Privacy notice

Introduction

chevron_right
Purpose and scope

Carrot Fertility, Inc. (“Carrot,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Notice explains how your Personal Information is collected, used, stored, processed, transferred, and disclosed by Carrot.

This Privacy Notice applies to our website https://get-carrot.com (our "Website") and any other website, mobile application, or online service that links to this Privacy Notice (collectively, our "Service").

The Service may contain links to and from third party websites of our business partners, advertisers, and social media sites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. We may also share a user ID with third-party websites allowing us and the third-party website provider to jointly track specified activities across both websites. We strongly recommend that you read their privacy policies and terms and conditions of use to understand how they collect, use, and share information.We are not responsible for the privacy practices or the content on the websites of third party sites.

Before accessing or using our Service, please ensure that you have read and understood our collection, storage, use, and disclosure of your Personal Information as described in this Privacy Notice.

chevron_right
HIPAA Applicability

To the extent that you are subject to United States benefit and taxation laws, and that your employer has established a health reimbursement arrangement plan or HRA (i.e., the “Covered Entity”), Carrot is considered a Business Associate to the Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Please review the Covered Entity’s “Notice of Privacy Practices (NPP)” for an explanation of how that entity will collect, use, disclose, and protect your “Protected Health Information (PHI).”

chevron_right
Important Terminology

Carrot is the “Data Controller” responsible for protecting your Personal Information, which means we determine and are responsible for how your Personal Information is handled. Your employer will also initially send us your name and eligibility information ("Employee Eligibility File"). If you have queries regarding the information contained in the Employee Eligibility File, please contact your employer, who is the Data Controller of such information.

"Personal information" encompasses all “Personal Data” as defined in Art. 4 (1) of the General Data Protection Regulation ("GDPR"), meaning any information that relates to an identified or identifiable individual; provided, that in such circumstance(s) that applicable data protection laws require otherwise, “Personal information” has the meaning ascribed to it in such law(s).

Geographic considerations

chevron_right
Supplemental information for certain states

If your state of residence has specific privacy requirements that go beyond the general scope of this Privacy Notice, it is listed below:

  • California
  • Texas
  • Washington
  • Nevada

Please click here to see more detailed information.

If you are a resident of Washington, you can also click here.

If you are resident of Nevada, you can also click here.

Also, please note that we will update this list as necessary to address evolving operations and regulations.

If you are a resident of a state that is not listed above, please contact us at legal@get-carrot.com if you have any questions about this Privacy Notice.

chevron_right
Supplemental Information for certain countries

If your country of residence has specific privacy requirements that go beyond the general scope of this Privacy Notice, it is listed below:

Region
Jurisdictions
Europe, the Middle East, and Africa (EMEA)
European Union (EU); United Kingdom (U.K.); Switzerland; Serbia; Turkey; South Africa
Latin America
Chile; Colombia; Guatemala; Brazil
Asia
China; The Philippines; Thailand; India
North America
Canada; Mexico
Oceania
Australia; New Zealand

Please click here to see more detailed information.

Also, please note that we will update this list as necessary to address evolving operations and regulations.

If you are a resident of a jurisdiction that is not listed above, please contact us at legal@get-carrot.com if you have any questions about this Privacy Notice.

chevron_right
International data transfers

In order to provide services, Carrot will store and process your Personal Information in the United States. To the extent that your local jurisdiction considers this an “international data transfer,” we will comply with that jurisdiction’s requirements for transferring Personal Information to other countries.

For Residents of the EEA, Switzerland, and the United Kingdom

When your employer sends us your name and eligibility information ("Employee Eligibility File"), we will store and process that information in the United States. To comply with applicable regulatory requirements (e.g., the GPDR) on “international data transfers,” we will sign appropriate contractual mechanisms with the “data exporter” (i.e, your employer). For instance, if you are an EEA resident, Carrot and your employer will sign Module 2 of the EU Standard Contractual Clauses (SCCs).

For Residents of the EEA and Switzerland

In addition, we are currently in the process of “self-certifying” to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, and we will update this page if and when our application is approved to reflect our participation in and commitment to these Principles.

Collection, use, and disclosure of personal information

Collection

chevron_right
Personal information we collect from you and from third parties

How we collect Personal Information

We collect Personal Information about you when you voluntarily submit information to us when you use our Service. This can include information you provide to us when you register for an account, send us messages, subscribe to our mailing lists, newsletters or other forms of marketing communications related to the Service, participate in a survey, or use some other feature of our Service.

