Privacy Policy and Cookie Notice

1. Information We Collect

Depending on how you use Snug, we may collect the following categories of information:

• Identifiers and contact information: name, email, phone number, address, account identifiers, invite tokens, user IDs, IP address, device identifiers, and similar information.
• Account and authentication information: login credentials, role, employer, organization, session context, cookie data, access logs, and account status.
• Employer and business information: legal name, DBA, EIN, business type, address, company size, admin contacts, benefits setup status, employee classes, plan year, carrier choices, and benefit configuration.
• Employee and dependent information: first and last name, date of birth, address, email, phone, gender, tobacco status, employment type, pay type, pay frequency, start or end dates, income, dependent relationship, dependent age, and related eligibility details.
• Benefits, insurance, and plan information: ICHRA allowances, marketplace plan search inputs, provider names, medication names, health-use preferences, inferred utilization signals, plan selections, voluntary insurance elections, coverage tiers, policy and certificate numbers, premiums, payroll deductions, carrier documents, and certificates of insurance.
• Financial and payroll information: employer and employee contribution amounts, per-paycheck deductions, payroll schedules, reimbursement or deduction files, tax-savings estimates, payment status, invoices, billing details, and transaction metadata.
• Documents, signatures, and audit records: generated plan documents, Section 125 cafeteria plan records, ICHRA documents, acknowledgments, signatures, timestamps, IP addresses, user agents, and audit logs.
• Communications and AI content: emails, calls, texts, chat messages, AI conversations, support requests, call or message metadata, feedback, transcripts where available, and records needed to provide service or comply with law.
• Website, app, and device information: browser type, operating system, URLs, referring pages, pages viewed, timestamps, clicks, preferences, sessionStorage, localStorage, cookies, pixels, web beacons, embedded scripts, and analytics or advertising identifiers.

2. Sources of Information

We collect information directly from you, from employers and organization administrators, from employees or authorized users, from parents or guardians for dependents, and from your interactions with the Services.

We may also receive information from insurance carriers, benefit providers, HealthCare.gov, CMS, state marketplaces, enhanced direct enrollment partners, payroll and HR systems, payment processors, banks, brokers, licensed agents, communications providers, analytics or advertising partners, AI vendors, cloud providers, support tools, compliance vendors, public sources, and other third parties that help us provide the Services.

3. How We Use Information

We use information to:

• Provide, operate, maintain, secure, and improve the Services.
• Register accounts, authenticate sessions, manage roles, and prevent unauthorized access.
• Help employers design, implement, document, and administer ICHRAs and Section 125 cafeteria plans.
• Act as a licensed insurance agency or broker, including quoting, explaining, recommending, applying for, enrolling in, and servicing insurance products.
• Support voluntary and worksite benefits, including accident, critical illness, cancer, hospital indemnity, dental, vision, life/AD&D, short-term disability, and long-term disability products.
• Compare marketplace plans, estimate costs, check provider or medication data, help with plan selection, and support enrollment assistance.
• Generate documents, record signatures, create reports, support payroll deductions, process reimbursement or deduction workflows, and maintain benefit records.
• Communicate by email, phone, voice call, SMS/text, messaging app, in-app message, mail, or other channels about account setup, employee invites, benefits onboarding, enrollment, broker support, carrier follow-up, payroll support, documents, renewals, compliance, troubleshooting, and support.
• Provide AI features, personalize recommendations, summarize information, answer questions, route support, monitor quality, and improve safety.
• Send marketing or promotional communications where permitted, measure campaign effectiveness, and show relevant advertising, subject to your choices and applicable law.
• Comply with legal, regulatory, insurance, tax, audit, accounting, security, and contractual obligations.
• Create aggregated, deidentified, or statistical information.

