Privacy Notice

1. SCOPE

This Privacy Notice applies to all Buoy users (whether registered or not), to all Buoy platforms and services, including our websites, product features, and other services (collectively, the “Buoy Services” or “Services”), and to our practices for collecting, using, and sharing the Personal Information you provide to us in using the Buoy Services. In this Privacy Notice, the term “you” or “your” refers to the individual who uses the Buoy Services.

By accessing or using the Buoy Services, or providing information to us in connection with them, you agree to the terms and conditions of the most recent version of this Privacy Notice. Your use of the Buoy Services is also subject to our Terms of Use.

When you access our Services through your employer, health plan, health care provider, or another entity or platform that participates in one of Buoy’s enterprise programs (“Enterprise Program”), Buoy may qualify as a “Business Associate” (as defined by 45 C.F.R. 160.103) under the Health Insurance Portability and Accountability Act of 1996 as amended (“HIPAA”). In these cases, the data that the "Covered Entity" (as defined by 45 C.F.R. 160.103) provides to Buoy about you or the data that we collect from you on behalf of the Covered Entity are also subject to specific terms and conditions under a Business Associate Agreement, as required by HIPAA. Buoy considers such terms and conditions to be part of the Supplemental Terms (as defined below) associated with Buoy's relationship with the corresponding Enterprise Program.

2. THE INFORMATION YOU SHARE WITH US

When you choose to share information with us, we collect and use it to operate the Services. We require certain information to provide you with our Services and any relevant content tailored to you. This information is listed below.

In some cases when you use the Buoy Services, we may ask you for Personal Information. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include any of the types of information listed below.

• Identifiers, Contact Information and Demographic Data. When you use the Buoy Services or set up an account, we may ask you for any information that we may use to identify or contact you, such as your name, age, gender, zip code, telephone number, email address, or username. You may use our Services whether or not you register a user account (your registered account, an “Account”). We may combine your Personal Information with other information you submit to provide you with a better experience and to improve the quality of our Services. In some cases, your Health Information, Employment Information, and/or Health Plan Information may be linked to your account for your convenience to prevent repeat entry and allow you to document your usage of the Services. We also may provide the Services to you without collecting or combining such information. We may also contact you regarding updates about our Services, including relevant changes to this Privacy Notice.
  
• Health Information. As you use the Buoy Services, we may collect Health Information that you provide to us. “Health Information” means any information related to your health, such as symptoms you have identified, your past medical history, and medical testing results that you report to us.
  
• Employment Information. When you use the Buoy Services, we may ask you for Employment Information. “Employment Information” means any information that we may use to identify you relative to your employer, such as your occupation, employer’s name, or workplace location.
  
• Health Plan Information. As you use the Buoy Services, we may ask you for Health Plan Information. “Health Plan Information” means any information that we may use to identify you relative to your health plan or pharmacy benefits plan, such as the name of your health plan, the type of health plan coverage you have, or any identification numbers associated with your health benefits coverage.
  
• Household Information. For some of our Services, we may ask you for information about you or the other people in your household (“Household Information”). Household Information may include whether you, or people in your household, use public transportation, are at higher risk for severe illness, or have been exposed to certain communicable diseases, like COVID-19.

Ratings and Feedback. When you rate or submit feedback about your experience with the Buoy Services, we collect all of the information you provide in your ratings and feedback.

User Stories. In some cases, we may ask you to share a recent illness and/or treatment experience (your “User Story”) with us, so that we may share your experience with others via the Services. We ask that you provide us with your name and email address with your User Story. Your User Story will only be published if it meets the requirements included in our Terms of Use. We are not obligated to publish nor are we required to respond to any User Story we receive. If we publish your User Story, we will not display it with any identifiable information, including your name and email address. We collect your name and email address for record-keeping purposes and in case we may need to contact you in the future. Please do not submit any sensitive information to us in your User Story.