We may also collect information about you from our third party partners, as further described here.  

Your Choices and Preferences Regarding How we Collect your Information

For further information on your rights and choices regarding your information, see here.

We will indicate to you where the provision of certain Personal Information is mandatory and where it is optional. If you choose not to provide Personal Information marked as mandatory, we may not be able to provide you with requested products, services, or information.

Categories of Personal Information we Collect

The categories of Personal Information we collect may include, without limitation:

  • Contact and profile information
  • Sensitive Personal Information, such as health data and data about your sexual orientation
  • Information provided through comments, chats, and opinions
  • Payment and transaction information
  • Location information
  • Information provided by third parties
  • Information about fraudulent or criminal activity related to your account

Linking and Combining Personal Information from Different Sources

We also link or combine your activities and information collected from you on our websites with information we collect automatically through tracking technologies. This allows us to provide you with a personalized experience regardless of how you interact with us.

A Note on Children’s Privacy

Carrot does not knowingly collect or solicit any information from anyone under the age of 18 on this Service. In the event that we learn that we have inadvertently collected Personal Information from a child under age 18, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 18, please contact us using the contact details set out at the end of this Privacy Notice. We encourage parents and guardians to spend time online with their children and to participate and monitor the interactive activities of their children.

chevron_right
Personal information we collect through automated means

How we Collect this Information

When you use our Service, read our emails, or otherwise engage with us through a computer or mobile device, we and our third-party partners automatically collect information about how you access and use the Service and information about the device you use to access the Service.

We typically collect this information through a variety of tracking technologies, including cookies, location-identifying technologies, and similar technology (collectively, “tracking technologies”).

See here for more detail on the tracking technologies we use.

Third Party Data Collection of User Experience Information

When you use the Service, we may use third party tools to monitor user experience information. These tools automatically collect usage information, including mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected is de-identified and does not include passwords, payment details, or other sensitive Personal Information. We use this information for site analytics, optimization, and to improve website usability. We do not permit this information to be shared with or used by third parties for their own purposes.

Linking and Combining Personal Information from Different Sources

Information we collect automatically about you may be combined with other Personal Information we collect directly. For example, we may combine your location based on your IP address that we have collected automatically with your email address that you have provided.

For further information on third parties using tracking technologies please see here.

For further information on your choices regarding your information, including choices around tracking technologies, see here.

Use

chevron_right
Overview of how and why we use personal information

This section sets out the categories of Personal Information we collect about you, and explains how and why we use that information. It also lists the legal bases on which we rely to process personal Information. You hereby expressly acknowledge and agree that the collection and processing described in this Privacy Notice are necessary for our performance of our obligations under the Terms & Conditions.

For further information on your rights and choices regarding your information, see here.

chevron_right
Contact and profile information

This category includes Personal Information we collect--such as your name, phone number, address, date of birth, and e-mail address, and your partner’s name, phone number, address, date of birth, and e-mail address--when you register for our Service, request a Carrot Card or any other product offered through the Service, or otherwise communicate or interact with us.

Purpose of Data Processing
Legal Basis for Data Processing
To create your account and to communicate with you directly about the Service.
The processing is necessary for the performance of a contract and to take steps prior to entering into a contract.
To set up and send you a Carrot Card, or any other product offered through the Service as requested by you.
The processing is necessary for the performance of a contract and to take steps prior to entering into a contract.
To communicate with you,  including to answer any questions, issues, or concerns you have.
The processing is necessary for our legitimate interests, namely communicating with users in relation to the Service.
To send you marketing communications in accordance with your preferences.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
To better tailor the marketing communications that you receive.
The processing is necessary for our legitimate interests, namely to promote and advertise our products and services.
To verify eligibility for services offered by third party partners and service providers.
The processing is necessary for performance of a contract and our legitimate interests, namely improving the member experience.
chevron_right
Data regarding your health and information about your sexual orientation

This category includes sensitive information, such as your and your partner's gender identities, interest in various fertility health and family-forming options, any relevant diagnoses you may have received, and related health information.

