Privacy Notice

Carrot Fertility, Inc. (“Carrot,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Notice explains how your personal information is collected, used, stored, processed, transferred, and disclosed by Carrot.

This Privacy Notice applies to our website https://get-carrot.com (our "Website") and any other website, mobile application, or online service that links to this Privacy Notice (collectively, our "Service").

Before accessing or using our Service, please ensure that you have read and understood our collection, storage, use, and disclosure of your personal information as described in this Privacy Notice.

Unless applicable law requires a longer retention period, we will retain your information only as long as necessary for the purposes outlined in this Privacy Notice and for a commercially reasonable time thereafter for backup, archival, fraud prevention or detection, or audit purposes.

1. CARROT AS CONTROLLER

Carrot is the controller responsible for protecting your personal information, which means we determine and are responsible for how your personal information is handled. Your employer will also initially send us your name and eligibility information ("Employee Eligibility File"). If you have queries regarding the information contained in the Employee Eligibility File, please contact your employer, who is the controller of such information.

"Personal information" encompasses all personal data as defined in Art. 4 (1) of the General Data Protection Regulation ("GDPR"), meaning any information that relates to an identified or identifiable individual; provided, that in such circumstance(s) that applicable data protection laws require otherwise, “Personal information” has the meaning ascribed to it in such law(s).

2. FOR UNITED STATES RESIDENTS

To the extent your employer establishes a health reimbursement arrangement plan or HRA (i.e., the “Covered Entity”) and enters into a Business Associate Agreement with Carrot, Carrot will be considered a Business Associate to the Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

In addition, if you are a resident of California, Texas, or Washington State, please see ANNEX 4.

3. FOR RESIDENTS OF OTHER COUNTRIES

To the extent that your country of residence has specific privacy requirements that go beyond the general scope of this Privacy Notice, please see ANNEX 5. 

Currently, ANNEX 5 includes the following jurisdictions (but please note that we will update this list as necessary to address evolving global operations and regulations):

  • The European Union (EU)
  • The United Kingdom (U.K.) 
  • Switzerland
  • Canada
  • China
  • The Philippines

For residents of non-U.S. jurisdictions that are not listed above:

If you have questions about this Privacy Notice, please contact us at legal@get-carrot.com.

4. WHAT INFORMATION DO WE COLLECT ABOUT YOU AND HOW DO WE USE IT?

We collect personal information about you when you voluntarily submit information to us when you use our Service. This can include information you provide to us when you register for an account, send us messages, subscribe to our mailing lists, newsletters or other forms of marketing communications related to the Service, participate in a survey, or use some other feature of our Service.

We collect certain information automatically when you use the Service, such as information about the pages you look at on our Service, the actions you take while using our Service, and the device you use to access our Service. See Annexes 2 and 3 for more information. 

We may also collect information about you from our third party partners, as described in Annex 1.

The categories of personal information we collect include:

  • Contact and profile information
  • Sensitive Personal Data, including health data and data about your sexual orientation
  • Comments, chat, and opinions
  • Payment and transaction information
  • Location information
  • Information provided by third parties
  • Information about fraudulent or criminal activity related to your account


Annex 1 sets out the categories of personal information we collect about you and how we use that information. It also lists the legal bases on which we rely to process personal information and describes applicable retention periods. You hereby expressly acknowledge and agree that the collection and processing described in this Privacy Notice are necessary for our performance of our obligations under the Terms & Conditions found at https://www.get-carrot.com/terms.

We may also share information with others, such as your employer and third parties, in (1) an aggregated or otherwise de-identified form (e.g., outcomes reporting); and (2) as specified in Annex 1.

For further information on your rights and choices regarding your information, see the “Your Choices and Control Over Your Information” and “Your Rights In Respect Of Your Personal Information” sections below.

We will indicate to you where the provision of certain personal information is mandatory and where it is optional. If you choose not to provide personal information marked as mandatory, we may not be able to provide you with requested products, services, or information.

We also link or combine your activities and information collected from you on our websites with information we collect automatically through tracking technologies. This allows us to provide you with a personalized experience regardless of how you interact with us.

5. WHAT INFORMATION ABOUT YOU IS COLLECTED AUTOMATICALLY AND HOW DO WE USE IT?

When you use our Service, read our emails, or otherwise engage with us through a computer or mobile device, we and our third-party partners automatically collect information about how you access and use the Service and information about the device you use to access the Service.

We use this information to enhance and personalize your user experience, to monitor and improve our Service, and for other business purposes.

We typically collect this information through a variety of tracking technologies, including cookies, location-identifying technologies, and similar technology (collectively, “tracking technologies”).

