Cleo family benefits service privacy policy

Below is the Cleo Privacy Notice dated prior to 04/10/2024. Please visit this page for the most up-to-date privacy notice.

This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your personal information.


This privacy policy (“Policy”) describes how Cleo Labs, Inc. (“Company”, “Cleo”, “we”, “us”) collects, uses, and shares personal information of consumer users of this website, (the “Site”), as well as associated products and services, including, without limitation, mobile applications, and participate in coaching or guidance services developed by the Company (together, the “Services”), and applies to customer information that we collect through the Site and our Services as well as information you provide to us directly. This Policy also applies to any of our other websites or mobile applications that post this Policy. This Policy does not apply to websites that post different statements, such as third-party websites that may be accessible through hyperlinks on this Site or Services. Please note that by using the Site or the Services, you accept the practices and policies described in this Policy and you consent that we will collect, use, and share your information as described below. If you do not agree to this Policy, please do not use the Site or Services.

This Policy is effective as of March 10, 2022.


We are Cleo Labs, Inc., a Delaware corporation, with a headquarter in California in the United States. Our mailing address is: 548 Market Street, PMB 46800, San Francisco, California 94104-5401

Our Legal Representative in the EU is:
HYAZINTH Consulting for Tech UG (haftungsbeschränkt), Potsdamer Platz 11, 10785 Berlin (Germany)

Our Legal Representative in the UK is:
Clientside Law Limited, 20-21 Jockey’s Fields, London, England, WC1R 4BW

If you believe that Cleo may have violated your privacy rights, you should contact us at the mailing address provided above or via e-mail at [email protected].


We collect information about you in a number of ways.
Information You Give to Us. We collect information that you provide to us, which may include the following categories of information depending on how you use our Services:

  • Information that identifies you, such as your full name, email address, mailing address, telephone number, username, and password
  • Work information such as the identity of your employer or your job title
  • Family planning and other health information that you share with us when using, signing up for, or requesting more information about the Services, including, but not limited to demographic information, such as gender and birth date

If you provide health information or other sensitive personal information to us, you consent to our use of this information as described in this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information to us.

By providing us with an email address, you consent to receiving information from us by email to that address.

Information We Get From Your Cleo Benefit Sponsor. We may receive information from your Cleo Benefit Sponsor (typically your employer or health plan) to enable us to confirm you, your dependents, or your household member(s)’ eligibility for Cleo, to contact you in order to inform you of the availability of the Cleo benefit, and to help us measure the effectiveness of Cleo. Your Cleo Benefit Sponsor may also partner with third-party leave administrators to manage your personal information to help determine your eligibility for certain employee benefits. We may also receive information from these third-party leave administrators to enable us to confirm you, your dependents, or your household member(s)’ eligibility for Cleo, to contact you in order to inform you of the availability of the Cleo benefit, and to help us measure the effectiveness of Cleo.

Information We Get From Others. We may get information about you from other sources. We may add this to information we get from this Site and through our Services. For example, you may also be able to access your Cleo account by signing on through various sites such as Google. Your participation with the services provided on these platforms is voluntary. If you choose to sign on using this service, Cleo will collect certain information from your account that could include your public profile, user name, email address, birthday, stated location city, contact lists, and other interactions on that platform (such as interests and likes). The information we may have access to will vary by platform and is controlled by privacy settings on that platform and your choices on that platform. Your use of services on third party platforms are governed by the privacy statement and other terms of use for that third party platform, until such information is shared with us, and then such information is also subject to this Policy.

Information Automatically Collected. We automatically log information about you and your computer, phone, tablet, or other devices you use to access the Site and Services. For example, when visiting our Site or when using the Company’s mobile applications, we log your computer or device identification, IP address, operating system type, browser type, browser language, the website you visited before browsing to our Site, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Site or in the Company’s mobile applications. This type of information is routinely collected by virtually any web enabled application or website. How much of this information we collect depends on the type and settings of the device you use to access the Site and Services.

Information We Get From Social Media. We may maintain promotional pages and provide our Services via social media platforms, such as Slack, Instagram, Twitter, LinkedIn, and other third party platforms. When you visit or interact with our Company on those platforms, the platform provider’s privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.

To enhance your online experience, we use “cookies.” Cookies are small text files placed by the Sites in your computer’s browser to make a user’s experience more efficient. Cookies, by themselves, do not tell us your e-mail address or other personal information. However, once you choose to furnish the Site with information, this information may be linked to the data stored in the cookie. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our Site. Other similar tools we may use to collect information by automated means include web server logs, web beacons and pixels.

