Privacy Policy

Last Updated: May 8, 2026

Employee Network Inc. ("eni," "we," or "our") is committed to protecting the privacy of individuals and complying with all applicable laws, regulations, and standards, including those established under the Health Insurance Portability and Accountability Act (HIPAA) in the United States. This Privacy Policy covers all eni products and services that are provided through our platforms, including mobile apps and websites.

Our Privacy Policy aims to safeguard the privacy of consumers, clients, members, and visitors to this website and associated mobile apps throughout our relationship. It outlines the information we collect, how we use it, with whom we share it, and how consumers, clients, members, and visitors can verify and update their information. To ensure ongoing protection of your personal information, we will periodically update this Privacy Policy. The date of the most recent changes is indicated by the "Last Updated" date at the top of this document. By using the platform, you agree to the terms of this Privacy Policy and future updates to this Privacy Policy.

What Information Do We Collect?

To access our services and platforms, your employer, organization, school, association, or group must be registered with eni. We may collect information through interactive features such as online surveys, contact and registration forms, and the use of cookies. Information collected includes:

1. Provided by Consumers

• Name
• SSN or last 4 digits of SSN
• Date of birth
• Email address
• Physical/mailing address
• Telephone number
• Personal health information or sensitive information

2. Collected via Technology

• Browser settings, including web browser software, links clicked, traffic data, Internet domain name, Internet address used to access the platform, location data, and web logs

3. Sensitive Information

• Personal health information, used with explicit consent where required

4. AI or LLM-Driven Features

Bree Health uses a third-party artificial intelligence service, OpenAI, to power the AI-assisted and Large Language Model (LLM) features of the platform. When you choose to use these features, the following categories of information are transmitted to OpenAI for processing:

• The messages, questions, and content you type into the AI chat
• Limited account context that helps the AI respond appropriately, such as your first name, age range, language preference, and any mood, wellness, or assessment inputs you choose to share in the conversation
• Conversation history within an active session, so the AI can maintain context

We do not transmit your full legal name, Social Security number (or last 4 digits of SSN), email address, telephone number, postal address, payment or financial information, precise geolocation, government identifiers, or your health records to OpenAI.

OpenAI processes this information on our behalf under a written data-processing agreement that requires it to protect your information using safeguards equivalent to those described in this Privacy Policy. OpenAI is contractually prohibited from using your conversations to train its own general-purpose AI models and from using your data for any purpose other than providing the service to us.

Before you use AI or LLM-driven features for the first time, the Bree Health app will ask for your explicit, in-app permission to share the data described above with OpenAI. If you do not grant permission, the AI features will be unavailable to you, but the rest of the Bree Health platform will continue to function. You may withdraw your permission at any time from within the app, which will disable the AI features.

Where permitted by law, personally identifiable information may be anonymized or de-identified by eni before being used internally for service improvements, analytics, or model evaluation.

How Will Your Personal Information Be Used?

Your employer will not have access to your personal data stored on eni systems. eni limits the collection, use, and retention of personal information to:

• Provide requested services or goods.
• Facilitate eni's internal business operations.
• Process your conversations through our third-party AI service provider (OpenAI) to generate responses, where you have granted in-app permission to do so.
• Support safety and well-being efforts, including reviewing conversations in limited circumstances where permitted by law.
• Comply with legal obligations and applicable law.

Aggregated, anonymized, or de-identified data may be used for statistical analysis and reporting purposes. Specifically, data from AI or LLM-driven features may improve service functionality while maintaining user privacy.

Who Do We Share Your Information With?

We do not generally share personal data with employers. However, if your employer offers an incentive plan tied to eni's programs, we may share necessary information, such as your name, employee ID, and program completion details, with your employer upon explicit consent where required.

We do not sell your email address, identifying information, or non-identifying information to third parties. We share information with the following categories of recipients:

• Third-party AI service provider (OpenAI) — to generate responses in our AI and LLM-driven features, as described in the "AI or LLM-Driven Features" section above. OpenAI receives only the data categories listed in that section and only after you have granted in-app permission.
• Service providers and affiliated companies — including hosting, analytics, customer support, and security vendors that help us operate, maintain, support, protect, or improve the platform.
• Legal and safety recipients — when required by law, in response to legal process, or when needed to help protect the rights, property, or safety of eni, our users, or others.

