Privacy Notice
Last Updated: 04/10/2024
This privacy notice describes the privacy practices of Cleo Labs, Inc. (collectively, “Cleo”, “we”, “us”, “our”) in connection with the https://hicleo.com/ website, as well as associated products and services, including, without limitation, mobile applications, and participate in coaching or guidance services developed by the Company (collectively, the “Service”), in connection with our marketing activities, social media pages, our live events, and as otherwise described in this Privacy Notice. In addition, this Privacy Notice describes your rights and choices concerning the personal information we collect. When required under applicable law, we will notify you of any changes to this Notice by posting an update on our Privacy Notice web page or in another appropriate manner. Your continued use of the Services after any changes in this Privacy Notice will constitute your consent to such change(s).
Table of Contents
- Personal Data We Collect
- Use of Personal Data
- Sharing of Personal Data
- Security and Retention
- Children’s Privacy
- Telephone Consumer Protection Act
- Supplemental Terms for California Residents
- Supplemental Information for the EEA
- Contact Information
Personal Data We Collect
Information that you provide to us. Personal information you may provide to us through the Service or otherwise which may include the following categories of information:
- Business and personal contact information, including your full name, email address, mailing address, telephone number, job title, and company name.
- Profile information, such as your username, and password that you may set to establish an account with us.
- Registration information, such as information that may be related to signing up for our service or an event you register for.
- Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us online.
- Usage information, such as family planning and other health information that you share with us when using, signing up for, or requesting more information about the Services, including, but not limited to demographic information, such as gender and birth date
Information we obtain from social media platforms. We may maintain promotional pages and provide our Services via social media platforms, including Slack, Instagram, Twitter, LinkedIn, and other third-party platforms. When you visit or interact with our Company on those platforms, the provider’s Privacy Notice will apply to your interactions and their collection, use, and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Notice. Providing health information or other sensitive personal information on these platforms is not recommended and as such we ask that you do not share this with us on social media.
Information We Get From Your Cleo Benefit Sponsor. We may receive information from your Cleo Benefit Sponsor (typically your employer or health plan) to enable us to confirm you, your dependents, or your household member(s)’ eligibility for Cleo, to contact you to inform you of the availability of the Cleo benefit and to help us measure the effectiveness of Cleo. Your Cleo Benefit Sponsor may also partner with third-party leave administrators to manage your personal information to help determine your eligibility for certain employee benefits. We may also receive information from these third-party leave administrators to enable us to confirm you, your dependents, or your household member(s)’ eligibility for Cleo, to contact you to inform you of the availability of the Cleo benefit, and to help us measure the effectiveness of Cleo.
Information we obtain from other third parties. We may get information about you from other sources. We may add this to the information we get from this Site and through our Services. For example, you may also be able to access your Cleo account by signing on through various sites such as Google. Your participation in the services provided on these platforms is voluntary. If you choose to sign on using this service, Cleo will collect certain information from your account that could include your public profile, user name, email address, birthday, stated location, city, contact lists, and other interactions on that platform (such as interests and likes). The information we may have access to will vary by platform and is controlled by privacy settings on that platform and your choices on that platform. Your use of services on third-party platforms is governed by the privacy statement and other terms of use for that third-party platform until such information is shared with us, and such information is also subject to this Policy.
Automatic Data Collection. We, and our service providers may automatically log information about you, your computer or mobile device, and your interaction with the Service, our communications, and other online services such as:
- Device data, such as IP address, operating system type, browser type, browser language, the website you visited before browsing our Site, pages you viewed, how long you spent on a page, access times, and information about your use of and actions on our Site or in the Company’s mobile applications. This type of information is routinely collected to ensure the IT security and the operation of our systems to prevent or detect misuse such as fraud and other malicious actions.
Cookies and other technologies. To enhance your online experience, we use “cookies.” Cookies are small text files placed by the website in your computer’s browser to make a user’s experience more efficient. Cookies, by themselves, do not tell us your e-mail address or other personal information. However, once you choose to furnish the website with information, this information may be linked to the data stored in the cookie. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our website. Other tools we may use to collect information by automated means include web server logs, web beacons, and pixels.
We use cookies to understand internet usage, enhance the performance of the Site, and activate special web features and security mechanisms. In addition, we may use cookies to offer you the Services.
You always have the option of setting your browser to warn you when a cookie is being accessed on your computer, to delete cookies currently on your computer, or to decline cookies altogether. However, to take full advantage of the Site and the Services, your browser will need to accept cookies.