Information we collect automatically about you may be combined with other personal information we collect directly. For example, we may combine your location based on your IP address that we have collected automatically with your email address that you have provided.

Annex 2 sets out the categories of personal information we and our third party partners collect about you automatically and how we use that information. It also lists the legal basis which we rely on to process the personal information and information as to applicable retention periods. We may also share this information with others, such as your employer or third parties, in (1) an aggregated or otherwise de-identified form and (2) as otherwise specified in Annex 1.

For further information on third parties using tracking technologies please see Annex 3.

For further information on your choices regarding your information, including choices around tracking technologies, see “Your Choices and Control Over Your Information” below.

6. THIRD PARTY DATA COLLECTION OF USER EXPERIENCE INFORMATION  

When you use the Service, we may use third party tools to monitor user experience information. These tools automatically collect usage information, including mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected is de-identified and does not include passwords, payment details, or other sensitive personal data. We use this information for site analytics, optimization, and to improve website usability. We do not permit this information to be shared with or used by third parties for their own purposes.

7. YOUR CHOICES AND CONTROL OVER YOUR INFORMATION

Profile: You may update your profile information, such as your name, address, or bank account information.

California Do-Not-Track Disclosure Requirements: Carrot Fertility does not currently honor the Do Not Track (DNT) browser signal.

How to control your communication preferences:  To the extent provided in applicable data protection laws, we will only send you promotional and marketing emails, or contact you for promotional or marketing purposes by phone or SMS, if you have given us your explicit consent.  For US-based members, we will only contact you for promotional or marketing purposes by phone or SMS if you have given us your explicit consent.  You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may opt-out of receiving promotional calls, SMS/texts and direct mail communications from Carrot at any time with future effect as set forth in our Terms of Service. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Service, technical and security notices).

Modifying or deleting your information: If you have any questions about reviewing, modifying, or deleting your information, or if you want to remove your name or comments from our website or publicly displayed content, you can contact us directly at data-requests@get-carrot.com. We may not be able to modify or delete your information in all circumstances.  Your request to modify or delete your information may affect our ability to provide the Service.

Geolocation: We approximate your location based on your IP address when you access the Service through a computer or device.

Cookies and tracking preferences:

  • Cookies and Flash cookies. Most browsers allow you to adjust your browser settings to: (i) notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Blocking or deleting cookies may negatively impact your experience using the Service, as some features and services may not work properly.

    You may set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you viewed or engaged with our emails.
  • Deleting cookies does not delete Local Storage Objects (LSOs) such as Flash objects and HTML5. To manage Flash cookie settings and preferences, you must use the settings manager on Adobe’s website. If you choose to delete Flash objects from our Service, then you may not be able to access and use all or part of the Service or benefit from the information and services offered.
  • Some of these opt-outs may not be effective unless your browser is set to accept cookies. If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt-out again.

8. HOW WE STORE AND PROTECT YOUR INFORMATION

Data storage and transfer:  Your information collected through our Website may be stored and processed in the United States or processed in any other country in which Carrot or its affiliates or service providers maintain or have access to facilities. Please note that these internal and external international transfers of your personal information are made pursuant to appropriate safeguards, for example as provided in applicable data protection law(s).

If you wish to enquire further about these appropriate safeguards, please contact us using the details set out at section 13 below.

Keeping your information safe:  We care about the security of your information and employ physical, administrative, and technological safeguards designed to preserve the integrity and security of all information collected through our Service. When you enter sensitive information (such as a credit card number) on our order forms or login credentials (such as username and password) on our platform login, we encrypt the transmission of that information. However, no security system is impenetrable, and we cannot guarantee the security of our systems 100%. In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

Retention of your information: The sections in Annexes 1 and 2 set out the applicable retention periods that we use with respect to your personal information.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and the applicable legal requirements.

In summary, we will retain your information only as long as necessary for the purposes outlined in this Privacy Notice and for a commercially reasonable time thereafter for backup, archival, fraud prevention or detection, or audit purposes, or as otherwise required by law.

9. DISCLOSURE OF YOUR INFORMATION

We will share your personal information with the following categories of recipients for the purposes set forth in this section and the Annexes:

Your employer: We will share certain personal information with your employer including, but not limited to, the following:

  • When you submit reimbursement requests for processing, we may share the following information with your employer for disbursement, payroll, and tax purposes, or as otherwise required by applicable law:
    • Your name;
    • Your Employee ID (or other unique identifier);
    • The amount of your reimbursement request; and
    • Whether the reimbursement was related to an infertility diagnosis (and/or another reimbursement category).
  • Your information may also be shared with your employer for:
    • Reporting purposes;
    • To meet administrative obligations;
    • To investigate suspected fraud or misuse;
    • As necessary to assist the employer with verifying and correcting information related to the service (e.g., payment correction).