All third parties that receive your personal information are required by contract to protect your information using safeguards equivalent to those described in this Privacy Policy and to use your information only for the purposes we authorize.

What Are Your Rights?

You have certain rights regarding your personal information collected and maintained by eni. We offer you choices regarding the collection, use, and communication of your personal information:

• You can choose not to provide personal information to eni by refraining from using features and programs that request such information.
• You can opt not to have a unique cookie identification number assigned to your computer.
• You may provide consent to release some or all of your personal information to individuals or organizations. Otherwise, your personal data will not be released unless there is a legal obligation to do so.
• You can withdraw any consents previously provided to eni or, on legitimate grounds, object at any time to the processing of your personal information or specific categories of data that you consider sensitive.
• You have the right to data portability, enabling you to retrieve and reuse your personal information for your own purposes.
• You have the right to request the correction of any errors in your personal information collected and processed by eni.
• You have the right to lodge complaints with supervisory authorities.
• Subject to local law requirements, you may have the right to request access to and receive information about the personal information collected and maintained by eni, update and correct inaccuracies in your personal information, and have your personal information blocked or deleted, as appropriate.
• You have the right to ask eni to no longer collect your personal information for information purposes, such as sending information via email or SMS and soliciting opinions on eni products and services, by withdrawing your consent. You can exercise your right to withdrawal at any time by contacting eni.

For AI or LLM-driven features, you have the right to request an explanation of decisions made by AI or LLM systems and to opt out of AI or LLM-based data processing where applicable. You may also withdraw your permission to share data with OpenAI at any time through the AI privacy settings within the Bree Health app, which will immediately disable the AI features.

Security of Your Data

Your personal data is protected through appropriate administrative, technical, physical, and organizational safeguard measures designed to prevent unauthorized access. We utilize industry-standard encryption, including protections for data in transit and at rest; however, information transmitted over the Internet is not entirely secure. You are encouraged to use secure devices and methods when accessing eni's services.

Identifiable conversation content shared with OpenAI is governed by OpenAI's contractual data-handling obligations to us and is not retained or used by OpenAI for purposes other than providing the AI features to you. AI-driven features may retain anonymized or de-identified data for extended periods to enhance functionality and improve services.

Data Storage Duration

Your personal data will be retained for the duration of your use of the platform or as required by law. Anonymized or de-identified data collected from interactions with AI or LLM features may be stored longer for service optimization.

Jurisdiction and Applicable Law

This Privacy Policy is governed by the laws of the State of New York. By using this platform, you consent to the jurisdiction of the courts located in the County of Broome, State of New York, unless local law permits otherwise.

California Consumer Privacy Act (CCPA)

California users (CA Users) have certain rights regarding the collection, use, and dissemination of their personal information under the California Consumer Privacy Act (CCPA). This section augments the preceding sections of this Privacy Policy by detailing CA Users' additional rights concerning their personal information and explaining how to exercise such rights.

We collect and use the following categories of personal information for the business purposes described in this Privacy Policy:

• Identifiers, including real name, alias, postal address, IP address, email address, telephone number, or other similar identifiers
• Information contained within customer records as defined in California Civil Code Section 1798.80, including payment and financial information
• Demographic information and characteristics of protected classifications under California or federal law, including date of birth and age
• Internet or other electronic network activity information, including browsing history, search history, and information on users' interaction with eni services and third-party sites and applications
• Geolocation information
• Inferences drawn from the information detailed above
• Conversation content and limited account context that you choose to share in AI or LLM-driven features

We may collect this personal information from the categories of sources described in this Privacy Policy. We may disclose the categories of personal information mentioned above for our business purposes to the extent permitted by applicable laws with the categories of parties described above in this Privacy Policy, including our third-party AI service provider (OpenAI) where you have granted in-app permission to use AI features.

Depending on our marketing and advertising practices, we may share these categories of personal information: online identifiers, including IP addresses, advertising identifiers, and cookie identifiers, email addresses, names, and general demographics. We may disclose these categories of personal information to the categories of parties described above in this Privacy Policy, including vendors, partners, sponsors, and advertisers.