Log Data and Cookies. In order to improve the usefulness of the Buoy Services, our servers automatically collect information from when you view our website or otherwise interact with our Services (“Log Data”), including search terms, IP address, browser type, browser language, the date and time of your request, and authentication. In addition, we use third-party analytics service providers to monitor and analyze traffic to our Services. You can find more information about how we use these third-party analytics services in our Cookie Policy.

Communicating with Us. When you send email or other communications to Buoy, such as user support inquiries, we may retain those communications in order to process your inquiries, respond, and improve our services. We may use your email address to communicate with you about our services.

3. INFORMATION WE COLLECT FROM THIRD PARTIES

Third parties may provide us with information needed to provide you with the Buoy Services. This information is listed below.

Location Information. When you use the Buoy Services, we may use a third party to collect location information about you by sharing your IP address with that third party. “Location Information” may include your location at the time you access the Buoy Services.

On Behalf of Someone Else. If you use our Services on behalf of someone else, such as a friend or family member, we may collect information about you and that someone else, including the name, age, and gender of you and that someone else.

Other Users and Sources. Other users or public or third-party sources such as law enforcement may provide us with information about you, such as part of an investigation into an incident or to provide you support.

Enterprise Programs. If you use our Services through one of Buoy’s Enterprise Programs, Buoy may collect information about you from the entity that sponsors the Enterprise Program (the “Sponsoring Entity”), including your name and contact information. The information we collect from you may be subject to additional terms and conditions set forth between Buoy and your Sponsoring Entity (the “Supplemental Terms”), and any applicable Supplemental Terms are hereby incorporated by reference. For more information about the Supplemental Terms that may govern your use of our Services through an Enterprise Program, please contact your Sponsoring Entity.

4. HOW WE PROTECT THE INFORMATION WE COLLECT

Buoy strives to use reasonable physical, technical, and administrative safeguards (such as firewalls, encryption, identity management, and intrusion prevention and detection) to protect the information you share with us, but no data transmission over the Internet or data storage system is guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your Buoy account might have been compromised), please contact us immediately in accordance with the “Contact Us” section in this Privacy Notice.

We retain your Personal Information for as long as necessary to provide you with the Buoy Services, and as otherwise required by law. This means that we keep your information for as long as you maintain an Account or until we process a request by you to delete your Personal Information (see the “Deleting Your Account” section below), whichever is sooner. In those cases where you have not created an Account, we keep your information for as long as necessary to provide you with the Buoy Services. We may retain Non-Personal Information for as long as we choose to do so.

We retain transactional information, such as contracts related to our enterprise programs, payments, and user support emails, for at least six years to ensure that we can perform legitimate business functions, such as accounting for tax obligations or audits for security purposes.

5. HOW WE USE YOUR INFORMATION

We use your Personal Information to:

• Provide the Buoy Services;
• Maintain the safety and security of the Buoy Services;
• Provide customer support;
• Improve the Buoy Services; and
• Respond to legal obligations.

We may also de-identify and/or aggregate your Personal Information such that it no longer constitutes Personal Information. See the “Non-Personal Information” section of this Privacy Notice for more information.

Providing the Buoy Services. We use your Personal Information to provide a unique experience to you with our Services. To do this, we may use your Personal Information to:

• Verify your identity and maintain your Account, settings, and preferences;
• Connect you to more relevant Buoy Services;
• Communicate with you about the Buoy Services and your experience;
• Collect feedback regarding your experience; and
• Connect you to additional services and programs provided by third parties, such as health care providers and other services, to the extent permitted by law and this Privacy Notice.

Maintaining the Safety and Security of the Buoy Services. Providing you the Buoy Services safely and securely is important to us. To do this, we may use your Personal Information to:

• Authenticate users;
• Investigate and resolve incidents;
• Respond to user support requests;
• Detect, address, and prevent fraud or security or technical issues; and
• Block and remove unsafe or fraudulent users from the Buoy Services.