Health plans: We will share certain personal information with health plans to help make our Service available to you and/or for deductible tracking purposes.

Third party partners and service providers: We will share certain personal information with third party partners and service providers, as necessary to achieve the purpose for which we have shared it, which may include (but is not limited to) fulfilling your orders for products available through our Service as requested by you, confirming your eligibility for services provided by third party partners and service providers, as described in Annex 1, improving our Service and business, providing mailing services, web hosting, or providing analytic services. Any such service providers and partners will be given limited access to personal information as reasonably necessary to achieve such purpose and will, by appropriate data processing agreements or analogous contractual provisions, be bound to only process personal information on our behalf and for specifically enumerated purposes; if you would like to more specifically understand the services our third party partners render, please contact us using the details set out at section 13 below.

Independent third party providers and advisors: We may share your personal information with third party providers and advisors where this is necessary to achieve our legitimate interests, such as conducting security audits, consulting tax consultants and lawyers, or engaging payment processors to process payment transactions.

Purchasers and third parties in connection with a business transaction: Personal information may be disclosed to third parties in connection with a Carrot-related transaction, such as a merger, sale of Carrot assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by a third party, or in the event of a bankruptcy or related or similar proceedings.

Law enforcement: In the event that we receive a request for personal information from law enforcement, we will follow three basic principles to protect your privacy: 

  • To the extent permitted by applicable law or regulatory authority, we will promptly notify you of any such request. 
  • We will not share any personal information with law enforcement unless we are required to do so under a valid and legally binding request (e.g., subpoena, court order) specifying the data that is sought.
  • Even then, we will only share the bare minimum necessary to comply with that request and will never provide information beyond the scope of that request.

Payments provider: We may use third-party payment services to process payments made through the Service. If you wish to make a payment through the Service, for example by using the Carrot Card, your payment information may be collected by a third-party payment service provider, such as Stripe Inc., and not by us, and thus will be subject to the third party’s privacy notice (https://stripe.com/gb/privacy) rather than this Privacy Notice.

Care providers: If you request a self-referral to a care provider, including without limitation fertility clinics, third-party assisted reproduction agencies, or assisted reproduction attorneys, we may share your personal information with those care providers, as indicated at the time of your request.


10. YOUR RIGHTS WITH RESPECT TO YOUR INFORMATION

In addition to the ways in which you can manage the use of your information as outlined in section 7 above, in respect of your personal information that we hold, you may exercise the rights granted to you under applicable data protection laws, which may include:

  • Right to Object. The right to object, on grounds relating to your particular situation, to the processing of your personal information which is carried out in the public interest or in our legitimate interests, and to object to processing of your personal information for direct marketing purposes.
  • Right of access. The right to obtain access to your personal information along with certain related information;
  • Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete;
  • Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed;
  • Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information;
  • Right to data portability. The right to receive your personal information in a commonly used format and to have your personal information ported to another data controller; and
  • Right to withdraw consent. If you have provided consent for the processing of your personal information, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information before your withdrawal.


If you wish to exercise one of these rights, contact us at data-requests@get-carrot.com.

Right to lodge a complaint. You may have the right to lodge a complaint with the applicable data protection authority in your jurisdiction, if you consider that a processing of your personal data infringes the applicable data protection laws. If you are an EU resident, further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. However, we encourage you to first reach out to us by using the contact details set out at section 13 below so that we have an opportunity to address your concerns directly and find a solution together before you lodge a complaint.

11. LINKS TO OTHER WEB SITES AND SERVICES

The Service may contain links to and from third party websites of our business partners, advertisers, and social media sites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. We may also share a user ID with third-party websites allowing us and the third-party website provider to jointly track specified activities across both websites. We strongly recommend that you read their privacy policies and terms and conditions of use to understand how they collect, use, and share information. We are not responsible for the privacy practices or the content on the websites of third party sites.

12. CHILDREN’S PRIVACY

Carrot does not knowingly collect or solicit any information from anyone under the age of 18 on this Service. In the event that we learn that we have inadvertently collected personal information from a child under age 18, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 18, please contact us using the contact details set out at the end of this Privacy Notice. We encourage parents and guardians to spend time online with their children and to participate and monitor the interactive activities of their children.

13. HOW TO CONTACT US

If you have any questions about this Privacy Notice or the website, please contact us at legal@get-carrot.com.