We use cookies to understand internet usage, enhance the performance of the Site, activate special web features and security mechanisms. In addition, we may use cookies to offer you the Services.

You always have the option of setting your browser to warn you when a cookie is being accessed on your computer, to delete cookies that are currently on your computer or to decline cookies altogether. However, to take full advantage of the Site and the Services, your browser will need to accept cookies.

Cleo stores cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. Cleo uses different types of cookies which are listed in the below table. Some cookies are placed by third parties.

We use the following categories on our websites and other web-based online services:

Strictly Necessary Cookies:
These cookies are necessary to enable you to browse around our website and use its features.

Analytics Cookies:
These cookies collect information about how you use our website. This data may be used in helping our teams optimize our websites and make them easier for you to navigate.

Functional Cookies:
These cookies allow our website to remember the choices you make while browsing. They may also be used to keep track of what featured pages or videos have been viewed to avoid repetition.

Advertising Cookies:
These cookies allow us to know if you viewed relevant Cleo content on third party sites and/or if you then visited the Cleo website based on that advertisement. These cookies may also be used to determine how an ad performed or provide us with information about how you interact with our ads

California Do Not Track Disclosure. We currently do not support the Do Not Track browser setting or respond to Do Not Track signals. Do Not Track (or DNT) is a preference you can set in your browser to let the websites you visit know that you do not want them collecting certain information about you. For more details about Do Not Track, including how to enable or disable this preference, visit

If you choose to interact on the Site or through the Services (such as by registering, using our Services, completing questionnaires, surveys, service contacts, or requests for information) Cleo will collect the personal information that you provide. We may collect personal information about you that you provide through telephone, email, or other communications. If you provide us with personal information regarding another individual, we will assume that you have that person’s consent to give us their personal information. Providing personal information about another individual without their consent could be viewed as a data privacy violation and could subject you to sanctions.


Recipients. We have service providers in the United States and other countries. Your personal information may be collected, used and stored in the United States or other locations outside of your home country. Data protection laws in the locations where we handle your personal information may not be as protective as the data protection laws in your home country.

At times, we may work with a contracted third party to support delivery of our Services or to deliver Services to you directly.

Please keep in mind that certain features on the Services may give you an opportunity to interact with us and others. These may include forums, message boards, chats, creating community profiles, and rating, tagging and commenting on articles. When you use these features, you should be aware that any information you submit, including your name, location, health issues, and email address, may be publicly available to others. We do not protect the privacy of and are not responsible for your disclosure of any information through these interactive features, including, but not limited to information that you might post related to a minor.

Whenever you voluntarily disclose anyone’s personal information on publicly viewable web pages, that information can be collected and used by others. For example, if you post your email address, you may receive unsolicited messages. We cannot control who reads your post or what other users may do with the information that you voluntarily post, so we encourage you to exercise discretion and caution with respect to information you choose to disclose through these interactive features. When an individual chooses to post information that will be publicly disclosed, he or she is responsible for all legal consequences. We are not responsible under any data protection laws for information that you voluntarily post on a site that can be accessed by others including non-Cleo personnel.

Use of Information Collected. Subject to this Privacy Policy, the Terms of Use, and applicable terms and conditions of third-party applications, all data transmitted through the Services is owned by Cleo with exception of personal health data which you retain ownership of and those rights you may have as a resident of the European Union and/or United Kingdom. However, unless you accept this Privacy Policy and our Terms of Use by opting in during the registration process, you may not transmit any data to Cleo. To the extent Cleo is precluded from owning data transmitted through the Services, you grant Cleo a perpetual, worldwide, royalty-free license to use such data to the extent necessary to enable the use of the Services that we provide to you. Generally, we may use information in the following ways and as otherwise described in this Privacy Policy:

  • To provide the Services and personalize your experience. We use information about you to provide the Services to you, including to:
    • help establish and verify the identity and eligibility of users, including verifying your eligibility through your Cleo Benefit Sponsor (usually your employer);
    • for the purposes for which you specifically provided it including, without limitation, to enable us to process and fulfill your Account, provide the Services or other requests;
    • to communicate with experts (Cleo Specialists);
    • to send you information about your relationship or transactions with us;
    • to otherwise contact you with information that we believe will be of interest to you, including marketing and promotional communications;
    • to enhance or develop features, products, and Services;
    • to allow us to personalize the content that you and others see on the Services;
    • to create aggregated and other anonymous data by removing information that makes the data personally identifiable, which we may provide to advertisers and other third parties or use for other lawful business purposes; and/or
    • to allow other select companies to send you promotional materials about their products and services.
  • For research and development: We are always looking for ways to make our Services smarter, secure, integrated and useful to you. We use collective learnings about how people use our Services and feedback provided to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the Services; to analyze and improve our Site and/or Services (including developing new products and services); improving safety; managing our communications; analyzing our products; performing market research; for peer-reviewed and non-peer-reviewed clinical research; and performing data analytics. For example, we use information collected about how users engage with our micro-sites to design a better, more user-friendly user experience. In some cases, we may apply these learnings across all our Services to improve and develop similar features or to better integrate the Services you use. We also test and analyze certain new products, workflows, and user experiences with some users before rolling them out to all users.
  • To communicate with you about the Services:
    • We use your contact information to send transactional communications via email, SMS text messages, and within the Services, including sending you reminders, responding to your comments, questions and requests, providing customer support, soliciting outcomes and feedback, and sending you technical notices, updates, security alerts, and administrative messages.
    • Depending on your settings, we may send you email notifications when you or others interact on the Services, for example, when you are sent a message from your Cleo Guide through our Services.
    • We may also provide tailored communications based on your activity and interactions with us. For example, certain actions you take in the Services may automatically trigger a feature or third-party app suggestion within the Services. These communications are part of the Services and in most cases you cannot opt out of them as they are an integral part of our Services. If an opt out is available, you will find that option within the communication itself or in your account settings.
  • To market, promote, and drive engagement with the Services: We may use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email. These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, products and services offered by us or our selected partners, survey and beta testing requests, and articles we think may be of interest to you. You can control whether you receive these communications within the communication itself or in your account settings.
  • For customer support: We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.
  • To coordinate with a Cleo Expert/Specialist: Where you give us permission to do so, we share your information with a Cleo Specialist for the purpose of responding to support-related requests.
  • For safety and security: We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity, identify violations of Service policies, authenticate, protect against, investigate, and deter fraudulent, unauthorized, or illegal activity.
  • To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, accounting, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
  • With your consent: We use information about you where you have given us consent to do so for a specific purpose not listed above.


We may combine all of the information that we collect with data obtained from third parties or through our products and Services. We may also collect and store information locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.

Cleo will take reasonable precautions to protect your information from loss, misuse or alteration. Please be aware, however, that any text, email or other transmission you send in an unencrypted manner cannot be completely protected against unauthorized interception. In particular, we want to make you aware that personal email may not be secure, and Cleo is not responsible for any unauthorized access to information when information is sent to your personal email. You are not required to authorize the use of email for this purpose, a decision not to consent or to opt out of receiving these emails will not restrict your ability to access the Services, and you can continue to receive other emails from Cleo, using our secure electronic communication system instead of your personal email.

We may also use aggregated or anonymous information (for example, statistics regarding use and metrics) for research purposes, for marketing and promotional purposes, and to develop new learning tools and solutions and we may share such information with third parties, including researchers and/or advertisers. We may also use IP addresses to analyze trends, administer the Services, track a Site visitor’s movement, and gather demographic information which we may combine with other aggregated or anonymous data for the uses described above.

You acknowledge that unless you request in writing otherwise, Cleo, in its sole discretion, has the right but not the obligation to store any information, whether it is Personal Identifiable Information or otherwise, perpetually, to the extent permitted by law. If you wish for any information about you to be removed from our database, please contact us through the contact information provided below in the “How to Contact Us” section of this Privacy Policy. We will not use your health-related information for any purpose other than to provide you with the Services and/or customer support services you request from us.


Personally Identifiable Information: We will not rent or sell your personally identifiable information to others without your consent, although we may share it with business partners for the purposes described above under “Use of Personal Information”, such as the provision and personalization of Services.