4. Calls, Emails, Texts, and Service Communications

By providing contact information or using the Services, you authorize Snug and its service providers to contact you by email, phone, voice call, SMS/text, messaging apps, in-app messages, and similar channels for service-related purposes. These communications may include account setup, identity or session support, employer onboarding, employee invites, enrollment help, plan comparison, broker support, carrier or application follow-up, payroll or deduction support, document reminders, compliance notices, renewal reminders, troubleshooting, and support.

Service communications may be automated or prerecorded where permitted. Message and data rates may apply, and message frequency varies. You may opt out of promotional texts by replying STOP. Opting out of certain calls, texts, or emails may limit our ability to provide parts of the Services, and we may still send transactional, account, legal, or service communications where permitted by law.

5. How We Share Information

We share or transmit information when needed to provide, support, secure, improve, market, or comply with the Services. This may include sharing personal information, sensitive information, and benefits data with:

• Employers and plan sponsors for benefit administration, eligibility, payroll, plan setup, reporting, enrollment, and support.
• Insurance carriers and benefit providers such as Aflac, Colonial Life, MetLife, Unum, Allstate Benefits, Guardian, Voya, and similar partners for quotes, applications, underwriting, enrollment, policy servicing, premiums, certificates, and claims-related support.
• Marketplaces and health plan partners including HealthCare.gov, CMS, state marketplaces, enhanced direct enrollment partners, plan-data providers, and carriers.
• Payroll, HR, accounting, banking, and payment providers for roster sync, deductions, reimbursements, premium processing, billing, reporting, and payment operations.
• Communications vendors for email, SMS/text, phone, voice, messaging apps, call recording, support, deliverability, and opt-out management.
• Technology and service providers including cloud hosting, database, security, monitoring, logging, analytics, AI, data-processing, customer support, and document vendors.
• Licensed agents, broker partners, and compliance vendors that help provide insurance, benefits, enrollment, and regulatory support.
• Professional advisers, regulators, law enforcement, courts, auditors, and transaction parties where required, permitted, or reasonably necessary.

We require service providers to use information only for authorized purposes and under appropriate confidentiality, privacy, and security obligations. Third-party services may also process information under their own terms and privacy policies.

6. AI and Automated Processing

Snug may use AI and automated systems to explain benefits, compare plans, rank options, generate recommendations, classify or summarize information, render user interface elements, draft documents or summaries, route support, and monitor quality and safety.

AI features may process account information, employer data, employee profile details, plan data, provider or medication names, health-adjacent preferences, conversation content, page context, and technical metadata. Snug's AI Policy Terms provide additional detail and are incorporated into this Policy.

7. Cookies and Tracking Technologies

We and our partners may use cookies, pixels, web beacons, embedded scripts, SDKs, localStorage, sessionStorage, device identifiers, and similar technologies.

• Essential cookies and storage: used for login, authentication, fraud prevention, security, routing, load balancing, and remembering session state. For example, Snug uses an httpOnly `snug_session` cookie for account sessions.
• Functional storage: used to remember preferences or temporary workflow progress, such as employee onboarding or plan-search state stored in sessionStorage.
• Analytics cookies: used to understand website and app usage, measure performance, diagnose issues, and improve the Services.
• Advertising and retargeting cookies: used to measure marketing, understand campaign performance, and show relevant ads where permitted.

You can control cookies through browser or device settings. Some browsers support Global Privacy Control or similar signals, which we will honor where legally required and technically feasible. You may also use industry opt-out tools such as the Network Advertising Initiative, Digital Advertising Alliance, and browser-level controls. Blocking essential cookies may prevent parts of the Services from working.

8. Targeted Advertising, Sale, and Sharing

Snug does not sell personal information for money. We may share website or device identifiers with analytics or advertising partners for targeted advertising, cross-context behavioral advertising, or campaign measurement where permitted by law and subject to your privacy choices.

We do not use health, medication, plan-selection, payroll, benefits-election, claims-adjacent, or similarly sensitive benefits data for targeted advertising. We may use aggregated or deidentified information and general website interaction data for marketing, measurement, and product improvement.