14. CHANGES TO OUR PRIVACY NOTICE

As a general practice, we plan to update this Privacy Notice once every six months. We may, however, update it more or less frequently, depending on operational and regulatory circumstances. Either way, if we have your email address, we will notify you of any material changes. We will update the ‘last modified’ date at the bottom of this page when we post changes to this Privacy Notice. If you object to any changes, you may close your account. Continuing to use our Service after we publish changes to this Privacy Notice means that you have read and understood the changes.

Effective date: September 29, 2023



ANNEX 1 – PERSONAL INFORMATION WE COLLECT

Contact and profile information. Personal information, such as your name, phone number, address, date of birth, and e-mail address, and your partner’s name, phone number, address, date of birth, and e-mail address, when you register for our Service, request a Carrot Card or any other product offered through the Service, or otherwise communicate or interact with us. 

How we use it:

  1. To create your account and to communicate with you directly about the Service.
     Legal basis for processing: The processing is necessary for the performance of a contract and to take steps prior to entering into a contract.
  2. To set up and send you a Carrot Card, or any other product offered through the Service as requested by you.
     Legal basis for processing: The processing is necessary for the performance of a contract and to take steps prior to entering into a contract.
  3. To communicate with you, including to answer any questions, issues, or concerns you have.
     Legal basis for processing: The processing is necessary for our legitimate interests, namely communicating with users in relation to the Service.
  4. To send you marketing communications in accordance with your preferences.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  5. To better tailor the marketing communications that you receive.
     Legal basis for processing: The processing is necessary for our legitimate interests, namely to promote and advertise our products and services.
  6. To verify eligibility for services offered by third party partners and service providers.
     Legal basis for processing: The processing is necessary for performance of a contract and our legitimate interests, namely improving the member experience.


Data regarding your health and information about your sexual orientation. Sensitive information, such as your and your partner's gender identities, interest in various fertility health and family-forming options, any relevant diagnoses you may have received, and related health information. 

How we use it:

  1. To provide you with our Services, specifically, to recommend appropriate providers, clinics, agencies, and lawyers in order to help you determine the most appropriate treatments and services.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  2. To validate requests for reimbursement related to fertility treatments and other services, and to determine any taxes owed.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  3. To validate your eligibility for and use of the Carrot Card®, as applicable, including to validate your Carrot Card® transactions and, in some cases, to determine whether or not you are eligible for the Carrot Card® based on eligibility rules set by your employer.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  4. To send you relevant information and recommendations (such as learning material or contact details for appropriate providers and other professionals), and to support you with efficient and personalized guidance.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  5. To collect clinical outcomes data, through voluntary surveys we may send to you, in order to improve services and further our mission of bringing fertility care to all.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.
  6. To grant your partner access to your account to help you throughout your fertility health and family-forming journey.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.

Comments, chat and opinions. When you contact us directly, e.g., by email, phone, mail or by completing an online form or participating in online chat, we will record your comments and opinions. We will also record comments and opinions you express when responding to surveys we run. 

How we use it:

  1. To address your questions, issues and concerns and improve our products and services.
     Legal basis for processing: The processing is necessary for our legitimate interest, namely for communicating with users in relation to the Service.
  2. We may use your comments and opinions to determine products and services that may be of interest to you.
     Legal basis for processing: The processing is necessary for our legitimate interest, namely to enable us to tailor our product and service recommendations to you and your interests.
  3. We may use the personal details you provide to us via our public-facing online forms to analyze the results of our marketing efforts.
     Legal basis for processing: The processing is necessary for our legitimate interest, namely to analyze the use of our Service.
  4. To record audio and video calls for quality assurance purposes.
     Legal basis for processing: We will only process your personal information in this way to the extent you have given us consent to do so.

Expenses, payment and transaction information. Information such as your Employee ID, your receipts for fertility care and other services, whether you or your partner received the care, the date of your or your partner’s treatments, and your payment information, such as your credit card or bank account details. 

How we use it:

  1. To validate your treatment expenses and to determine any taxes owed.
     Legal basis for processing: The processing is necessary for our legitimate interests, namely verifying the validity of your expenses incurred for fertility care treatment.
  2. To arrange reimbursements from your employer.
     Legal basis for processing: The processing is necessary for the performance of a contract.
  3. To detect and prevent fraud.
     Legal basis for processing: The processing is necessary for our legitimate interests, namely the detection and prevention of fraud.
  4. To process any financial transactions when you purchase products available to you through the Service.
     Legal basis for processing: The processing is necessary for the performance of a contract.

Location Information. Information about your location. We may approximate your location based on your IP address. 


How we use it:

We use your location information to provide personalized content, to enhance your experience, to improve the effectiveness of our websites and mobile applications, and to analyze and evaluate our Service.