With your consent, we may share your information as follows:

  • With Affiliates: We may share your personal information with affiliated companies and businesses;
  • With Service Providers: We may use other companies to perform services including, without limitation, facilitating some aspects of our Services such as sending emails, text messages, and push notifications, providing scheduling functionality and updates, and fulfilling data reporting and/or requests. These other companies may be supplied with or have access to your personal information solely for the purpose of providing these services to you on our behalf. Such service providers shall be bound by appropriate confidentiality and security obligations, which may include, as applicable, business associate contract obligations;
  • With Business Partners: When you make purchases or engage in promotions offered through our Services, we may share personal information with the businesses with which we partner to offer you those products, services, and promotions. When you accept a particular business partner’s offer, you authorize us to provide your information to that business partner;
  • With your Cleo Family Benefit Sponsor (employer or health plan): We may share your enrollment status as a user of the Services, including your name, employee ID, and enrollment date, with your Cleo Family Benefit Sponsor for the purposes of administering our contractual obligations and/or your Sponsor’s tax or other administrative reporting purposes;
  • With Cleo’s Specialists: Subject to receipt of your express consent, we may share your personal information with Cleo’s Specialists and coaches enlisted to provide the Services.
  • Special Circumstances: We also may disclose your Personal Information:
    • In response to a subpoena or similar investigative demand, a court order, or other request from a law enforcement or government agency where required by applicable law;
    • When disclosure is required or allowed by law in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of our company, our users, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our Terms or other agreements or policies;

Any personally identifiable information you elect to make publicly available on our Sites or through the Services will be available to others. If you remove information that you have made public on our Sites or through the Services, copies may remain viewable in cached and archived pages of our Sites or through the Services, or if other users have copied or saved that information.

Non-Personally Identifiable Information: We may share non-personally identifiable information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with interested third parties to help us understand the usage patterns for certain Services and those of our partners. Non-personally identifiable information may be stored indefinitely.

Instances Where We Are Required To Share Your Information: Cleo will disclose your information where required to do so by law, if subject to subpoena or other legal proceeding or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) to protect the rights to enforce our Terms of Service or to protect the security or integrity of our Service; or (c) to exercise or protect the rights, property, or personal safety of Cleo, our users or others, including enforcing Cleo’s agreements, policies and terms of use or sharing information in an emergency.

What Happens In The Event Of A Change Of Control: We may buy, in whole or in part, another company or sell/divest/transfer/reorganize the Company (including any shares in the Company), or any combination of its products, services, assets and/or businesses. Your information such as names and email addresses, and other User information related to the Service may be among the items sold or otherwise transferred in these types of transactions. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of Cleo, but only if the recipient of personally identifiable data commits to a Privacy Policy that has terms substantially consistent with this Privacy Policy. You will be notified via email or a prominent notice on our Site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.


Your information is stored in databases maintained by the Company or third parties that are located within North America.

You should be aware that when you are on the Site or using our Services, you can be directed to other websites that are beyond our control, and we are not responsible for the privacy practices of third parties or the content of linked websites.


We are committed to protecting your privacy and data. We encrypt sensitive information (e.g. your login credentials, PII) during transmission and storage using industry standards. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you, other involved parties, and any applicable regulator(s) of a breach as soon as reasonably possible, in accordance with applicable laws.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. If you have any questions about the security of our Services, you can contact us at [email protected].

In some circumstances, our customers (usually your employer) who sponsor the services offered by Cleo have requested further limitations on our use and disclosure of your personal information than those scenarios described in this Privacy Policy. To the extent there are any inconsistencies between this Privacy Policy and the terms of any agreements we have entered into with our customers, the terms of the customer documents will control.

What are your data protection rights?

Our Company would like to make sure you are fully aware of all your data protection rights. Every user is entitled to the following:

The right to access. You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service if there is more than one request per year.

The right to rectification. You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete information you believe is incomplete.

The right to erasure. You have the right to request that our Company erase your personal data, under certain conditions.

The right to restrict processing. You have the right to request that our Company restrict the processing of your personal data, under certain conditions.


The right to data portability. You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email: [email protected] or write to us at Cleo Labs, Inc., 548 Market Street, PMB 46800, San Francisco, California 94104-5401.

If you are a citizen of the European Economic Area, you may also choose to contact our European Union Representative, as per Article 27 of the GDPR:

HYAZINTH Consulting for Tech UG (haftungsbeschränkt), Potsdamer Platz 11, 10785 Berlin (Germany)

If you are a citizen of the United Kingdom, you may also choose to contact our UK Representative, as per Article 27 of the UK GDPR:

Clientside Law Limited, 20-21 Jockey’s Fields, London, England, WC1R 4BW


Our emails may have an option to “opt-out.” If you choose to do so, you will not receive future promotional emails unless you open a new account or sign up to receive newsletters or emails. If you opt out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you.

You may send requests about personal information to our Contact Information below or to [email protected]. You can request to change contact choices, opt out of our sharing with others, and update your personal information.