Providing Customer Support. We want to provide you with the best experience possible, including support and information when you need it. To do this, we may use your Personal Information to:

• Provide you support or respond to you;
• Personalize and provide content, experiences, and communications to inform you about our Services; and
• Investigate and assist you in resolving questions or issues you have regarding the Buoy Services.

Improving the Buoy Services. We are always working to improve your experience and provide you with new and helpful features. To do this, we may use your Personal Information to:

• Perform research, testing, and analysis;
• Prevent, find, and address software bugs and issues; and
• Monitor and improve our operations and processes, including security practices, algorithms, and other models.

Responding to Legal Obligations. In some cases, laws, government entities, or other regulatory bodies may impose obligations on us with respect to the services we seek to provide you. In these cases, we may use your Personal Information as reasonably required to respond to those obligations.

6. HOW WE SHARE THE INFORMATION WE COLLECT

We do not sell your Personal Information or share your Personal Information without your consent if such consent is required under the law. To operate the Buoy Services, we may need to share your Personal Information with other users and third parties, for legal reasons, in connection with a sale or merger, or upon your further direction. This section explains when and why we share your information.

Other Users. We only share your information with other users of the Buoy Services when you permit us to do so, such as when you submit a User Story or if you refer someone to the Buoy Services. When you refer someone to the Buoy Services, we may let them know that you generated the referral. If another user referred you, we may share information about your use of the Buoy Services with that user, where permitted by law. For example, we may notify them when you create an Account.

Third Parties. You may share certain Personal Information with third parties to access the Third-Party Services (as defined in our Terms of Use). In that case, Buoy is not involved in the collection, storage, or maintenance of your Personal Information. In some instances, we may share the following categories of your Personal Information to third parties to provide you with the Third-Party Services (as defined below), our Services, or to support our business operations:

• Identifiers, contact information and demographic data, including name, age, gender, zip code, telephone number, or email address;
• Health Information, including symptoms you have identified and your past medical history;
• Employment Information, including your employer’s name, the name of your health plan, or the type of health plan coverage you have; and
• IP address.

We only share this information with third parties to:

• Maintain and service your Account;
• Provide you with user support;
• Enable you to receive Third-Party Services you choose to access;
• Verify your identity;
• Detect, address, and prevent fraud or security or technical issues;
• Provide analytics services to Buoy;
• Promote workplace health and safety, and document clearance to return to a workplace during the COVID-19 pandemic if the third-party is your employer;
• Evaluate the Services; and
• Provide support and assist with care coordination, if to your health plan or pharmacy benefits plan.

With appropriate consent when required, we may connect you to certain third parties whose healthcare or wellness services you choose to access. When we do so, we may share with those third parties your relevant Personal Information, including your identifiers, contact information, demographic data, Health Information, Employment Information, and IP address.

Buoy cannot guarantee that any third party will protect the privacy of your Personal Information under any circumstance. Your Personal Information provided to third parties will be governed by their privacy policies. Buoy will protect the privacy of your Personal Information in Buoy’s possession in accordance with this Privacy Notice.

For Legal Reasons. We may share your Personal Information in response to a legal obligation or demand, or if we have determined that sharing your Personal Information is reasonably necessary or appropriate to:

• Satisfy any applicable law, regulation, legal process, or enforceable government request;
• Enforce our Terms of Use, including investigation of any potential violations thereof; and
• Exercise or defend legal claims or protect against harm to the rights, property, or safety of Buoy, its users, or the public as required or permitted by law.

In Connection with a Sale or Merger. We may share your Personal Information in relation to a change of corporate control, such as a restructuring, merger, transfer, or sale of our assets.

Upon Your Further Direction. Upon your direction, we may share your Personal Information in other instances. Unless you permit us to do so, or unless the Service is an essential component to evaluating whether it is safe for you to return to your workplace during the COVID-19 pandemic, we do not share your Health Information with your Sponsoring Entity (or your spouse’s or parent’s Sponsoring Entity if you receive access to the Buoy Services through them).