Legal basis for processing: The processing is necessary for our legitimate interest, namely to tailor our Service to the user and to improve our Service generally.

Information provided by social networks. When you interact with our Service through various social media networks, such as when you Like us on Facebook or when you follow Carrot or share Carrot content on Facebook, Twitter, Snapchat, LinkedIn, Instagram or other sites, we may receive information from those social networks including your profile information, picture, user ID associated with your social media account, friends list, and any other information you permit the social network to share with third parties. Records are kept until you delete your social media account.

How we use it:

We use this information to communicate or interact with you on the social network. The data we receive is dependent upon your privacy settings with the social network. You should always review, and if necessary, adjust your privacy settings on third party websites and social media networks and services before linking or connecting them to our website or Service.

Legal basis for processing: The processing is necessary for our legitimate interest, namely to communicate with individuals through social media.

Preferences. Preferences set for notifications, marketing communications and how our site is displayed. Records are deleted upon deactivation.

How we use it:

We use this information to personalize our Service to you and to better understand the interests and demographics of our users. For these purposes, we may combine this information with the information we collect from you directly.

Legal basis for processing: The processing is necessary for our legitimate interest, namely ensuring the user can view our site and receive correct marketing communications.

Information provided by third parties. We may receive information from third parties (1) from your employer, (2) that you have provided to those parties, or that has been collected through their services, or (3) that are otherwise able to provide it to us. This information may include sensitive information, such as health care claims history and health information.

How we use it:

We use this information to personalize our Service to you, to better understand the interests and demographics of our users, and to analyze and evaluate our Service. For these purposes, we may combine this information with the information we collect from you directly.

Legal basis for processing: The processing is necessary for our legitimate interest, namely to tailor our Service to the user and to improve our Service generally.

Information about fraudulent or criminal activity relating to your account.

How we use it:

We will use information about fraudulent or criminal activity relating to your use of our Service for the purposes of detecting and preventing fraud or abuse.

Legal basis for processing: The processing is necessary for our legitimate interest, namely the detection and prevention of fraud.

All personal information set out above.

How we use it:

We will use all the personal information we collect to operate, maintain and provide to you the features and functionality of the Service, to communicate with you, to monitor and improve our Service and business, and to help us develop new products and services.

Legal basis for processing: The processing is necessary for our legitimate interest, namely to provide and improve our Service and to develop new products and services.

ANNEX 2 – PERSONAL INFORMATION COLLECTED AUTOMATICALLY

Information about how you access the Service. For example, the site from which you came and the site to which you are going when you leave our website, how frequently you access the Service, whether you open emails or click the links contained in emails, whether you access the Service from multiple devices.

Information about how you use the Service. For example, the pages you visit, the links you click, the products you purchase, purchase information and your checkout process, your approximate IP location when you access or interact with our Service, and other similar actions.

Information about the computer, tablet, smartphone or other device you use. Such as your IP address, browser type, Internet service provider, platform type, device type/model/manufacturer, operating system, date and time stamp, a unique ID that allows us to uniquely identify your browser, mobile device or your account (including, for example, a persistent device identifier or an Ad ID), and other such information.

Analytics information. We may collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Service and to understand more about the demographics and behaviors of our users.

How we use the above categories of information. For all personal information listed in this annex, we, or the third party partners we use (see Annex 3), may use the data collected through tracking technologies to:

  • remember information so that you will not have to re-enter it during your visit or the next time you visit the site;
  • provide custom, personalized content and information;
  • provide and monitor the effectiveness of our Service;
  • perform analytics and detect usage patterns on our Service;
  • diagnose or fix technology problems;
  • detect or prevent fraud or other harmful activities; and
  • otherwise to plan for and enhance our service.


Legal basis for the processing: The processing is necessary for our legitimate interests, namely: to tailor our service to the user and to improve our service generally; to monitor and resolve issues; for marketing purposes; to communicate with users; to contact users; and for the detection and prevention of fraud.

ANNEX 3 – THIRD PARTY TRACKING TECHNOLOGIES

We will strive to update this list if or when we work with new partners which offer you a choice about the collection of your information, but as partners change and new technologies become available, this list is likely to change over time and may not always reflect our current partners.

Please consult the published privacy policies of the third-party tracking technologies for additional information on their privacy practices.