Purpose of Data Processing
Legal Basis for Data Processing
To provide you with our Services, specifically to recommend appropriate providers, clinics, agencies, and lawyers in order to help you determine the most appropriate treatments and services.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
To validate requests for reimbursement related to fertility treatments and other services, and to determine any taxes owed.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
To validate your eligibility for and use of the Carrot Card®, as applicable, including to validate your Carrot Card® transactions and, in some cases, to determine whether or not you are eligible for the Carrot Card® based on eligibility rules set by your employer.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
To send you relevant information and recommendations (such as learning material or contact details for appropriate providers and other professionals), and to support you with efficient and personalized guidance.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
To collect clinical outcomes data, through voluntary surveys we may send to you, in order to improve services and further our mission of bringing fertility care to all.
We will only process your Personal Information in this way to the extent you have given us consent to do so, unless applicable data privacy laws provide an alternative legal basis, such as legitimate interests, in which case we may rely on a combination of consent and/or legitimate interest.
To grant your partner access to your account to help you throughout your fertility health and family-forming journey.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
chevron_right
Comments, chats, and opinions

When you contact us directly, e.g., by email, phone, mail, or by completing an online form or participating in online chat, we will record your comments and opinions. We will also record comments and opinions you express when responding to surveys we run.

Purpose of Data Processing
Legal Basis for Data Processing
To address your questions, issues, and concerns and improve our products and services.
The processing is necessary for our legitimate interest, namely for communicating with users in relation to the Service.
We may use your comments and opinions to determine products and services that may be of interest to you.
The processing is necessary for our legitimate interest, namely to enable us to tailor our product and service recommendations to you and your interests.
To communicate with you, including to answer any questions, issues, or concerns you have.
The processing is necessary for our legitimate interests, namely communicating with users in relation to the Service.
We may use the personal details you provide to us via our public-facing online forms to analyze the results of our marketing efforts.
The processing is necessary for our legitimate interest, namely to analyze the use of our Service.
To record audio and video calls for quality assurance purposes.
We will only process your Personal Information in this way to the extent you have given us consent to do so.
chevron_right
Expense, payment, and transaction information

This category includes Information such as your Employee ID, your receipts for fertility care and other services, whether you or your partner received the care, the date of your or your partner’s treatments, and your payment information, such as your credit card or bank account details.

Purpose of Data Processing
Legal Basis for Data Processing
To validate your treatment expenses and to determine any taxes owed.
The processing is necessary for our legitimate interests, namely verifying the validity of your expenses incurred for fertility care treatment.
To arrange reimbursements from your employer.
The processing is necessary for the performance of a contract.
To detect and prevent fraud.
The processing is necessary for our legitimate interests, namely the detection and prevention of fraud.
To process any financial transactions when you purchase products available to you through the Service.
The processing is necessary for the performance of a contract.
chevron_right
Location information

This category includes Information about your location. We may approximate your location based on your IP address.

Purpose of Data Processing
Legal Basis for Data Processing
We use your location information to provide personalized content, to enhance your experience, to improve the effectiveness of our websites and mobile applications, and to analyze and evaluate our Service.
The processing is necessary for our legitimate interest, namely to tailor our Service to the user and to improve our Service generally.
chevron_right
Information provided by social networks

When you interact with our Service through various social media networks, such as when you Like us on Facebook or when you follow Carrot or share Carrot content on Facebook, Twitter, Snapchat, LinkedIn, Instagram or other sites, we may receive information from those social networks including your profile information, picture, user ID associated with your social media account, friends list, and any other information you permit the social network to share with third parties. Records are kept until you delete your social media account.

Purpose of Data Processing
Legal Basis for Data Processing
We use this information to communicate or interact with you on the social network. The data we receive is dependent upon your privacy settings with the social network. You should always review and, if necessary, adjust your privacy settings on third party websites and social media networks and services before linking or connecting them to our website or Service.
The processing is necessary for our legitimate interest, namely to communicate with individuals through social media.
chevron_right
Information about your communication preferences

You may select your preferences for notifications, marketing communications, and site display, as further detailed here. Records of your selections are deleted upon deactivation.

Purpose of Data Processing
Legal Basis for Data Processing
We use this information to personalize our Service to you and to better understand the interests and demographics of our users. For these purposes, we may combine this information with the information we collect from you directly.
The processing is necessary for our legitimate interest, namely ensuring the user can view our site and receive correct marketing communications.
chevron_right
Information provided by third parties

We may receive information from third parties. This information may include sensitive information, such as health care claims history and health information.