Privacy Shield Notice

Cleo is committed to comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA and the United Kingdom to the United States (the “Privacy Shield”). Cleo has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

As required under the Principles, if we receive personal data subject to our certification under the Privacy Shield and then transfer it to a third party service provider that performs services on Cleo’s behalf, we have certain liability under the Privacy Shield if both (i) the service provider processes the personal data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, Cleo commits to resolve complaints about our collection or use of your personal information. If you are a resident of a European country participating in the Privacy Shield with inquiries or complaints regarding our Privacy Shield practices, you should first contact Cleo by email at [email protected], or by mail at the address listed below in the How to Contact Us section, and we will work with you to resolve your issue.

If you are a resident of a European country participating in the Privacy Shield and have an inquiry or complaint that we have not addressed to your satisfaction, you may seek further assistance, at no cost to you, from the American Arbitration Association (AAA) and the International Centre for Dispute Resolution (ICDR).

In addition to the steps described in Your Choices, above, some residents of European countries participating in the Privacy Shield may have certain legal rights to access or limit the use or disclosure of their personal information. To exercise those rights, these users may contact us at [email protected].

The services of the American Arbitration Association are provided at no cost to you. Under certain limited conditions, individuals may invoke binding arbitration as a last resort before the Privacy Shield Panel.

Cleo’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Cleo commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human and non-human resources data transferred from the EU.


WE DO NOT KNOWINGLY ENROLL OR COLLECT INFORMATION DIRECTLY FROM CHILDREN UNDER THE AGE OF EIGHTEEN. Children under the age of 18 may not use the Services. We support and comply with the Children’s Online Privacy Protection Act (COPPA) and we do not knowingly collect information from children under the age of 18, nor do we share such information with third parties. This Service and Website is not intended for persons under the age of 18. Cleo does not target its Service or Website to children. Cleo does not knowingly collect personally identifiable information or personal health information from children under the age of 18. If you seek Services for a minor, you will be responsible for providing information related to the minor and for paying for Services requested for the minor.


We may provide you with notices, including those related to your enrollment or use of the Services, by SMS, MMS, text message, or other reasonable means now known or hereinafter developed. We will provide notice and request consent to receiving text messages at the point of collection for mobile phone numbers. By providing Cleo with your telephone number, you consent to Cleo sending you text messages regarding your requested Services, such as a reminder about an upcoming appointment or for other non-telemarketing purposes, made by an automatic SMS, MMS, text message management system.

You understand that your cellular or mobile phone provider may not guarantee encryption of SMS messages that are stored on your behalf. By using the Services you accept the risk that some PHI could be intercepted by someone else targeting your SMS communications or seen by individuals who have access to your mobile device.

By providing the telephone number(s) you provide, you represent to Cleo that such telephone number(s) is your contact number and you are permitted to receive communications to that telephone number. You understand that providing a phone number that is not your own may be a violation of law and may expose you to legal penalties.

You understand that you may be subject to charges from your cellular or mobile phone service provider to receive SMS, MMS, and text messages from us, and all such charges will be solely your responsibility. You may opt out of receiving text messages from us at any time by texting “STOP” to an automated text you have received from us; however, you may receive future texts from us for account and identity verification purposes.


We may change this privacy policy from time to time and encourage you to frequently check this page in order to be up to date on the changes. If we make any changes, we will change the Last Updated date above, and in cases of material changes, we will provide additional notice (such as adding a statement to our homepage or sending you a notification through e-mail). Your continued use of the Services after any changes in this Privacy Policy will constitute your consent to such change(s).


If you have any questions, comments or concerns about our Privacy Policy, you may contact us at [email protected] or by writing to Cleo Labs, Inc., 548 Market Street, PMB 46800, San Francisco, California 94104-5401.


This privacy notice describes the personal information we collect or process about California residents in connection with the Site or the Services, how we use, share, and protect that personal information, and what your rights are concerning personal information that we collect or process.

In this section, “personal information” has the same meaning as under the California Consumer Privacy Act (CCPA), California Civil Code Section 1798.83: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include information that has been de-identified or aggregated or information that is considered “PHI” under HIPAA or medical information protected under California’s Medical Information Act.

Personal Information We Collect and Share, and For What Purpose: In the past 12 months, we have collected and shared personal information from visitors in the following circumstances when they interact with the Site or the Services, as described in detail above:

  • Information You Give to Us
  • Information We Get From Your Cleo Benefit Sponsor
  • Information We Get From Others
  • Information Automatically Collected
  • Cookies

As described in detail above, we use your personal information for a variety of purposes to operate, assess activity on, and improve the performance of the Site, including the following:

  • To provide the Services and personalize your experience
  • For research and development
  • To communicate with you about the Services
  • To market, promote, and drive engagement with the Services
  • For Customer support
  • For safety and security
  • To protect our legitimate business interests and legal rights

Except as described in detail above, we will not share with third parties information about you without your consent.

