Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to opt out. You may opt out of (i) the sale of your Personal Information, (ii) targeted advertising, and (iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning you. We will process opt-out requests within 15 days of receipt.
• Right to withdraw consent. Where we rely on your consent to process Personal Information, you may withdraw that consent at any time.
• Right to non-discrimination. You will not be discriminated against for exercising any of these rights.
• Right to appeal. If we deny your request, you have the right to appeal our decision. We will respond to your appeal within a reasonable time. If we deny your appeal, we will provide you with information on how to submit a complaint to the New Jersey Division of Consumer Affairs.

How to Exercise Your Rights

To exercise any of these rights, contact us at data-requests@get-carrot.com. We will respond to verifiable consumer requests within 45 days (with the exception of opt-out requests, which we process within 15 days). If we need additional time (up to an additional 45 days), we will inform you of the extension and the reason for it.

You may also designate an authorized agent to submit opt-out requests on your behalf.

Universal Opt-Out Mechanisms

We recognize universal opt-out preference signals sent through privacy-protective browsers or browser extensions, where the signal allows us to accurately determine that you are a New Jersey resident.

Complaints

You may file a complaint with the New Jersey Division of Consumer Affairs at https://www.njconsumeraffairs.gov/.