7. YOUR RIGHTS REGARDING YOUR INFORMATION

Buoy enables you to access, control, and delete your Personal Information. This section explains the ways you may exercise these rights.

A. All Users in the United States

The information below applies to all users of the Buoy Services in the United States:

Email Subscriptions. You can always unsubscribe from our commercial or promotional emails by clicking the “unsubscribe” button in those messages. We may continue to send you emails about your use of the Buoy Services.

Text Messages. If you opt-in through our website to receive text messages, the Buoy Services may include sending you text messages with regard to your health and symptoms. You can opt out of receiving text messages from Buoy by texting the word STOP to us at any time from the mobile device receiving the messages. To re-enable text messages you can text the word UNSTOP to us in response to an unsubscribe confirmation text message.

User Profile. You can add, remove, and edit certain information you have added to your user profile. To do this, log in to your Account, then navigate to your account settings.

Location Information. You can enable and prevent your device from sharing your Location Information through your device’s system settings. By doing this, you may impact our ability to provide you with our full range of features and services.

Cookies. You can modify your cookie settings in your web browser. By deleting or rejecting our cookies, you may miss out on certain features of the Buoy Services. You can read more information about cookies in our Cookie Policy.

Enterprise Programs. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of your Sponsoring Entity. In some cases, Buoy may not be able to respond to your access, control, or deletion request unless permitted to do so by your Sponsoring Entity. For more information, please contact the entity that sponsors your access to the Buoy Services.

Deleting Your Account. If you would like to delete your Buoy Account, please contact privacy@buoyhealth.com. In your email, please provide your full name, email address, the name of your Sponsoring Entity if applicable (such as your employer's name), and the reason you are contacting us, so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request. In some cases, we will be unable to delete your Account, such as if there is an issue with your Account related to trust, safety, or fraud. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of your Sponsoring Entity to ultimately instruct us to process or deny your request. When we delete your Account, we may retain certain information for legitimate business purposes or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes and in compliance with applicable law.

B. Rights in Certain Jurisdictions

You may have certain rights with respect to Personal Information that we have collected and used if you reside in certain states. :In cases where Buoy provides Services as part of an Enterprise Program, Buoy shall be deemed a “Service Provider” or “Processor” under the applicable state laws, and, as a result, Buoy will work with your Sponsoring Entity to respond to a request made under this section. In cases where the Services are subject to a Business Associate Agreement under HIPAA, the state laws shall not apply.

Right to Know. If you reside in California and Virginia, you have the right to know and see what Personal Information we have collected about you, including:

• The categories of Personal Information we have collected about you;
• The categories of sources from which the Personal Information is collected;
• The business or commercial purpose for collecting your Personal Information;
• The categories of third parties with whom we have shared your Personal Information; and
• The specific pieces of Personal Information we have collected about you.

Right to Access and Receive your Personal Information.  If you reside in California and Virginia, you have the right to request that we provide a portable copy of your Personal Information we collect, use, and disclose. You can request a listing of the types and sources of Personal Information we have collected about you and how we use the information (e.g., our business or commercial purposes for collecting or selling personal information), other individuals and businesses with whom we share Personal Information.

Right to Correct Personal Information.  If you reside in California and Virginia, you have the right to request a correction of any inaccurate Personal Information, and we will use commercially reasonable efforts to correct this information, taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information.

Right to Delete. You have the right to request that we delete the Personal Information we have collected from you (and direct our service providers to do the same). There are a number of exceptions, however, that include, but are not limited to, if we cannot verify your identity, or when the information is necessary for us or a third party to do any of the following:

• Complete your transaction;
• Provide you with the Services;
• Perform a contract between us and you;
• Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and prosecute those responsible for such activities;
• Fix our system in the case of a bug;
• Protect the free speech rights, including such rights belonging to you or other users, or exercise another right provided by law;
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interests that adheres to all other applicable ethics and privacy laws;
• Comply with a legal obligation; or
• Make other internal and lawful uses of the information that are compatible with the context in which you provided it.