We do not share your personal information with third parties for third party marketing purposes.

Your Rights as a California Resident: Under California law, users who are California residents have specific rights regarding their personal information. These rights are subject to certain exceptions described below. When required, we will respond to most requests within 45 days unless it is reasonably necessary to extend the response time.

Right to Disclosure of Information: You have the right to request that we disclose certain information regarding our practices with respect to personal information. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction:

  • The categories of personal information we have collected about you in the last 12 months.
  • The categories of sources for the personal information we have collected about you in the last 12 months.
  • Our business or commercial purpose for collecting that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you.
  • If we disclosed your personal information to a third party for a business purpose, a list of the personal information types that each category of recipient received.

Right to Delete Personal Information: You have the right to request that we delete any of your personal information collected from you and retained, subject to certain exceptions. Upon receiving a verified request to delete your personal information, we will do so unless otherwise authorized by law.

How to Exercise these Rights: You may submit a verifiable consumer request to us for disclosure or deletion of personal information by emailing us. We will respond to verifiable requests for disclosure or deletion of personal information free of charge, within 10 days of receipt.

In order to protect your privacy and the security of your information, we verify consumer requests by matching personal information that you provide with information in our possession, in order to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.

You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us. Alternatively, an authorized agent that has been provided power of attorney under Probate Code sections 4000-4465 may submit a request on your behalf.

Right to Opt Out of Sale of Your Personal Information: We do not sell your personal information.

Right to Non-Discrimination: You have the right not to be discriminated against for the exercise of your California privacy rights described above.


The data controller is Cleo Labs, Inc., 548 Market Street, PMB 46800, San Francisco, California 94104-5401.

Our Legal Representative in the EEA is HYAZINTH Consulting for Tech UG (haftungsbeschränkt), Potsdamer Platz 11, 10785 Berlin, Germany.

Our Legal Representative in the UK is Clientside Law Limited, 20-21 Jockey’s Fields, London, England, WC1R 4BW

Purposes and Legal Basis. When processing your Personal Data, we rely on the EU General Data Protection Regulation in the EEA, and the UK General Data Protection Regulation in the UK (both referred to herein as “GDPR”), a legal framework in the EEA and the UK for the standardization of data protection. Cleo primarily processes data as a controller, for the purposes of providing our Services to you, or to improve our Services and protect our interests as described above in accordance with Article 6 of the GDPR. When we process special categories of personal data, such as data concerning health or sex life or sexual orientation we do so only based on your explicit consent in accordance with Article 9 of the GDPR, and only for the purposes described above. This may include sharing your Personal Data with one of our experts and coaches, upon your request. In addition, we are legally obliged to provide certain information to criminal prosecution or tax authorities in individual cases upon request. In these cases, the legal basis for the processing is either legal requirements or reasons of public interest in accordance with Article 6 of the GDPR.

We are handling certain data on behalf of our customers (your employer or health plan), as described above. In this case Cleo is a data processor and relies on the legal basis of your employer.

Retention Periods. We generally process and store your personal data to the extent necessary to fulfill our legitimate interests, contractual or legal obligations. Therefore, we store the data for the duration of the contractual relationship with you and after termination only to the extent and for as long as legally required. If data is no longer required to fulfill legal obligations (e.g. under tax or commercial laws), it will be deleted unless further processing is necessary to preserve evidence or defend against legal claims against us. If the processing is based on your explicit consent, we process your personal data to the extent necessary or until you have withdrawn your consent.

Processing Data outside the UK and the EEA. Cleo is a US company with servers in the US and other countries, that are considered “Third Countries” under the GDPR, which do not offer the same level of protection to your personal data as in the EU or the UK. When personal data is transferred outside of the UK or EEA to the US or is processed in the U.S., there is a particular risk that U.S. authorities may gain access to your personal data and you may not be granted effective legal protection against any such access in the U.S.. Cleo may also share your personal data with our employees, partners, contractors, experts or coaches who may be based outside of the UK and/or the EEA, and so their processing of your personal data will involve a transfer of data outside the UK and/or the EEA, and such transfers will rely on adequacy determinations and/or be based on the UK or European Commission’s approved Standard Contractual Clauses.