Cleo stores cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission. Cleo uses different types of cookies which are listed below. Some cookies are placed by third parties.
We use the following categories on our websites and other web-based online services:
- Strictly Necessary Cookies: These cookies are necessary to enable you to browse around our website and use its features.
- Analytics Cookies: These cookies collect information about how you use our website. This data may be used to help our teams optimize our websites and make them easier for you to navigate.
- Functional Cookies: These cookies allow our website to remember the choices you make while browsing. They may also be used to keep track of what featured pages or videos have been viewed to avoid repetition.
- Targeting Cookies: These cookies allow us to know if you viewed relevant Cleo content on third-party sites and/or if you then visited the Cleo website based on that advertisement. These cookies may also be used to determine how an ad performed or provide us with information about how you interact with our ads
California Do Not Track Disclosure. We currently do not support the Do Not Track browser setting or respond to Do Not Track signals. Do Not Track (or DNT) is a preference you can set in your browser to let the websites you visit know that you do not want them collecting certain information about you. For more details about Do Not Track, including how to enable or disable this preference, visit http://www.allaboutdnt.com.
If you choose to interact on the Site or through the Services (such as by registering, using our Services, completing questionnaires, surveys, service contacts, or requests for information) Cleo will collect the personal information that you provide. We may collect personal information about you that you provide through telephone, email, or other communications. If you provide us with personal information regarding another individual, we will assume that you have that person’s consent to give us their personal information. Providing personal information about another individual without their consent could be viewed as a data privacy violation and could subject you to sanctions.
Use of Personal Data
Recipients. Cleo is a US company and has service providers in the United States and other countries. Your personal information may be collected, used, and stored in the United States or other locations outside of your home country. Data protection laws in the locations where we handle your personal information may not be as protective as the data protection laws in your home country. When our partners or service providers process personal data, they do so only based on binding agreements in which they agree to comply with strict contractual obligations to protect your data (including, but not limited to, compliance with this Privacy Notice.
At times, we may work with a contracted third party to support the delivery of our Services or to deliver Services to you directly.
Please keep in mind that certain features on the Services may allow you to interact with us and others. These may include forums, message boards, chats, creating community profiles, rating, tagging, and commenting on articles. When you use these features, you should be aware that any information you submit, including your name, location, health issues, and email address, may be available to others.
Whenever you voluntarily disclose anyone’s personal information on publicly viewable web pages, that information can be collected and used by others. For example, if you post your email address, you may receive unsolicited messages. We cannot control who reads your post or what other users may do with the information that you voluntarily post, so we encourage you to exercise discretion and caution concerning the information you disclose through these interactive features. When an individual chooses to post information that will be publicly disclosed, he or she is responsible for all legal consequences. We are not responsible under any data protection laws for information that you voluntarily post on a site that can be accessed by others, including non-Cleo personnel.
Use of Information Collected. Subject to this Privacy Notice, the Terms of Use, and applicable terms and conditions of third-party applications, all data transmitted through the Services is controlled by Cleo with the exception of personal health data which you retain ownership of and those rights you may have as a resident of the European Union and/or United Kingdom. However, unless you explicitly agree to our Terms of Service and opt-in during the registration process, you may not transmit any data to Cleo. Generally, we may use information in the following ways and as otherwise described in this Privacy Notice:
- To provide the Services and personalize your experience. We use information about you to provide the Services to you, including to:
- help establish and verify the identity and eligibility of users, including verifying your eligibility through your Cleo Benefit Sponsor (usually your employer);
- for the purposes for which you specifically provided it including, without limitation, to enable us to process and fulfill your Account, provide the Services or other requests;
- enable communication with experts (Cleo Specialists);
- to send you information about your relationship or transactions with us;
- to otherwise contact you with information that we believe will be of interest to you, including marketing and promotional communications;
- to enhance or develop features, products, and Services;
- to allow us to personalize the content that you and others see on the Services;
- to create aggregated and other anonymous data by removing information that makes the data personally identifiable, which we may provide to advertisers and other third parties or use for other lawful business purposes; and/or
- to allow other select companies to send you promotional materials about their products and services.