Right to Opt-Out of Cross-Context Behavioral Advertising of Personal Information. California residents have a right to direct businesses not to sell or share their Personal Information. Virginia residents have the right to direct businesses not to process their personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

We do not sell your Personal Information. However, when you visit our websites, we may share information about your use of our website with our advertising and analytics partners. You can opt out of sharing or using your Personal Information for the purposes of targeted advertising, by interacting with the cookie banner that appears at the bottom of our website the first time you come to the website or the “Cookies” link that appears in the footer of our websites. You can also opt back into these cookies through the same link.

Right to Limit the Use or Disclosure of Sensitive Personal Information. California Residents have a right to limit the use or disclosure of sensitive Personal Information, including one’s precise geolocation, by us.

Right to Appeal. We may deny your request if we cannot verify your identity or due to other unusual circumstances, which will be explained in our rejection notice. If you reside in Virginia, you have a right to appeal if your privacy rights-related request is denied in whole or in part.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate against any consumer for exercising their rights under the California Privacy Rights Act.

Virginia Consumer Data Protection Act De-identified Data Disclosure. We may use de-identified data in some instances. We either maintain such data without attempting to re-identify it or treat such data as personal data subject to applicable law.

Exercising these Rights. To exercise your data privacy rights as set forth above, please contact privacy@buoyhealth.com. In your email, please provide your full name, email address, the name of your Sponsoring Entity if applicable (such as your employer’s name), and the reason you are contacting us, so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request. Certain state residents may designate an authorized agent to make a request on your behalf. To verify that an authorized agent has authority to act for you, we may require a copy of a power of attorney or require that you provide the authorized agent with written permission and verify your own identity with us.

In some cases, we will be unable to delete your Account, such as if there is an issue with your Account related to trust, safety, or fraud. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of your Sponsoring Entity to ultimately instruct us to process or deny your request. When we delete your Account, we may retain certain information for legitimate business purposes or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes and in compliance with applicable law.

Response Time. We aim to respond to a request for access or deletion within 45 days of receiving a verifiable request. If we require more time, we will inform you of the reason and extension period in writing.

Do Not Track. Your web browser may offer you a “Do Not Track” option, which allows you to signal to website operators and web applications and services that you do not want them to track your online activities. The Buoy Services do not support Do Not Track requests at this time.

8. CHILDREN UNDER AGE 13

Our Services are not directed to children, and we do not knowingly collect Personal Information from children under age 13. If we discover that a child under age 13 has given us Personal Information without parental consent, we will take steps to delete that information. Where deletion is not possible, we will take steps to de-identify that information. If you believe that a child under age 13 has given us Personal Information, please contact us in accordance with the “Contact Us” section in this Privacy Notice.

9. NON-PERSONAL INFORMATION

We may de-identify and/or aggregate your Personal Information such that it no longer may be associated with you or identify you individually, consistent with applicable law (this de-identified and/or aggregated information, “Non-Personal Information”). We may use this Non-Personal Information for our business purposes, including but not limited to service improvements, product development and analytics, machine learning, predictive analytics, business operations, and auditing purposes. We also may share this Non-Personal Information with third parties. For example, we may share the total number of times people engaged with the Buoy Services in a particular month or the most common symptoms that are experienced by users who reside in a particular city.

10. JURISDICTION

Buoy is controlled and offered by us from the United States; accordingly, this Privacy Notice, and our collection, use and disclosure of your Personal Information, is governed by U.S. law, and not by the laws of any country, territory or jurisdiction other than the United States. We do not represent or warrant that the Buoy Services or any functionality or feature thereof is appropriate or available for use in any particular jurisdiction. If you choose to access or use the Buoy Services, you do so on your own initiative and at your own risk, and you are responsible for complying with all applicable laws, rules and regulations.

