This Privacy Notice (“Notice”) is designed to help you understand how Advocate Inc., dba Nava Benefits (“Nava”, “we”, “us”, or “our”) collects, uses, and shares your personal information and to help you understand and exercise your privacy rights. This Notice applies to Nava’s processing of personal information including on our website available at www.navabenefits.com (the “Nava Website”), our mobile application (the “Nava App”) and our other online or offline offerings which link to, or are otherwise subject to, this Notice (collectively, the “Services”).
Special Note to Participants of Employer-Sponsored Benefits Programs: If you are a participant in your employer’s benefit offerings (such employer, the “Client”), this Notice does not apply to the processing of protected health information (“PHI”) by the Client as defined by the Health Insurance Portability and Accountability Act of 1996 as amended. This Notice applies only to our collection, use, and disclosure of non-PHI personal information and may be governed by an agreement we have with your Client.
Disclosure Regarding the California Consumer Privacy Act (Notice at Collection). For information on our processing of personal information that is subject to the California Consumer Privacy Act (“CCPA”), please see Annex A – Supplemental CCPA Privacy Notice.
Disclosure Regarding Client Data. This Privacy Notice does not apply to the personal information we process on behalf of our Clients pursuant to a written agreement we have entered into with such Clients (“Client Data”). Our Clients’ respective privacy notices or policies govern their collection and use of Client Data. Our processing of Client Data is governed by the contracts that we have in place with our Clients, not this Privacy Notice. Any questions or requests relating to Client Data should be directed to our Client.
1. UPDATES TO THIS PRIVACY NOTICE
2. PERSONAL INFORMATION WE COLLECT
3. HOW WE USE PERSONAL INFORMATION
4. HOW WE DISCLOSE PERSONAL INFORMATION
5. YOUR PRIVACY CHOICES AND RIGHTS
6. SECURITY OF YOUR INFORMATION
7. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
8. RETENTION OF PERSONAL INFORMATION
9. SUPPLEMENTAL NOTICE FOR NEVADA RESIDENTS
10. CHILDREN’S PERSONAL INFORMATION
11. THIRD-PARTY WEBSITES/APPLICATIONS
12. CONTACT US
ANNEX A — SUPPLEMENTAL U.S. PRIVACY NOTICE
1. Updates to this Privacy Notice
We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website and/or we may also send other communications.
2. Personal information we collect
We collect personal information you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.
A. Information You Provide to Us Directly
We may collect personal information that you provide to us.
- Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, your name, email address, phone number, username and other information you store with your account.
- Payments. If you are an employer, we may collect personal information and details associated with your payment. Any payments made via our Services are processed by third-party payment processors.
- Your Communications with Us. We, and our service providers, may keep a record of the information you choose to communicate to us, such as through email, when you reach out to one of our benefits advocates by filling out the “Contact Us” form on the Nava Website, or via our AI-chat messenger available in the Nava App.
- Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the survey.
- Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages). Any information you provide using the public sharing features of the Services will be considered “public.”
- Sweepstakes or Contests. We may collect personal information you provide for any sweepstakes or contests that we offer. In some jurisdictions, we are required to publicly share information of sweepstakes and contest winners.
- Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events.
- Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.
- Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and CV.
B. Personal Information Collected Automatically
We may collect personal information automatically when you use the Services.
- Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, approximate location derived from IP address and precise geo-location information).
- Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.
- Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags (also known as web beacons) and other online tracking technologies (“Other Technologies”) on the Nava Website to automatically collect personal information through your use of the Nava Website.
About Cookies and Other Technologies
- Cookies are small data files that are placed on your device (computer, phone, tablet) when you visit a website. Cookies store information about your visit and usage patterns, which can help websites recognize you and improve your browsing experience.
- A pixel tag (also known as a web beacon) is a piece of code embedded in the Nava Website that collects personal information about use of or engagement with the Nava Website. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
Types of Cookies We Use
We use different types of cookies for various purposes. Here's a breakdown:
- Essential Cookies: These cookies are strictly necessary for the Nava Website to function properly. They enable basic features like user login, account management, and shopping carts. These cookies typically don't collect personal information and cannot be opted out of.
- Functional Cookies: These cookies help us remember your preferences and settings (e.g., language, region) and personalize your experience.
- Analytical Cookies: These cookies are shared with our service providers to collect anonymous data to help us understand how users interact with the Nava Website. This information helps us understand user behavior and improve website performance.
- Marketing or Advertising Cookies: These cookies track your browsing activity across websites and build a profile of your interests. This information is used to deliver targeted advertising and marketing messages.
Third-Party Cookies and Other Technologies
We may also use third-party cookies and Other Technologies from service providers like analytics companies or advertising partners. These cookies are controlled by the third party and are subject to their own privacy policies.
Your Cookie Preferences
You can manage your cookie preferences through your web browser settings or through our cookie setting tool on the Nava Website. Many browsers allow you to block or delete cookies or Other Technologies altogether, or to receive a notification before a cookie or Other Technology is stored.
The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative and the Digital Advertising Alliance.
Please note:
- Disabling certain cookies may affect your website experience and some functionalities may not work as intended.
- Cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others.
- You must separately opt out in each browser and on each device.
See “Your Privacy Choices and Rights” below to understand your choices regarding cookies and these Other Technologies.
C. Personal Information Collected from Third Parties
We may collect personal information about you from third parties.
- Third-Party Services and Sources. We may obtain information about you from other sources, including through third-party services and organizations. For example, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings. Additionally, we may collect information from publicly available sources, such as publicly available websites or directories.
- Clients or Other Organizations. We may receive your personal information from our Clients or other organizations, such as your employer or healthcare provider, in connection with one or more business purposes, including to make our Services available to you.
3. How we use personal information
We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, and to market our products and Services, as described below.
A. Provide the Services
We use personal information to fulfill our contract with you and provide the Services, such as:
- Managing your information;
- Providing access to certain areas, functionalities, and features of the Services;
- Answering requests for support;
- Sending you SMS messages for purposes of authentication;
- Communicating with you;
- Sharing personal information with third parties as needed to provide the Services;
- Processing your financial information and other payment methods for products and Services purchased;
- Processing applications if you apply for a job we post on our Services; and
- Allowing you to register for events.
B. Administrative Purposes
We use personal information for various administrative purposes, such as:
- Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Carrying out analytics;
- Measuring interest and engagement in the Services;
- Analyzing, improving, upgrading, and/or enhancing the Services through the use of artificial intelligence and other methods;
- Developing new products and services;
- Creating de-identified and/or aggregated information. If we create or receive de-identified information, we will not attempt to reidentify such information, unless permitted by, or required to comply with, applicable laws;
- Ensuring internal quality control and safety;
- Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Notice;
- Debugging to identify and repair errors with the Services;
- Auditing relating to interactions, transactions, and other compliance activities;
- Enforcing our agreements and policies; and
- Carrying out activities that are required to comply with our legal obligations.
C. Marketing and Advertising Our Products and Services
We may use personal information to tailor and provide you with marketing and other content. We may provide you with these materials as permitted by applicable law.
Some of the ways we may market to you include email campaigns, text messages, custom audiences advertising, and “interest-based” or “personalized advertising,” including through cross-device tracking. Some of our marketing activities may be considered a “sale” or “targeted advertising” under applicable privacy laws.
If you have any questions about our marketing practices, you may contact us at any time as set forth in “Contact Us” below.
D. With Your Consent or Direction
We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information, with your consent, or as otherwise directed by you.
4. How we disclose personal information
We disclose personal information to third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.
A. Disclosures to Provide the Services
We may disclose any of the personal information we collect to the categories of third parties described below.
- Service Providers. We may disclose personal information to third-party service providers who use that information to help us provide our Services. This includes, but is not limited to, service providers that provide us with IT support, hosting, payment processing, customer service, quotes and other information for insurance and other services where we act as a broker, banking and legal services, insurance, analytics, marketing services, and related services. In addition, personal information and chat communications may be disclosed to service providers that help provide our chat features within our Nava App.
Some of the service providers we may use include:
- OpenAI. The chat functionality in the Nava App is provided using OpenAI’s application programming interface. As such, OpenAI will receive your de-identified chat prompt information when you use the chat functionality. We ask that you do not share any specific health information, including specific diagnoses or conditions, via the chat channel. OpenAI may only use your chat prompts to provide Nava with the contracted services in accordance with the Terms of Use we have entered into with OpenAI. Neither Nava nor OpenAI will use your prompt chat data to train, develop or improve OpenAI’s services. Nava may use your chat prompt data for quality assurance purposes.
- Google Analytics. For more information, please visit Google Analytics’ Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.
- LinkedIn Analytics. For more information, please visit LinkedIn Analytics’ Privacy Policy. To learn more about how to opt-out of LinkedIn’s use of your information, please click here.
- HubSpot. For more information, please visit HubSpot’s Privacy Policy. To learn more about how to opt-out of HubSpot’s use of your information, please click here.
- Crazy Egg (Session Replay Provider). We use Crazy Egg for session replay analytics, which allows us to record and replay an individual’s interaction with the Services. This helps us understand our user’s experience and how we can improve our Services. For more information about Crazy Egg, please visit: Crazy Egg | Privacy Policy. To learn more about how to opt-out of Crazy Egg’s use of your information, please click here.
- FullStory (Session Replay Provider). We use FullStory for session replay analytics, which allows us to record and replay an individual’s interaction with the Services. This helps us understand our user’s experience and how we can improve our Services. For more information about FullStory, please visit: FullStory Privacy Policy | FullStory. To learn more about how to opt-out of FullStory’s use of your information, please click here.
- Third-Party Services With Whom You Share or Interact. The Services may link to or allow you to interface, interact, share information with, direct us to share information with, access and/or use third-party websites, applications, services, products, and technology (each a “Third-Party Service”).
Any personal information shared with a Third-Party Service will be subject to the Third-Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
- Our Clients (Authorized Users Only). In cases where you use our Services as an authorized user of our Client, that Client may access information associated with your use of the Services including usage data and the contents of the communications and files associated with your account. Your personal information may also be subject to the Client’s privacy policy. We are not responsible for the Client’s processing of your personal information.