- For research and development: We are always looking for ways to make our Services smarter, secure, integrated, and useful to you. We use collective learnings about how people use our Services and feedback provided to us to troubleshoot and to identify trends, usage, activity patterns, and areas for integration and improvement of the Services; to analyze and improve our Site and/or Services (including developing new products and services); improving safety; managing our communications; analyzing our products; performing market research; for peer-reviewed and non-peer-reviewed clinical research; and performing data analytics. For example, we use information collected about how users engage with our micro-sites to design a better, more user-friendly user experience. In some cases, we may apply these learnings across all our Services to improve and develop similar features or to better integrate the Services you use. We also test and analyze certain new products, workflows, and user experiences with some users before rolling them out to all users.
- To communicate with you about the Services:
- We use your contact information to send transactional communications via email, SMS text messages, and within the Services, including sending you reminders, responding to your comments, questions, and requests, providing customer support, soliciting outcomes and feedback, and sending you technical notices, updates, security alerts, and administrative messages.
- Depending on your settings, we may send you email notifications when you or others interact on the Services, for example, when you are sent a message from your Cleo Guide through our Services.
- We may also provide tailored communications based on your activity and interactions with us. For example, certain actions you take in the Services may automatically trigger a feature or third-party app suggestion within the Services. These communications are part of the Services and in most cases, you cannot opt out of them as they are an integral part of our Services. If an opt-out is available, you will find that option within the communication itself or in your account settings.
- To market, promote, and drive engagement with the Services:
- We may use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email. These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, products and services offered by us or our selected partners, survey and beta testing requests, and articles we think may be of interest to you. You can control whether you receive these communications within the communication itself or in your account settings.
- For customer support: We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.
- To coordinate with a Cleo Expert/Specialist: Where you permit us to do so, we share your information with a Cleo Specialist to respond to support-related requests.
- To comply with law. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal processes, such as to respond to subpoenas, investigations, or requests from government authorities and to defend and enforce legal claims as may be necessary.
- For compliance, fraud prevention, and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to (a) protect our, your or others’ rights, privacy, safety, or property (including by making and defending legal claims); (b) audit our internal processes for compliance with legal and contractual requirements or our internal policies; (c) enforce the terms and conditions that govern the Service; and (d) protect, identify, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
- With your consent: We use information about you where you have given us consent to do so for a specific purpose not listed above.
Sharing of Personal Data
We may share your personal information with the following third parties and as otherwise described in this Privacy Notice, in other applicable notices, or at the time of collection:
Affiliates. We may share your personal information with affiliated companies and businesses for purposes consistent with this Privacy Notice.
Service Providers. We may use other companies to perform services including, without limitation, facilitating some aspects of our Services such as sending emails, text messages, and push notifications, providing scheduling functionality and updates, and fulfilling data reporting and/or requests. These other companies may be supplied with or have access to your personal information solely to provide these services to you on our behalf. Such service providers shall be bound by appropriate confidentiality and security obligations, which may include, as applicable, business associate contract obligations.
Business Partners. When you make purchases or engage in promotions offered through our Services, we may share personal information with the businesses with which we partner to offer you those products, services, and promotions. When you accept a particular business partner’s offer, you authorize us to provide your information to that business partner;
With your Cleo Family Benefit Sponsor (employer or health plan): We may share your enrollment status as a user of the Services, including your name, employee ID, and enrollment date, with your Cleo Family Benefit Sponsor to administer our contractual obligations and/or your Sponsor’s tax or other administrative reporting purposes;
Cleo Specialists. Subject to receipt of your express consent, we may share your personal information with Cleo’s Specialists and coaches enlisted to provide the Services..
Security and Retention
We maintain appropriate security procedures and technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, disclosure, alteration, or use. We have put in place procedures to deal with any suspected Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your personal data will be generally retained as long as necessary to fulfill the purposes for which we collected the personal data. Once you and/or your company have terminated the contractual relationship with us or otherwise ended your relationship with us, we may retain your personal data in our systems and records to ensure adequate fulfillment of surviving provisions in terminated contracts or for other legitimate business purposes, such as to evidence our business practices and contractual obligations, to provide you with information about our products and services, or to comply with applicable legal, tax, or accounting requirements. When we have no ongoing legitimate business need nor lawful legal ground to process your personal data, we will delete, anonymize, or aggregate it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. If you want to know more about retention periods applicable to your particular circumstance, please contact us using the details provided in the Contact Information section below.
Children’s Privacy
Our Sites and Services are not directed to children under the age of 18 and we do not knowingly enroll or collect information directly from children. If you seek Services for a minor, you will be responsible for providing information related to the minor and for paying for Services requested for the minor. If you are a parent or guardian of a minor child and believe that the child has disclosed online personal data to us, please contact us using the details provided in the Contact Information section below.
