Carrot Fertility, Inc. (“Carrot,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Notice explains how your Personal Information is collected, used, stored, processed, transferred, and disclosed by Carrot.
This Privacy Notice applies to our website https://get-carrot.com (our "Website") and any other website, mobile application, or online service that links to this Privacy Notice (collectively, our "Service").
The Service may contain links to and from third party websites of our business partners, advertisers, and social media sites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. We may also share a user ID with third-party websites allowing us and the third-party website provider to jointly track specified activities across both websites. We strongly recommend that you read their privacy policies and terms and conditions of use to understand how they collect, use, and share information.We are not responsible for the privacy practices or the content on the websites of third party sites.
Before accessing or using our Service, please ensure that you have read and understood our collection, storage, use, and disclosure of your Personal Information as described in this Privacy Notice.
To the extent that you are subject to United States benefit and taxation laws, and that your employer has established a health reimbursement arrangement plan or HRA (i.e., the “Covered Entity”), Carrot is considered a Business Associate to the Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Please review the Covered Entity’s “Notice of Privacy Practices (NPP)” for an explanation of how that entity will collect, use, disclose, and protect your “Protected Health Information (PHI).”
Carrot is the “Data Controller” responsible for protecting your Personal Information, which means we determine and are responsible for how your Personal Information is handled. Your employer will also initially send us your name and eligibility information ("Employee Eligibility File"). If you have queries regarding the information contained in the Employee Eligibility File, please contact your employer, who is the Data Controller of such information.
"Personal information" encompasses all “Personal Data” as defined in Art. 4 (1) of the General Data Protection Regulation ("GDPR"), meaning any information that relates to an identified or identifiable individual; provided, that in such circumstance(s) that applicable data protection laws require otherwise, “Personal information” has the meaning ascribed to it in such law(s).
If your state of residence has specific privacy requirements that go beyond the general scope of this Privacy Notice, it is listed below:
Please click here to see more detailed information.
If you are a resident of Washington, you can also click here.
If you are resident of Nevada, you can also click here.
Also, please note that we will update this list as necessary to address evolving operations and regulations.
If you are a resident of a state that is not listed above, please contact us at legal@get-carrot.com if you have any questions about this Privacy Notice.
If your country of residence has specific privacy requirements that go beyond the general scope of this Privacy Notice, it is listed below:
Please click here to see more detailed information.
Also, please note that we will update this list as necessary to address evolving operations and regulations.
If you are a resident of a jurisdiction that is not listed above, please contact us at legal@get-carrot.com if you have any questions about this Privacy Notice.
In order to provide services, Carrot will store and process your Personal Information in the United States. To the extent that your local jurisdiction considers this an “international data transfer,” we will comply with that jurisdiction’s requirements for transferring Personal Information to other countries.
For Residents of the EEA, Switzerland, and the United Kingdom
When your employer sends us your name and eligibility information ("Employee Eligibility File"), we will store and process that information in the United States. To comply with applicable regulatory requirements (e.g., the GPDR) on “international data transfers,” we will sign appropriate contractual mechanisms with the “data exporter” (i.e, your employer). For instance, if you are an EEA resident, Carrot and your employer will sign Module 2 of the EU Standard Contractual Clauses (SCCs).
For Residents of the EEA and Switzerland
In addition, we are currently in the process of “self-certifying” to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, and we will update this page if and when our application is approved to reflect our participation in and commitment to these Principles.
How we collect Personal Information
We collect Personal Information about you when you voluntarily submit information to us when you use our Service. This can include information you provide to us when you register for an account, send us messages, subscribe to our mailing lists, newsletters or other forms of marketing communications related to the Service, participate in a survey, or use some other feature of our Service.
We may also collect information about you from our third party partners, as further described here.
Your Choices and Preferences Regarding How we Collect your Information
For further information on your rights and choices regarding your information, see here.
We will indicate to you where the provision of certain Personal Information is mandatory and where it is optional. If you choose not to provide Personal Information marked as mandatory, we may not be able to provide you with requested products, services, or information.
Categories of Personal Information we Collect
The categories of Personal Information we collect may include, without limitation:
Linking and Combining Personal Information from Different Sources
We also link or combine your activities and information collected from you on our websites with information we collect automatically through tracking technologies. This allows us to provide you with a personalized experience regardless of how you interact with us.
A Note on Children’s Privacy
Carrot does not knowingly collect or solicit any information from anyone under the age of 18 on this Service. In the event that we learn that we have inadvertently collected Personal Information from a child under age 18, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 18, please contact us using the contact details set out at the end of this Privacy Notice. We encourage parents and guardians to spend time online with their children and to participate and monitor the interactive activities of their children.
How we Collect this Information
When you use our Service, read our emails, or otherwise engage with us through a computer or mobile device, we and our third-party partners automatically collect information about how you access and use the Service and information about the device you use to access the Service.