Third Party Tracking Technologies:

| Deployment | Application | Description |
| --- | --- | --- |
| Member Application | Datadog | Carrot’s application performance monitoring platform that powers metrics visualization and troubleshooting for the Engineering team. |
| Public-facing website | Demandbase | To advertise to Customer (i.e., business-to-business, or B2B) accounts across display networks, score and prioritize accounts, and gain visibility into which topics Customers are viewing and interested in. |
| Member Application | Domo | Carrot’s data visualization platform, which is managed by the Business Intelligence team to build reporting dashboards and generate data-based insight for non-technical teams. |
| Public-facing website, Member Application | Google Analytics / Ads | To serve ads to both prospective Carrot Members and Customers who visit Carrot’s public-facing website across their devices, as well as capture metrics on their engagement with specific web pages to generate insight on the success of marketing campaigns aimed at driving enrollment. Scheduled to be discontinued and removed from Member Application on Friday, October 13th. |
| Member Application | Heap | To capture insights on Members' use of and interaction within the Carrot Application to evaluate product engagement, generate aggregated Customer reports, and troubleshoot issues with Carrot’s support teams. |
| Public-facing website | Marketo | To capture prospective and existing Customer engagement across online and offline channels (e.g., events, content downloads.) Additionally, Marketo enables Carrot to score, segment, message, and perform data changes across Customer accounts / B2B records. |
| Public-facing website, Member Application | Matomo | To capture de-identified metrics on the engagement of prospective Carrot Members and Customers who visit Carrot’s public-facing website to generate insight into the success of marketing campaigns aimed at driving enrollment. In addition, Matomo captures de-identified metrics on current Carrot Members within the in-app experience to generate insight on the Member experience. |
| Public-facing website | Meta Pixel | To serve ads to prospective Carrot Customers who visit Carrot’s public-facing website across their devices, as well as capture metrics on their engagement with specific web pages to generate insight on the success of marketing campaigns aimed at driving enrollment. |
| Member Application | Microsoft Azure | Carrot’s cloud infrastructure platform provider that hosts the Carrot application and associated assets. |
| Public-facing website | MNTN | To track Customer conversions generated from TV ad-impressions. |
| Public-facing website, Member Application | OneTrust | To power Carrot’s consent management system needed to capture and honor individual’s cookie choices and preferences. |
| Public-facing website | Rampmetrics | To generate visibility into how Customer marketing campaigns affect the Sales pipeline through the collection of de-identified Customer activity (e.g., pages visited, forms filled, etc.) |
| Member Application | Sentry | Carrot’s application performance monitoring & error tracking platform that powers issue notification for the Engineering team. |
| Member Application | Snowflake | Carrot’s data warehouse, which stores Carrot data for analytics and reporting purposes. |
| Member Application | Sumo Logic | Carrot’s log management platform, which monitors the health and aggregates logs for the backend of the Carrot application. |
| Public-facing website | UserWay | To power digital accessibility for Carrot’s public-facing website visitors needed to comply with WCAG. |
| Public-facing website | Wistia | To power hosting and advanced analytics for Carrot-branded videos and podcasts. |
| Public-facing website | ZoomInfo | To track prospective Customer visits and interactions on Carrot public-facing website. |

ANNEX 4 – NOTICE TO RESIDENTS OF CERTAIN STATES

California 

Capitalized terms in this section have the meaning given to them under the California Privacy Rights Act (CPRA).

You have the following rights under the CPRA:

  • The right to delete Personal Information. You have the right to request that we delete your Personal Information. Once we have verified this request, we will delete this information unless certain exceptions apply.
  • The right to correct inaccurate information. You have the right to request that we correct your Personal Information if it is inaccurate. Once we have verified this request, we will use commercially reasonable efforts to correct this information unless certain exceptions apply.
  • The right to know categories and specific pieces of Personal Information. You have the right to know which Personal Information we collect, use, disclose, and/or Sell, as applicable.
  • The right to opt-out of the Sale or Sharing of Personal Information. You have the right to request to be opted-out from the Sale or Sharing of your Personal Information.
  • The right to limit the use and disclosure of Sensitive Personal Information. You have the right to direct us to limit use of your Sensitive Personal Information to what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, or for the performance of specifically enumerated Business Purposes.
  • The right of non-retaliation. We will not retaliate or discriminate against you for exercising any of these enumerated rights. 


If you wish to exercise any of these rights, contact us at data-requests@get-carrot.com.

Texas 

Individuals residing in Texas are afforded certain additional rights with respect to their personal data under the Texas Data Privacy and Security Act (“DPSA”). If you are a Texas resident, this section applies to you. 

Categories of personal data:
i. Personal identifiers – such as your name or email address.
ii. Geolocation – the state you reside in and/or receive care.
iii. Sensitive personal data – Information related to your health, diagnoses and related health data.
iv. Transactional information – related to your use of Services.