Telephone Consumer Protection Act
We may provide you with notices, including those related to your enrollment or use of the Services, by SMS, MMS, text message, or other reasonable means now known or hereinafter developed. We will provide notice and request consent to receiving text messages at the point of collection for mobile phone numbers. By providing Cleo with your telephone number, you consent to Cleo sending you text messages regarding your requested Services, such as a reminder about an upcoming appointment or for other non-telemarketing purposes, made by an automatic SMS, MMS, text message management system.
You understand that your cellular or mobile phone provider may not guarantee encryption of SMS messages that are stored on your behalf. By using the Services you accept the risk that some PHI could be intercepted by someone else targeting your SMS communications or seen by individuals who have access to your mobile device.
By providing the telephone number(s) you provide, you represent to Cleo that such telephone number(s) is your contact number and you are permitted to receive communications to that telephone number. You understand that providing a phone number that is not your own may be a violation of law and may expose you to legal penalties.
You understand that you may be subject to charges from your cellular or mobile phone service provider to receive SMS, MMS, and text messages from us, and all such charges will be solely your responsibility. You may opt out of receiving text messages from us at any time by texting “STOP” to an automated text you have received from us; however, you may receive future texts from us for account and identity verification purposes.
Supplemental Terms for California Residents
This privacy notice describes the personal information we collect or process about California residents in connection with the Site or the Services, how we use, share, and protect that personal information, and what your rights are concerning personal information that we collect or process.
In this section, “personal information” has the same meaning as under the California Consumer Privacy Act (CCPA), California Civil Code Section 1798.83: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include information that has been de-identified or aggregated or information that is considered “PHI” under HIPAA or medical information protected under California’s Medical Information Act.
Personal Information We Collect and Share, and For What Purpose: In the past 12 months, we have collected and shared personal information from visitors in the following circumstances when they interact with the Site or the Services, as described in detail above:
- Information You Give to Us
- Information We Get From Your Cleo Benefit Sponsor
- Information We Get From Others
- Information Automatically Collected
- Cookies
As described in detail above, we use your personal information for a variety of purposes to operate, assess activity on, and improve the performance of the Site, including the following:
- To provide the Services and personalize your experience
- For research and development
- To communicate with you about the Services
- To market, promote, and drive engagement with the Services
- For Customer support
- For safety and security
- To protect our legitimate business interests and legal rights
Except as described in detail above, we will not share with third parties information about you without your consent.
We do not share your personal information with third parties for third party marketing purposes.
Your Rights as a California Resident: Under California law, users who are California residents have specific rights regarding their personal information. These rights are subject to certain exceptions described below. When required, we will respond to most requests within 45 days unless it is reasonably necessary to extend the response time.
Right to Disclosure of Information: You have the right to request that we disclose certain information regarding our practices with respect to personal information. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction:
- The categories of personal information we have collected about you in the last 12 months.
- The categories of sources for the personal information we have collected about you in the last 12 months.
- Our business or commercial purpose for collecting that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you.
- If we disclosed your personal information to a third party for a business purpose, a list of the personal information types that each category of recipient received.
Right to Delete Personal Information: You have the right to request that we delete any of your personal information collected from you and retained, subject to certain exceptions. Upon receiving a verified request to delete your personal information, we will do so unless otherwise authorized by law.
How to Exercise these Rights: You may submit a verifiable consumer request to us for disclosure or deletion of personal information by emailing us. We will respond to verifiable requests for disclosure or deletion of personal information free of charge, within 10 days of receipt.
In order to protect your privacy and the security of your information, we verify consumer requests by matching personal information that you provide with information in our possession, in order to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.
You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us. Alternatively, an authorized agent that has been provided power of attorney under Probate Code sections 4000-4465 may submit a request on your behalf.
Right to Opt Out of Sale of Your Personal Information: We do not sell your personal information.
Right to Non-Discrimination: You have the right not to be discriminated against for the exercise of your California privacy rights described above.
Supplemental Information for the EEA
The information provided in this Notice applies only to individuals in the European Economic Area, and the United Kingdom (collectively, “Europe”).