Purpose of Data Processing
Legal Basis for Data Processing
We use this information to personalize our Service to you, to better understand the interests and demographics of our users, and to analyze and evaluate our Service. For these purposes, we may combine this information with the information we collect from you directly.
The processing is necessary for our legitimate interest, namely to tailor our Service to the user and to improve our Service generally.
chevron_right
Information about fraudulent or criminal activity related to your account
Purpose of Data Processing
Legal Basis for Data Processing
We will use information about fraudulent or criminal activity relating to your use of our Service for the purposes of detecting and preventing fraud or abuse.
The processing is necessary for our legitimate interest, namely the detection and prevention of fraud.
chevron_right
All personal information set about above
Purpose of Data Processing
Legal Basis for Data Processing
We will use all the Personal Information we collect to operate, maintain and provide to you the features and functionality of the Service, to communicate with you, to monitor and improve our Service and business, and to help us develop new products and services.
The processing is necessary for our legitimate interest, namely to provide and improve our Service and to develop new products and services.

Disclosure

chevron_right
How and why we may disclose your information
Recipient Category
Personal Information Disclosed and Purpose of Disclosure
Your Employer

When you submit reimbursement requests for processing, we may share the following information with your employer for disbursement, payroll, and tax purposes, or as otherwise required by applicable law:

  • Your name;
  • Your Employee ID (or other unique identifier);
  • The amount of your reimbursement request; and
  • Whether the reimbursement was related to an infertility diagnosis (and/or another reimbursement category).

Your information may also be shared with your employer for:

  • Reporting purposes, including for enhanced metrics reporting provided in collaboration with data warehouse vendors and (as applicable) consultants;
  • To meet administrative obligations;
  • To investigate suspected fraud or misuse;
  • As necessary to assist the employer with verifying and correcting information related to the service (e.g., payment correction).
Health Plans

We will share certain Personal Information with health plans to help make our Service available to you and/or for deductible tracking purposes.

Third Party Partners and Service Providers

We will share certain Personal Information with third party partners and service providers, as necessary to achieve the purpose for which we have shared it, which may include (but is not limited to) fulfilling your orders for products available through our Service as requested by you, confirming your eligibility for services provided by third party partners and service providers, as described, improving our Service and business, providing mailing services, web hosting, or providing analytic services.  

Any such service providers and partners will be given limited access to Personal Information as reasonably necessary to achieve such purpose and will, by appropriate data processing agreements or analogous contractual provisions, be bound to only process Personal Information on our behalf and for specifically enumerated purposes; if you would like to more specifically understand the services our third party partners render, please contact us at legal@get-carrot.com.

Independent Third Party Providers and Advisors

We may share your Personal Information with third party providers and advisors where this is necessary to achieve our legitimate interests, such as conducting security audits, consulting tax consultants and lawyers, or engaging payment processors to process payment transactions.

Purchasers and Third Parties in Connection with a Business Transaction

Personal Information may be disclosed to third parties in connection with a Carrot-related transaction, such as a merger, sale of Carrot assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by a third party, or in the event of a bankruptcy or related or similar proceedings.

Law Enforcement

In the event that we receive a request for Personal Information from law enforcement, we will follow three basic principles to protect your privacy:

  • To the extent permitted by applicable law or regulatory authority, we will promptly notify you of any such request.
  • We will not share any Personal Information with law enforcement unless we are required to do so under a valid and legally binding request (e.g., subpoena, court order) specifying the data that is sought.
  • Even then, we will only share the bare minimum necessary to comply with that request and will never provide information beyond the scope of that request.
Payments Provider

We may use third-party payment services to process payments made through the Service. If you wish to make a payment through the Service, for example by using the Carrot Card, your payment information may be collected by a third-party payment service provider, such as Stripe Inc., and not by us, and thus will be subject to the third-party’s privacy notice (Privacy Policy) rather than this Privacy notice.

Care Providers

If you request a self-referral to a care provider, including without limitation fertility clinics, third-party assisted reproduction agencies, or assisted reproduction attorneys, we may share your Personal Information with those care providers, as indicated at the time of your request.

Your choices and control over your information

chevron_right
Your profile

You may update your profile information, such as your name, address, or bank account information.

chevron_right
California "Do Not Track (DNT)" disclosure requirements

Carrot Fertility does not currently honor the Do Not Track (DNT) browser signal.

If you are a resident of California, see here for more information about your rights.

chevron_right
How to control your communications preferences

To the extent provided in applicable data protection laws, we will only send you promotional and marketing emails, or contact you for promotional or marketing purposes by phone or SMS, if you have given us your explicit consent.  For US-based members, we will only contact you for promotional or marketing purposes by phone or SMS if you have given us your explicit consent.  You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may opt-out of receiving promotional calls, SMS/texts and direct mail communications from Carrot at any time with future effect as set forth in our Terms of Service. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Service, technical and security notices).

chevron_right
Cookies and tracking preferences

Most browsers allow you to adjust your browser settings to: (i) notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Blocking or deleting cookies may negatively impact your experience using the Service, as some features and services may not work properly.