Purpose for use:
We process your personal data to make Services available to consumers pursuant to the terms of the Employer Agreement and as requested by the consumer. We also process your personal information to send you marketing communications in accordance with your preferences.

Categories of third-parties your personal data is shared with:
i. Carrot employees who assist you with your request.
ii. Your employer.
iii. Health care service providers.

DPSA Rights.

Subject to verification of your identity and other information that we may need to honor your request, all Texas consumers have the following rights:

(i) Right to know or confirm. You have the right to know and confirm whether we are processing your personal data and the right to access such data.

(ii) Right to portability. You have the right to receive a portable copy of your personal data in a readily usable format.

(iii) Right to correct. You have the right to request we correct inaccuracies in your personal data.

(iv) Right to delete. You have the right to request we delete your personal data.

(v) Right to opt-out. You have the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, profiling or processing of sensitive personal data.

Please contact us at the following email if you have questions or would like to exercise your rights: data-requests@get-carrot.com. We will respond to your request within the period of time required by Texas State law. You have the right to appeal any negative decision and we will identify what steps you can take to appeal the applicable decision.

Washington State

Consumers residing in Washington State are afforded certain rights with respect to their consumer health data under the My Health My Data Act (“MHMD”). If you are a Washington State resident, this section applies to you.

Categories of consumer health information collected and shared:
i. Individual health conditions, treatment and diagnosis.
ii. Reproductive or sexual health information.
iii. Prescribed medications and medications used.
iv. Location where the consumer has acquired or may receive health services/supplies.
v. Data that identifies a consumer seeking health care services.

Purpose for use:
Consumer health data is used to make Services available to consumers pursuant to the terms of the Employer Agreement and as requested by Users. This includes providing you with customer service and making referrals to providers.

Sources of consumer health data (by category):
i. Your Employer.
ii. From you.
iii. Health service providers.
iv. Adoption agencies/attorneys.

Categories of third-parties and affiliates consumer health information is shared with:
i. Your employer.
ii. Health care service providers.

MHMD Rights

Subject to verification of your identity and other information that we may need to honor your request, all Washington State consumers have the following rights:

(i) Right to know. You have the right to know and to confirm what categories of consumer health data you shared with us and to confirm the categories of third-parties and affiliates with whom such information is shared or sold.

(ii) Right to withdraw consent. You have the right to withdraw your consent to our processing your consumer health data.

(iii) Right to Delete. You have a right to request we delete your consumer health data.

Please contact us at the following email if you have questions or would like to exercise your rights: data-requests@get-carrot.com. We will respond to your request within the period of time required by applicable law. You have the right to appeal any negative decision and we will identify what steps you can take to appeal the applicable decision.


ANNEX 5 – NOTICE TO RESIDENTS OF CERTAIN NON-U.S. JURISDICTIONS

European Union, United Kingdom, Switzerland

Pursuant to applicable data protection legislation, you have the following data subject rights:

·  The right to access the personal data that we maintain about you;

·  The right to require us to correct your personal data;

·  The right to the erasure of your personal data;

·  The right to request that we stop processing your personal data;

·  The right to not provide or to withdraw your consent at any time;

·  The right to suspend the processing of your personal data;

·  The right to transfer your personal data to yourself or to a third-party; and

·  The right to not be subject to decisions based solely on automated decision making.

Additional Notice for U.K. Job Applicants

Carrot collects and processes personal data from job applicants (“Candidates”) for the purposes of managing our recruitment process, including assessing your qualifications with respect to your application and to decide whether to enter into an employment relationship with you. This may include your name, contact details, CV, employment history, educational background, references, and any other information that you provide to us during the recruitment process, or that we receive from a recruitment agency, background check provider (to the extent permitted by applicable law) or other third party. We may also collect sensitive personal data if voluntarily provided by you, such as information relating to ethnic origin or disabilities for equal opportunities monitoring.

The legal basis for this processing is our legitimate interest in hiring qualified individuals and, where applicable, compliance with legal obligations. All Candidate personal data will be stored securely and will only be accessible by authorized personnel involved in the recruitment process. We may share your personal data with third-party service providers who assist us in the recruitment process, subject to appropriate data processing agreements or analogous contractual provisions.

Carrot will retain personal data of Candidates for as long as necessary to comply with our legitimate interests, which may include (among other purposes), reviewing applications that have previously been denied, and for the length of time necessary to comply with applicable law.


You can also file a complaint with the applicable local authority. When you consent to our processing your personal data for a specified purpose, you may withdraw your consent at any time, and we will stop any further processing of your data for that purpose.

