Privacy Policy

Last Updated: January 15, 2025

Employee Network Inc. ("eni", "we" or "our") is committed to protecting the privacy of individuals and complying with all applicable laws, regulations, and standards, including those established under the Health Insurance Portability and Accountability Act (HIPAA) in the United States. This Privacy Policy covers all eni products and services that are provided through our platforms, including mobile apps and websites.

Our Privacy Policy aims to safeguard the privacy of consumers, clients, members, and visitors to this website and associated mobile apps throughout our relationship. It outlines the information we collect, how we use it, and how consumers, clients, members, and visitors can verify and update their information. To ensure ongoing protection of your personal information, we will periodically update this Privacy Policy. The date of the most recent changes is indicated by the "Last Updated" date at the top of this document. By using the platform, you agree to the terms of this Privacy Policy and future updates to this Privacy Policy.

What Information Do We Collect?

To access our services and platforms, your employer, organization, school, association, or group must be registered with eni. We may collect information through interactive features such as online surveys, contact and registration forms, and the use of cookies. Information collected includes:

1. Provided by Consumers:
   • Name
   • SSN or last 4 digits of SSN
   • Date of birth
   • Email address
   • Physical/mailing address
   • Telephone number
   • Personal health information or sensitive information
2. Collected via Technology:
   • Browser settings (e.g., web browser software, links clicked, traffic data, Internet domain name, Internet address used to access the platform, location data, and web logs)
3. Sensitive Information:
   • Personal health information, used with explicit consent, where required.
4. AI or LLM-Driven Features: If you choose to use AI-assisted or Large Language Model (LLM)-powered services, your data, including conversation logs, may be processed by our AI or LLM systems. Personally identifiable information is anonymized or de-identified, where permissible by law, before being used for service improvements or model training. By using these features, you consent to this data usage.

How Will Your Personal Information Be Used?

Your employer will not have access to your personal data stored on eni systems. eni limits the collection, use, and retention of personal information to:

• Provide requested services or goods.
• Facilitate eni's internal business operations.
• Comply with legal obligations and applicable law.

Aggregated, anonymized, or de-identified data may be used for statistical analysis and reporting purposes. Specifically, data from AI or LLM-driven features may improve service functionality while maintaining user privacy.

Who Do We Share Your Information With?

We do not generally share personal data with employers. However, if your employer offers an incentive plan tied to eni's programs, we may share necessary information (e.g., your name, employee ID, and program completion details) with your employer upon explicit consent (where required).

We do not sell your email address, identifying information, or non-identifying information to third parties. However, we may share information with our affiliated companies or select third parties to fulfill the objectives outlined in this Privacy Policy. Additionally, information may be disclosed in response to legal processes or to protect the rights, property, or safety of eni or others.

What Are Your Rights?

You have certain rights regarding your personal information collected and maintained by eni. We offer you choices regarding the collection, use, and communication of your personal information:

• You can choose not to provide personal information to eni by refraining from using features and programs that request such information.
• You can opt not to have a unique cookie identification number assigned to your computer.
• You may provide consent to release some or all of your personal information to individuals or organizations. Otherwise, your personal data will not be released unless there is a legal obligation to do so.
• You can withdraw any consents previously provided to eni or, on legitimate grounds, object at any time to the processing of your personal information or specific categories of data that you consider sensitive.
• You have the right to data portability, enabling you to retrieve and reuse your personal information for your own purposes.
• You have the right to request the correction of any errors in your personal information collected and processed by eni.
• You have the right to lodge complaints with supervisory authorities.
• Subject to local law requirements, you may have the right to (1) request access to and receive information about the personal information collected and maintained by eni, (2) update and correct inaccuracies in your personal information, and (3) have your personal information blocked or deleted, as appropriate.
• You have the right to ask eni to no longer collect your personal information for information purposes (e.g., sending information via email or SMS, soliciting opinions on eni products and services) by withdrawing your consent. You can exercise your right to withdrawal at any time by contacting eni.

For AI or LLM-driven features, you have the right to request an explanation of decisions made by AI or LLM systems and to opt out of AI or LLM-based data processing where applicable.

Security of Your Data

Your personal data is protected through appropriate administrative, technical, physical, and organizational safeguard measures to prevent unauthorized access. We utilize industry-standard encryption; however, information transmitted over the Internet is not entirely secure. You are encouraged to use secure devices and methods when accessing eni's services.

AI-driven features may retain anonymized data for extended periods to enhance functionality and improve services.

Data Storage Duration

Your personal data will be retained for the duration of your use of the platform or as required by law. Anonymized data collected from interactions with AI or LLM features may be stored longer for service optimization.

Jurisdiction and Applicable Law

This Privacy Policy is governed by the laws of the State of New York. By using this platform, you consent to the jurisdiction of the courts located in the County of Broome, State of New York, unless local law permits otherwise.

California Consumer Privacy Act (CCPA)

California users (CA Users) have certain rights regarding the collection, use, and dissemination of their personal information under the California Consumer Privacy Act (CCPA). This section augments the preceding sections of this Privacy Policy by detailing CA Users additional rights concerning their personal information and explaining how to exercise such rights. Throughout this Privacy Policy, we discuss, in detail, the specific pieces of personal information we collect from and about users. We collect and use the categories of personal information listed immediately below for the business purposes described in this Privacy Policy:

• Identifiers, including, but not limited to, real name, alias, postal address, Internet Protocol (IP) address, email address, telephone number, or other similar identifiers;
• information contained within customer records as defined in subsection (e) of California Civil Code Section 1798.80, including, but not limited to, credit, debit, or bank account numbers or any other payment and financial information;
• demographic information and characteristics of protected classifications under California or federal law, including, but not limited to, date of birth and age;
• internet or other electronic network activity information, including, but not limited to, browsing history, search history, information on users' interaction with the eni website and/or application, and other eni services and other companies' websites and applications, including, but not limited to, information on usage, preferences, communications, and subscriptions;
• geolocation information; and
• any inferences that may be drawn from the information detailed above.