We typically collect this information through a variety of tracking technologies, including cookies, location-identifying technologies, and similar technology (collectively, “tracking technologies”).
See here for more detail on the tracking technologies we use.
Third Party Data Collection of User Experience Information
When you use the Service, we may use third party tools to monitor user experience information. These tools automatically collect usage information, including mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected is de-identified and does not include passwords, payment details, or other sensitive Personal Information. We use this information for site analytics, optimization, and to improve website usability.
Linking and Combining Personal Information from Different Sources
Information we collect automatically about you may be combined with other Personal Information we collect directly. For example, we may combine your location based on your IP address that we have collected automatically with your email address that you have provided.
Use of Artificial Intelligence (AI) and Machine Learning (ML)
Additionally, and only with your consent, we may leverage Artificial Intelligence (AI) and Machine Learning (ML) technology to collect Personal Information via automated means. We may then combine this data with Personal Information that you provide us directly. Doing so will allow us to develop personalized guidance and care, which may include (among other activities) matching you with specific providers and suggesting achievable, habit-forming actions that align with your individual goals.
We will not utilize AI or ML-generated input without your consent, which you have the right to opt-out of (i.e., your right to opt-out of automated decision-making) at any time.
For further information on third parties using tracking technologies please see here.
For further information on your choices regarding your information, including choices around tracking technologies, see here.
For further information on how Carrot uses sensitive information, see here.
For further information on your rights, including the right to opt-out of automated decision-making, see here.
This section sets out the categories of Personal Information we collect about you, and explains how and why we use that information. It also lists the legal bases on which we rely to process personal Information. You hereby expressly acknowledge and agree that the collection and processing described in this Privacy Notice are necessary for our performance of our obligations under the Terms & Conditions.
For further information on your rights and choices regarding your information, see here.
This category includes Personal Information we collect--such as your name, phone number, address, date of birth, and e-mail address, and your partner’s name, phone number, address, date of birth, and e-mail address--when you register for our Service, request a Carrot Card or any other product offered through the Service, or otherwise communicate or interact with us.
This category includes sensitive information, such as your and your partner's gender identities, interest in various fertility health and family-forming options, any relevant diagnoses you may have received, Social Determinants of Health, and any related health information.
When you contact us directly, e.g., by email, phone, mail, or by completing an online form or participating in online chat, we will record your comments and opinions. We will also record comments and opinions you express when responding to surveys we run.
This category includes Information such as your Employee ID, your receipts for fertility care and other services, whether you or your partner received the care, the date of your or your partner’s treatments, and your payment information, such as your credit card or bank account details.
This category includes Information about your location. We may approximate your location based on your IP address.
When you interact with our Service through various social media networks, such as when you Like us on Facebook or when you follow Carrot or share Carrot content on Facebook, Twitter, Snapchat, LinkedIn, Instagram or other sites, we may receive information from those social networks including your profile information, picture, user ID associated with your social media account, friends list, and any other information you permit the social network to share with third parties. Records are kept until you delete your social media account.
You may select your preferences for notifications, marketing communications, and site display, as further detailed here. Records of your selections are deleted upon deactivation.
We may receive information from third parties. This information may include sensitive information, such as health care claims history and health information.
When you submit reimbursement requests for processing, we may share the following information with your employer for disbursement, payroll, and tax purposes, or as otherwise required by applicable law:
Your information may also be shared with your employer for:
We will share certain Personal Information with health plans to help make our Service available to you and/or for deductible tracking purposes.
We will share certain Personal Information with third party partners and service providers, as necessary to achieve the purpose for which we have shared it, which may include (but is not limited to) fulfilling your orders for products available through our Service as requested by you, confirming your eligibility for services provided by third party partners and service providers, as described, improving our Service and business, providing mailing services, web hosting, or providing analytic services.
Any such service providers and partners will be given limited access to Personal Information as reasonably necessary to achieve such purpose and will, by appropriate data processing agreements or analogous contractual provisions, be bound to only process Personal Information on our behalf and for specifically enumerated purposes; if you would like to more specifically understand the services our third party partners render, please contact us at legal@get-carrot.com.
We may share your Personal Information with third party providers and advisors where this is necessary to achieve our legitimate interests, such as conducting security audits, consulting tax consultants and lawyers, or engaging payment processors to process payment transactions.
Personal Information may be disclosed to third parties in connection with a Carrot-related transaction, such as a merger, sale of Carrot assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by a third party, or in the event of a bankruptcy or related or similar proceedings.
In the event that we receive a request for Personal Information from law enforcement, we will follow three basic principles to protect your privacy:
We may use third-party payment services to process payments made through the Service. If you wish to make a payment through the Service, for example by using the Carrot Card, your payment information may be collected by a third-party payment service provider, such as Stripe Inc., and not by us, and thus will be subject to the third-party’s privacy notice (Privacy Policy) rather than this Privacy notice.