Data Controller. Cleo Labs is the controller of your personal information covered by this Privacy Notice for purposes of European data protection legislation.
a. Legal Basis for Processing: We are legally obligated to provide certain information to criminal prosecution or tax authorities in individual cases upon request. In these cases, the legal basis for the processing is either legal requirements or reasons of public interest in accordance with Article 6 of the GDPR.
b. Your Data Protection Rights: Under applicable data protection laws, you may exercise certain rights regarding your personal data.
- Right to withdraw your consent: You have the right to withdraw your consent at any time for no reason. Such withdrawal is only valid for the future. Any processing that took place before the withdrawal remains unaffected.
- Right to access. You have the right to request Our Company for copies of your personal data, in particular, you can request more detailed information about the purposes of processing your personal data, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the retention period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
- Right to rectification. You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to correct or complete information you believe is incorrect or incomplete.
- Right to erasure. You have the right to request that our Company erase your personal data, under certain conditions, e.g. if the processing of your personal data is not (any longer) required by us to prove compliance with a legal or contractual obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims.
- Right to restrict processing. You have the right to request that our Company restrict the processing of your personal data, under certain conditions. You may request that your data be blocked, e.g. because you believe the data is inaccurate or the processing is unlawful, but you object to its erasure because you need it to assert, exercise or defend legal claims or you have objected to the processing.
- Right to lodge a complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint if you believe that processing of your personal data is unlawful, with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred.
- Right to object processing. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of legitimate interests. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of establishment, exercise or defense of legal claims. You also have the right to object at any time to the processing of your Personal Data for the purpose of direct marketing, including any subscription to our newsletters or personalized ads; this also applies to Profiling, insofar as it is associated with such direct marketing. If you object, we will no longer process your Personal Data in the future, informally by sending an email to: [email protected] or by using the unsubscribe link in our commercial communication.
- Right to data portability. You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions. If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us using the details in the Contact Information section below
c. International Transfers of Personal Data:
-
- Processing Data outside the EEA. Cleo is a US company with servers in the US and other countries that are considered “Third Countries” under the GDPR, which do not offer the same level of protection to your personal data as in the EU. When personal data is processed in the U.S., there is a particular risk that U.S. authorities may gain access to your personal data and you may not be granted effective legal protection against any such access in the U.S. Cleo Labs complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Cleo Labs has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov
- Dispute Resolution: Cleo may also share your personal data with our employees, partners, contractors, experts or coaches who may be based outside of the EEA, and so their processing of your personal data will involve a transfer of data outside the EEA, and such transfers are not requested directly by you for the services, but initiated by us, we will rely on adequacy determinations and/or be based on the European Commission’s approved Standard Contractual Clauses.
- As required under the EU-U.S. DPF, if we receive personal data subject to our certification and then transfer it to a third party service provider that performs services on Cleo’s behalf, we have certain liability under the EU-U.S. DPF if both (i) the service provider processes the personal data in a manner inconsistent with the DPF and (ii) we are responsible for the event giving rise to the damage. In compliance with the EU-U.S. DPF, Cleo commits to resolve complaints about our collection or use of your personal information. If you are a resident of a European country participating in the EU-U.S. DPF with inquiries or complaints regarding our EU-U.S. DPF practices, you should first contact Cleo by email at [email protected], or by mail at the address listed below in the How to Contact Us section, and we will work with you to resolve your issue.
- If you have an inquiry or complaint that we have not addressed to your satisfaction, you may seek further assistance, at no cost to you, from the American Arbitration Association (AAA) and the International Centre for Dispute Resolution (ICDR). These services are provided at no cost to you. A binding arbitration option may also be available to you in order to address residual complaints not resolved by any other means. The Federal Trade Commission has jurisdiction over Cleo’s compliance with the EU-US Data Privacy Framework (EU-U.S. DPF). In compliance with the EU-U.S. DPF, Cleo Labs commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF in the context of the employment relationship.
Contact Information
For questions relating to this Privacy Notice, please write to [email protected] or to:
Cleo Labs, Inc.
Attn: Legal Department
548 Market Street
PMB 46800
San Francisco, California 94104-5401
EU Legal Representative:
HYAZINTH PartmbB
Potsdamer Platz 11
10785 Berlin (Germany)
EU DPO:
HYAZINTH Consulting for Tech UG (haftungsbeschränkt)
Potsdamer Platz 11
10785 Berlin (Germany)
https://hdrcontrol.de/
UK Legal Representative:
Clientside Law Limited
20-21 Jockey’s Fields
London, England, WC1R 4BW