We may collect this personal information from the categories of sources described in this Privacy Policy. We may disclose the categories of personal information mentioned above for our business purposes to the extent permitted by applicable laws with the categories of parties described above in this Privacy Policy.

Depending on our marketing and advertising practices, we may share these categories of personal information: online identifiers (including, but not limited to, IP addresses, advertising identifiers, and cookie identifiers), email addresses, names, and general demographics. We may disclose these categories of personal information to the categories of parties described above in this Privacy Policy, including vendors, partners, sponsors, and advertisers.

Processing of Sensitive Personal Information: We, our service providers, or both may process these categories of sensitive personal information as necessary to provide the Services and for permitted business purposes:

• Credit or debit card numbers, financial account numbers, precise geolocation, username, and password.

Right to Know and Access Personal Information Collected, Used, Shared, or Sold: As described in this section, CA Users have the right to request access to the personal information we collect about them. CA Users can find additional details on requests they can make in the CCPA. CA Users have the right to request that we disclose the following information for the period covering at least 12 months preceding their request:

• The categories of personal information we collected about you;
• The categories of sources from which we collected personal information about you;
• The categories of personal information that we have disclosed about you for our business purposes and the categories of suppliers to whom the information was disclosed;
• The categories of personal information that we sold to third parties and the categories of third parties to whom the personal information was sold, if any;
• The business or commercial purpose(s) for which personal information about you was collected, shared, or sold; and
• The specific pieces of personal information we collected about you.

Right to Correct Inaccurate Personal Information: CA Users have the right to request that we correct inaccurate personal information we maintain about them, detailed above in this Privacy Policy.

Right to Request Deletion of Personal Information: CA Users have the right to request that we delete the personal information we maintain about them, subject to certain exceptions, detailed above in this Privacy Policy.

Right to Opt Out of the Sale or Sharing of Personal Information: CA Users have the right to opt out of a business's sale or sharing of their personal information. CA Users can find details above explaining how to submit a request to opt out of the sale or sharing of their personal information. We do not knowingly sell or share the personal information of persons under 18 without express written or otherwise verifiable consent, nor do we knowingly sell or share the personal information of persons under 13.

Right of No Retaliation for Exercising Privacy Rights: eni will not retaliate or discriminate against CA Users for exercising their rights under the CCPA or other applicable privacy laws. We will not engage in any of the following based on a CA User's exercise of their rights under the CCPA:

• Deny the CA User goods or services;
• Charge the CA User different prices or rates for goods or services, including through discounts or other benefits or imposing penalties;
• Provide the CA User with a different level or quality of goods or services;
• Suggest the CA User may receive a different price or rate for goods or services or a different level or quality of goods or services; or
• Retaliate against an employee, applicant, or independent contractor who exercises their rights under the CCPA.

How to Request Access, Deletion, or Correction:
CA Users may submit a request to access, delete, or correct their personal information by emailing us at DPO@eniweb.com. Please reference above for more details.

Designating an Authorized Agent to Submit Privacy Requests:
CA Users have the right to appoint an authorized agent to submit requests to access, delete, or correct their personal information. If you decide to submit a privacy request through an authorized agent, we may require that you provide the agent with written permission to do so and that the agent verify their own identity with us. If an agent submits your privacy request without proof that they have been authorized by you to act on your behalf, we may deny the request.

"Shine the Light" Law:
Under California Civil Code Section 1798.83, CA Users have the right to request a business to provide them with a list of certain categories of personal information that the business has disclosed to third parties for the direct marketing purposes of the third parties during the preceding calendar year and a list of the identity of those third parties.

However, the law does not require a business to provide the lists mentioned above if the business adopts and discloses to the public, in its privacy policy, a policy of not disclosing CA User's personal information to third parties for direct marketing purposes unless the business provides users a mechanism to opt out of having their personal information disclosed to third parties for direct marketing purposes. As such, a business may comply with California law by notifying CA Users of their right to prevent disclosure of personal information and providing a cost-free means to exercise the right.

By providing CA Users with such a mechanism, we are not required to maintain or disclose a list of third parties that received your personal information for direct marketing purposes. If you wish to opt out of sharing your personal information with third parties for direct marketing purposes, please email us at DPO@eniweb.com with "Opt Out" in your request's subject line or body.

Data collected from AI or LLM-driven features will comply with applicable CCPA regulations, ensuring transparency and user rights are maintained.

Important Notice About AI or LLM Usage

Using AI or LLM-driven features indicates your understanding and acceptance of the following:

• AI or LLM systems may occasionally produce incorrect or incomplete information ("hallucinations").
• For critical or health-related decisions, consult a qualified professional and do not rely solely on AI or LLM-generated feedback.

By continuing to use our services, you agree to the terms of this Privacy Policy, including provisions specific to AI or LLM-driven features and data usage.

For questions or concerns, contact:

Employee Network Inc.
1040 Vestal Parkway East
Vestal, NY 13850
Attn: DPO
Phone: 1-800-327-2255
Email: DPO@eniweb.com