If you request a self-referral to a care provider, including without limitation fertility clinics, third-party assisted reproduction agencies, or assisted reproduction attorneys, we may share your Personal Information with those care providers, as indicated at the time of your request.
If your employer has chosen to participate in a channel partner rewards program, we may send information about specific activities or “events” (e.g., account activation, content review, benefit guide review, intake completion) that you take on Carrot’s platform to channel partners to enable your participation in these rewards programs.
You may grant account access to your partner. If you do so, your partner will be able to see your sensitive health information, including detailed information related to your Carrot Plan.
We will share your information with export screening providers to ensure compliance with applicable laws and regulations. This process helps us verify that our services are not being used in violation of export control laws.
We will share personal information, which may include (among other data fields) Medicare ID, with the Centers for Medicare & Medicaid Services (CMS) for Section 111 reporting purposes. This reporting is mandatory to ensure compliance with CMS regulations.
You may update your profile information, such as your name, address, or bank account information.
Carrot Fertility does not currently honor the Do Not Track (DNT) browser signal.
If you are a resident of California, see here for more information about your rights.
To the extent provided in applicable data protection laws, we will only send you promotional and marketing emails, or contact you for promotional or marketing purposes by phone or SMS, if you have given us your explicit consent. For US-based members, we will only contact you for promotional or marketing purposes by phone or SMS if you have given us your explicit consent. You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may opt-out of receiving promotional calls, SMS/texts and direct mail communications from Carrot at any time with future effect as set forth in our Terms of Service. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Service, technical and security notices).
When you visit any website, it may store or retrieve information on your browser in the form of cookies, pixels, and other tracking technologies. This may include information about you, your preferences, or your device. You can choose not to allow some types of cookies, but blocking some types of cookies may impact your experience of the site and the services we are able to offer.
Most browsers allow you to adjust your browser settings to: (i) notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Blocking or deleting cookies may negatively impact your experience using the Service, as some features and services may not work properly.
You may set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you viewed or engaged with our emails.
Deleting cookies does not delete Local Storage Objects (LSOs) such as Flash objects and HTML5. To manage Flash cookie settings and preferences, you must use the settings manager on Adobe’s website or by clicking here. If you choose to delete Flash objects from our Service, then you may not be able to access and use all or part of the Service or benefit from the information and services offered.
Some of these opt-outs may not be effective unless your browser is set to accept cookies. If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt-out again.
In addition to the ways in which you can manage the use of your information as outlined in the previous section (“Your Choices and Control Over Your Information”), you may also exercise the rights granted to you under applicable data protection laws.
At a minimum, you have and may exercise the rights listed below.
If you are a resident of a state or country listed in this section, please see State Addenda to Privacy Notice and Country Addenda to Privacy Notice, respectively, to learn more about your jurisdiction-specific rights.
If you wish to exercise one of these rights, contact us at data-requests@get-carrot.com.
In addition to the rights listed above, you may have the right to lodge a complaint with the applicable data protection authority in your jurisdiction, if you consider that a processing of your Personal Information infringes the applicable data protection laws. If you are an EU resident, further information about how to contact your local data protection authority is available at JUSTICE AND CONSUMERS ARTICLE 29 - National Data Protection Authorities. However, we encourage you to first reach out to us by using the contact details available here so that we have an opportunity to address your concerns directly and find a solution together before you lodge a complaint.
Your information collected through the Service will be stored and processed in the United States and may be processed in any other country in which Carrot or its affiliates or service providers maintain or have access to facilities. Please note that these internal and external international transfers of your Personal Information are made pursuant to appropriate safeguards, as further discussed here.
If you wish to inquire further about these appropriate safeguards, please contact us at legal@get-carrot.com.
We care about the security of your information and employ physical, administrative, and technological safeguards designed to preserve the integrity and security of all information collected through our Service. When you enter sensitive information (such as a credit card number) on our order forms or login credentials (such as username and password) on our platform login, we encrypt the transmission of that information. However, no security system is impenetrable, and we cannot guarantee the security of our systems 100%. In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.
Unless applicable law requires a longer retention period, we will retain your information only as long as necessary for the purposes outlined in this Privacy Notice and for a commercially reasonable time thereafter for backup, archival, fraud prevention or detection, or audit purposes.
To determine the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, and applicable legal requirements.
If you have any questions about this Privacy Notice or the website, please contact us at legal@get-carrot.com.
As a general practice, we plan to update this Privacy Notice once every six months. We may, however, update it more or less frequently, depending on operational and regulatory circumstances. Either way, if we have your email address, we will notify you of any material changes. We will update the “Effective Date” at the bottom of this page when we post changes to this Privacy Notice. If you object to any changes, you may close your account. Continuing to use our Service after we publish changes to this Privacy Notice means that you have read and understood the changes.
Effective Date: March 1, 2024