Processing of Sensitive Personal Information

We, our service providers, or both may process these categories of sensitive personal information as necessary to provide the Services and for permitted business purposes:

• Credit or debit card numbers
• Financial account numbers
• Precise geolocation
• Username
• Password

Right to Know and Access Personal Information Collected, Used, Shared, or Sold

CA Users have the right to request access to the personal information we collect about them for the period covering at least 12 months preceding their request. CA Users may request disclosure of:

• The categories of personal information we collected about you
• The categories of sources from which we collected personal information about you
• The categories of personal information that we have disclosed about you for business purposes and the categories of suppliers to whom the information was disclosed
• The categories of personal information that we sold to third parties and the categories of third parties to whom the personal information was sold, if any
• The business or commercial purposes for which personal information about you was collected, shared, or sold
• The specific pieces of personal information we collected about you

Right to Correct Inaccurate Personal Information

CA Users have the right to request that we correct inaccurate personal information we maintain about them.

Right to Request Deletion of Personal Information

CA Users have the right to request that we delete the personal information we maintain about them, subject to certain exceptions.

Right to Opt Out of the Sale or Sharing of Personal Information

CA Users have the right to opt out of a business's sale or sharing of their personal information.

We do not knowingly sell or share the personal information of persons under 18 without express written or otherwise verifiable consent, nor do we knowingly sell or share the personal information of persons under 13.

Right of No Retaliation for Exercising Privacy Rights

eni will not retaliate or discriminate against CA Users for exercising their rights under the CCPA or other applicable privacy laws. We will not do any of the following based on a CA User's exercise of their rights under the CCPA:

• Deny the CA User goods or services
• Charge the CA User different prices or rates for goods or services, including through discounts or other benefits or imposing penalties
• Provide the CA User with a different level or quality of goods or services
• Suggest the CA User may receive a different price or rate for goods or services or a different level or quality of goods or services
• Retaliate against an employee, applicant, or independent contractor who exercises their rights under the CCPA

How to Request Access, Deletion, or Correction

CA Users may submit a request to access, delete, or correct their personal information by emailing DPO@eniweb.com.

Designating an Authorized Agent to Submit Privacy Requests

CA Users have the right to appoint an authorized agent to submit requests to access, delete, or correct their personal information. If you decide to submit a privacy request through an authorized agent, we may require that you provide the agent with written permission to do so and that the agent verify their own identity with us. If an agent submits your privacy request without proof that they have been authorized by you to act on your behalf, we may deny the request.

"Shine the Light" Law

Under California Civil Code Section 1798.83, CA Users have the right to request a business to provide them with a list of certain categories of personal information that the business has disclosed to third parties for the direct marketing purposes of the third parties during the preceding calendar year and a list of the identity of those third parties.

However, the law does not require a business to provide the lists mentioned above if the business adopts and discloses to the public, in its privacy policy, a policy of not disclosing CA Users' personal information to third parties for direct marketing purposes unless the business provides users a mechanism to opt out of having their personal information disclosed to third parties for direct marketing purposes. As such, a business may comply with California law by notifying CA Users of their right to prevent disclosure of personal information and providing a cost-free means to exercise the right.

By providing CA Users with such a mechanism, we are not required to maintain or disclose a list of third parties that received your personal information for direct marketing purposes. If you wish to opt out of sharing your personal information with third parties for direct marketing purposes, please email DPO@eniweb.com with Opt Out in your request's subject line or body.

Data collected from AI or LLM-driven features will comply with applicable CCPA regulations, ensuring transparency and user rights are maintained.

Important Notice About AI or LLM Usage

The Bree Health platform offers AI or LLM-driven features powered by our third-party AI service provider, OpenAI. Before you use these features for the first time, the app will ask for your explicit, in-app permission to share your conversations and the data described in the "AI or LLM-Driven Features" section above with OpenAI. The AI features will not be available unless and until you grant this permission, and you may withdraw your permission at any time from within the app, which will disable the AI features.

Your use of AI or LLM-driven features is also subject to the following acknowledgements:

• AI or LLM systems may occasionally produce incorrect or incomplete information ("hallucinations").
• For critical or health-related decisions, consult a qualified professional and do not rely solely on AI or LLM-generated feedback.
• Bree Health is not a substitute for professional medical, mental-health, or emergency care.

By continuing to use our services, you agree to the terms of this Privacy Policy. AI or LLM-driven features additionally require your separate, explicit in-app permission as described above.

Contact