11. LINKS TO THIRD PARTY CONTENT AND WEBSITES

The Buoy Services may contain third-party content, materials, information, or links to services or websites (collectively, the “Third-Party Services” or, individually, the “Third-Party Service”) in accordance with our Terms of Use. For information about how we may share your information to facilitate your access to these Third-Party Services, please see the “How We Share the Information We Collect” section.

12. CHANGES TO THIS PRIVACY NOTICE

We may change this Privacy Notice from time to time to accurately reflect our Services and policies. When changes are made, we will make the new Privacy Notice available on the Buoy website and update the date upon which the related terms and conditions are effective (the “Effective Date”). If we make material changes to this Privacy Notice, as determined in our sole discretion, we may notify you of these changes (for example, through our Services or via email if you have provided your email address to us). If you do not agree to the changes after receiving notice of such changes, you should stop using our Services. Otherwise, your continued usage of the Services will mean you accept those changes. Please regularly check the Buoy website to review the latest version of the Privacy Notice.

13. CONTACT US

If you have any questions about this Privacy Notice, please visit the Buoy Help Center. There you will find answers to frequently asked questions and a way to chat with our user support team directly. Please note that email or text communications are not always secure. When communicating with us, please do not include health information or other sensitive information.

14. JOB APPLICANTS

Are you interested in joining the Buoy crew? If so, visit our Careers page for our current job openings.

When you apply for a job at Buoy, we will ask you to provide us with certain information about yourself so we can evaluate your qualifications for the job (“Application Information”) or other purposes, as described below. In this section, a “Candidate” means any individual who applies for a job at Buoy, and “Application” means any of the materials a Candidate submits to us related to a job opening. Candidates choose how much Application Information to provide Buoy. All Application Information provided is on a voluntary basis.

Types of Application Information. We may collect any of the Application Information below. Candidates may provide us with additional information that we have not specifically requested (such as information about hobbies or other interests).

• Contact details, such as the Candidate’s name, address, email address, and other contact information provided on a resume or CV;
• Background information, such as work history and education history;
• Previous work materials, such as a writing sample; and
• Additional information, as described below.

We may collect additional information from the Candidate depending on the job, such as the Candidate’s response to a prompt or other materials used to evaluate skills relevant to the job. Later in the recruitment process we may request additional information from the Candidate, for example to contact references or perform a background check.

From time to time, we may obtain information about a Candidate from public sources or third parties. For example, we may collect public information about a Candidate from social media sites, such as LinkedIn.

How We Use Application Information. We use Application Information for the following purposes:

• Recruitment and evaluation for the job that the Candidate has applied for or other employment opportunities at Buoy (unless the Candidate has told us they do not want to be considered for other employment opportunities at Buoy);
• Communications with the Candidate about their application status;
• Application analysis, such as a background check or reference check;
• General HR administration and management, if the Candidate is hired;
• Verification, such as a reference check conducted by Buoy or background check conducted by a third party; and
• Compliance with corporate governance and legal requirements.

Buoy does not use any automated decision making systems in connection with the Applications that we receive.

How Long We Retain Application Information. Buoy retains all Application Information in our system indefinitely, unless the Candidate tells us not to or applicable law prevents us from doing so. If you want us to remove your Application Information from our system, please contact privacy@buoyhealth.com. In your email, please provide your full name, email address, and the job to which you applied so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request.

How We Share Application Information. We may share Application Information with third parties to help us collect, store, and manage Application Information as part of our recruitment process or to conduct background checks on our behalf. In addition, we may share Application Information as necessary to comply with our legal obligations (such as responding to a lawful government request), to establish, exercise or defend our legal rights, or where we have otherwise obtained your consent. We will always seek to ensure that any third parties who handle your Application Information will do so in a manner consistent with this Privacy Notice and applicable law.

In addition to this section, the “Jurisdiction,” “Changes to this Privacy Notice,” and “Contact Us” sections elsewhere in this Privacy Notice apply to Candidates.