Please contact us at the following email if you would like to exercise your rights: data-requests@get-carrot.com. PLEASE NOTE: ALL REQUESTS ARE SUBJECT TO VERIFICATION OF YOUR IDENTITY. WE WILL RESPOND TO REQUESTS WITHIN THE TIME PERIOD REQUIRED BY APPLICABLE LAW.

Canada 

Residents of Canada have the following rights:

  • The right to correct your personal information;
  • The right to delete your personal information that is no longer needed to provide you with Services;
  • The right to obtain a copy of the personal information we have processed; and
  • The right to confirm what personal information we have about you.

Opting Out of Third-Party Advertising

You may be able to take advantage of the tool developed by the Digital Advertising Alliance of Canada to opt out of third-party advertising. Where available, this tool provides a list of parties that may target advertisements based on your online web-browsing activities and the ability to opt-out of their use of your information for that purpose. Please click the following link to access the tool: https://youradchoices.ca/.

Please contact us at the following email if you have questions or would like to exercise your rights: data-requests@get-carrot.com. PLEASE NOTE: ALL REQUESTS ARE SUBJECT TO VERIFICATION OF YOUR IDENTITY. WE WILL RESPOND TO REQUESTS WITHIN THE TIME PERIOD REQUIRED BY APPLICABLE LAW.

China

The personal information that you provide or that is collected by us is controlled by Carrot Fertility, Inc. This supplemental notice applies to Users located in the People’s Republic of China. We will abide by the following principles with respect to your personal information: legality, legitimacy, necessity, good faith, transparency, responsibility, and reasonableness.

Personal information and sensitive personal information

Personal information refers to various information related to identified or identifiable natural persons recorded electronically or otherwise, excluding anonymized information. Sensitive personal information refers to personal information that, once leaked or illegally used, may easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and personal information of minors under the age of fourteen.

Legal Bases. Please see the following for more details related to why we process your information:

| Information Category | Example | Rationale |
| --- | --- | --- |
| Personal Identifiers | Name, alias, postal address, online identifier, IP address, email address, account name, driver’s license. | To verify that you are eligible to access and use Services. |
| Sensitive Information | Age, race, color, ancestry, national origin, creed, religion, marital status, gender identity, medical conditions and veteran or military status. | To provide the requested Services and to honor our contractual obligations with your Employer. |
| Financial information | Records related to how you use Services and transactions made with your Carrot Card®. | To process payments for the requested Services. |

Retention. The personal information we generate, collect and obtain during our operations within the territory of the People’s Republic of China will be stored overseas. Unless otherwise stipulated by applicable law, we will only store your personal information for the shortest time necessary to achieve the purpose of processing. 

Cross-border transfers of personal information and protection. We transfer personal information overseas in accordance with the requirements set forth in applicable law and as needed to fulfill our legal obligations with your Employer. We use commercially reasonable measures to protect the confidentiality and safety of your personal information.

Your rights. You have the following rights:

·  You have the right to review and copy your personal information, unless otherwise stipulated by laws and administrative regulations;

·  You have the right to correct inaccuracies associated with your personal information;

·  You have the right to change the scope of your consent and/or withdraw consent; 

·  You have the right to portability with respect to your personal information;

·  You have the right to request an interpretation of this Privacy Notice from us; and

·  You have the right to object to the use of automatic decision-making.

·  You have the right to ask us to delete your personal information under the following circumstances:

·  The purpose of processing has been achieved, cannot be achieved, or is no longer necessary to achieve the purpose of processing;

·  We stop providing relevant Services;

·  You withdraw your consent;

·  We process your personal information in violation of laws, administrative regulations, or agreements; and

·  Other circumstances stipulated by laws and administrative regulations.

We do not charge a separate fee for you to exercise your rights. However, for repeated requests that exceed reasonable limits, we reserve the right to charge a separate fee. We have the right to refuse requests that are unreasonably repetitive, require excessive technical means, pose risks to the legitimate rights and interests of others, or are impractical.

Please contact us at the following email if you have questions or would like to exercise your rights: data-requests@get-carrot.com. PLEASE NOTE: ALL REQUESTS ARE SUBJECT TO VERIFICATION OF YOUR IDENTITY. WE WILL RESPOND TO REQUESTS WITHIN THE TIME PERIOD REQUIRED BY APPLICABLE LAW. UNLESS THERE ARE SPECIAL CIRCUMSTANCES, WE WILL ACCEPT AND PROCESS YOUR COMPLAINTS AND REPORTS WITHIN 30 DAYS.

Philippines

With respect to any questions or requests that you have related to personal information provided to Carrot, please contact our Data Protection Officer at legal@get-carrot.com.