You may set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you viewed or engaged with our emails.

Deleting cookies does not delete Local Storage Objects (LSOs) such as Flash objects and HTML5. To manage Flash cookie settings and preferences, you must use the settings manager on Adobe’s website or by clicking here. If you choose to delete Flash objects from our Service, then you may not be able to access and use all or part of the Service or benefit from the information and services offered.

Some of these opt-outs may not be effective unless your browser is set to accept cookies. If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt-out again.

Your rights with respect to your information

chevron_right
Your rights under applicable data protection laws

In addition to the ways in which you can manage the use of your information as outlined in the previous section (“Your Choices and Control Over Your Information”), you may also exercise the rights granted to you under applicable data protection laws.

At a minimum, you have and may exercise the rights listed below.

If you are a resident of a state or country listed in this section, please see State Addenda to Privacy Notice  and Country Addenda to Privacy Notice, respectively, to learn more about your jurisdiction-specific rights.

  • Right to object. The right to object, on grounds relating to your particular situation, to the processing of your Personal Information which is carried out in the public interest or in our legitimate interests, and to object to processing of your Personal Information for direct marketing purposes.
  • Right of access. The right to obtain access to your Personal Information along with certain related information;
  • Right to rectification. The right to obtain rectification of your Personal Information without undue delay where that Personal Information is inaccurate or incomplete;
  • Right to erasure. The right to obtain the erasure of your Personal Information without undue delay in certain circumstances, such as where the Personal Information is no longer necessary in relation to the purposes for which it was collected or processed;
  • Right to restriction. The right to obtain the restriction of the processing undertaken by us on your Personal Information in certain circumstances, such as where the accuracy of the Personal Information is contested by you, for a period enabling us to verify the accuracy of that Personal Information; and
  • Right to data portability. The right to receive your Personal Information in a commonly used format and to have your Personal Information ported to another Data Controller;
  • Right to withdraw consent. If you have provided consent for the processing of your Personal Information, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your Personal Information before your withdrawal.

If you wish to exercise one of these rights, contact us at data-requests@get-carrot.com.

chevron_right
Your right to lodge a complaint with data protection authorities

In addition to the rights listed above, you may have the right to lodge a complaint with the applicable data protection authority in your jurisdiction, if you consider that a processing of your Personal Information infringes the applicable data protection laws. If you are an EU resident, further information about how to contact your local data protection authority is available at JUSTICE AND CONSUMERS ARTICLE 29 - National Data Protection Authorities. However, we encourage you to first reach out to us by using the contact details available here so that we have an opportunity to address your concerns directly and find a solution together before you lodge a complaint.

How we store and protect your information

chevron_right
Data storage and transfer

Your information collected through the Service will be stored and processed in the United States and may be processed in any other country in which Carrot or its affiliates or service providers maintain or have access to facilities. Please note that these internal and external international transfers of your Personal Information are made pursuant to appropriate safeguards, as further discussed here.

If you wish to inquire further about these appropriate safeguards, please contact us at legal@get-carrot.com.

chevron_right
Keeping your information safe

We care about the security of your information and employ physical, administrative, and technological safeguards designed to preserve the integrity and security of all information collected through our Service. When you enter sensitive information (such as a credit card number) on our order forms or login credentials (such as username and password) on our platform login, we encrypt the transmission of that information. However, no security system is impenetrable, and we cannot guarantee the security of our systems 100%. In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

chevron_right
Retention of your information

Unless applicable law requires a longer retention period, we will retain your information only as long as necessary for the purposes outlined in this Privacy Notice and for a commercially reasonable time thereafter for backup, archival, fraud prevention or detection, or audit purposes.

To determine the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, and applicable legal requirements.

Questions about and changes to this privacy notice

chevron_right
Questions about this privacy notice

If you have any questions about this Privacy Notice or the website, please contact us at legal@get-carrot.com.

chevron_right
Changes to this privacy notice

As a general practice, we plan to update this Privacy Notice once every six months. We may, however, update it more or less frequently, depending on operational and regulatory circumstances. Either way, if we have your email address, we will notify you of any material changes. We will update the “Effective Date” at the bottom of this page when we post changes to this Privacy Notice. If you object to any changes, you may close your account. Continuing to use our Service after we publish changes to this Privacy Notice means that you have read and understood the changes.

Effective Date: March 1, 2024