- Users of Our Services. If you are a listed vendor in our directory services, we may provide your name, contact information, as well as other business information for users to get in touch with you.
- Business Partners. We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.
Once your personal information is shared with our business partner, it will also be subject to our business partner’s privacy policy. We are not responsible for the processing of personal information by our business partners.
- Affiliates. We may share your personal information with our corporate affiliates.
- Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising”, “personalized advertising”, or “targeted advertising.”
B. Disclosures to Protect Us or Others
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be disclosed, sold, or transferred as part of such a transaction as permitted by law and/or contract.
5. Your privacy choices and rights
Your Privacy Choices. The privacy choices you may have about your personal information are described below.
- Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).
- Text Messages. If you receive an unwanted promotional text message from us, you can reply “STOP” to opt out of receiving future promotional texts. Note that you will continue to receive transaction-related text messages. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).
- Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect precise location-based information via our mobile application. You may opt out of this collection by changing the settings on your mobile device. To request deletion of your account, please contact us using the information set forth in “Contact Us” below.
- Do Not Track signals and Global Privacy Control. Certain web browsers and other programs may transmit “do-not-track” “opt-out” signals, also called a Global Privacy Control (or “GPC”) signal (we refer to these as “GPC Signals”), to websites with which the browser communicates. In most cases you will need to change your web browser’s settings or add an application to your web browser to enable your browser to send a GPC Signal. Our websites will recognize GPC Signals for website users differently, based on the location of the user when they access our websites. For users that access our websites from U.S. states that have laws requiring recognition of GPC Signals, we will recognize and apply the GPC Signal to inactivate all the cookies for that website, except for cookies that are necessary for the website to operate. Additionally, if you are accessing our websites from one of these states, you can determine if your browser GPC Signal has been recognized by clicking on the “Do Not Sell or Share My Personal Information” link in the footer of the website and checking that appropriate cookies have been turned off. For users from states not currently requiring recognition of the GPC Signal, our website servers may recognize and apply the GPC Signal for only advertising and social media cookies but will not apply the GPC Signal to functional or performance cookies. You can always check and adjust your cookie settings via our cookie setting tool on the Nava Website.
Some web browsers incorporate other “do-not-track” (“DNT”) or similar features that signal to websites with which the browser communicates that a visitor does not want to have their online activity tracked. As of the Effective Date, not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, we along with many other digital service operators do not respond to all DNT signals. We recognize GPC signals as required under certain state privacy laws, but we do not currently recognize other DNT signals. For more information about the Global Privacy Control, please visit https://globalprivacycontrol.org.
- Cookies. You may stop or restrict the placement of cookies and Other Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Nava Website may not work properly.
Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others.
The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative, the Digital Advertising Alliance, and the European Digital Advertising Alliance.
Please note you must separately opt out in each browser and on each device.
Your Privacy Rights. To the extent provided by applicable law and subject to permitted exceptions (such as compliance with our legal obligations), you may have the right to:
- Request to Know What Personal Information Is Being Collected;
- Request Access to Your Personal Information;
- Request Correction of Your Personal Information;
- Request Deletion of Your Personal Information;
- Request to Opt-Out of Certain Processing Activities including, as applicable, if we process your personal information for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws), if we “sell” your personal information (as “sell” is defined by applicable privacy laws), or if we engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws).
If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.
Only you, or someone legally authorized to act on your behalf in certain jurisdictions, may make a request to exercise the rights listed above regarding your personal information. If your personal information is subject to a law that allows an authorized agent to act on your behalf in exercising your privacy rights and you wish to designate an authorized agent, please provide written authorization signed by you and your designated agent using the information found in “Contact Us” below and ask us for additional instructions.
To protect your privacy, we will take steps to verify your identity before fulfilling requests submitted under applicable privacy laws. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Examples of our verification process may include asking you to confirm the email address we have associated with you.
Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.
6. Security of your information
We take steps to ensure that your information is treated securely and in accordance with this Notice. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.
By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.
7. International transfers of personal information
All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live.
8. Retention of personal information
We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as necessary to fulfill the purpose(s) for which it was collected, provide the Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
To determine the appropriate retention period for personal information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, certain risk factors, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.
9. Supplemental notice for Nevada residents
If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information. Please note we do not currently sell personal information as sales are defined in Nevada Revised Statutes Chapter 603A. If you have any questions, please contact us as described in “Contact Us” below.
10. Children’s personal information
The Services are not directed to children under 13 (or other age as required by local law outside the United States), and we do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in “Contact Us” below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account if applicable.
11. Third-party websites/applications
The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.
12. Contact us
Nava is committed to addressing your concerns promptly and ensuring that your privacy preferences are respected in accordance with applicable laws and our policies. If you have any questions, concerns, or requests regarding your privacy, including opting out of tracking or requesting the removal of your personal information, please contact us:
Advocate Inc., dba Nava Benefits
228 Park Ave S
PMB 97880
New York, NY 10003-1502
privacy@navabenefits.com
For more information visit http://www.navabenefits.com, or call 1-800-395-4702.