9. HIPAA and Sensitive Information

Some benefits or health plan workflows may involve information that is sensitive or regulated. HIPAA, business associate, and protected health information obligations apply only where legally required or expressly agreed in a signed business associate agreement or similar written agreement. Information that is not governed by HIPAA may still be protected by this Policy, other privacy laws, contracts, and Snug's security practices.

You should not submit Social Security numbers, full bank account numbers, payment card numbers, government IDs, passwords, or other unnecessary sensitive identifiers unless Snug specifically requests them through a secure workflow.

10. California and U.S. State Privacy Rights

Depending on where you live, you may have rights under California law and other U.S. state privacy laws. These rights may include the right to know or access personal information, receive a portable copy, correct inaccurate information, delete information, opt out of sale, sharing, targeted advertising, or certain profiling, limit certain uses of sensitive personal information, appeal a rights decision, and use an authorized agent.

We will not discriminate against you for exercising applicable privacy rights. To make a privacy request, contact Snug through the support channels available in the Services. We may need to verify your identity and authority before fulfilling a request. Certain information may be exempt from deletion or access because of insurance, benefits, legal, security, fraud-prevention, accounting, audit, or operational obligations.

California Notice at Collection

In the last 12 months, Snug may have collected the categories listed in Section 1 and disclosed them to the categories of recipients listed in Section 5 for the purposes listed in Section 3. Sensitive personal information may include account login information, precise benefits-related health-adjacent inputs, income, dependent information, payroll details, medication names, provider names, plan selections, and benefit elections, depending on how you use the Services.

We retain each category of information for as long as reasonably necessary for the purposes described in this Policy, including service delivery, insurance and benefits records, legal and compliance obligations, audit, security, dispute resolution, accounting, and legitimate business purposes.

11. Employer and Employee Data

Employers may provide employee information to Snug so we can invite employees, determine eligibility, support benefits setup, process elections, administer payroll or deduction workflows, and provide support. Employees may provide additional profile, household, plan-selection, provider, medication, dependent, and benefits information directly.

Employers may receive information needed to sponsor, administer, fund, audit, and report on benefits, such as enrollment status, plan elections, payroll deductions, contribution amounts, document status, and aggregate participation. Snug does not intend to disclose unnecessary health-adjacent details to employers unless needed for the Services, required by law, authorized by the user, or permitted by an applicable plan or agreement.

12. Children and Dependents

The Services are not directed to children under 18. We may process dependent information when provided by an employer, parent, guardian, employee, or authorized user for benefits, eligibility, enrollment, plan comparison, or insurance purposes.

13. Security

We use administrative, technical, and organizational safeguards designed to protect information, including access controls, tenant scoping, secure session cookies, origin checks, logging safeguards, PII scrubbing where appropriate, vendor controls, and monitoring. No system is perfectly secure, and we cannot guarantee absolute security.

14. Retention

We retain information for as long as reasonably necessary to provide the Services, maintain insurance and benefits records, comply with legal and regulatory obligations, resolve disputes, enforce agreements, prevent fraud or misuse, maintain security, support audits, satisfy tax/accounting requirements, improve the Services, and pursue legitimate business purposes.

When information is no longer needed, we may delete it, deidentify it, aggregate it, or retain it as required or permitted by law and applicable agreements.

15. Deidentified and Aggregated Information

We may create deidentified, aggregated, statistical, or anonymized information and use or disclose it for analytics, benchmarking, product improvement, research, reporting, and business purposes. We do not try to reidentify deidentified information except as permitted by law, such as to test whether deidentification works.

16. Changes to This Policy

We may update this Policy from time to time. The updated Policy will be effective when posted unless a later effective date is stated. If we make material changes, we may provide notice through the Services, email, account notice, or another reasonable method.

17. Contact

For questions about this Policy or to exercise privacy rights, contact Snug through the support channels available in the Services.