BenefitsInteractive Privacy Policy

1. Introduction

BenefitsInteractive ("BenefitsInteractive", "we", "us", or "our") provides an employee benefits education platform, including web and mobile interfaces, chat-based guidance, and related tools (the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect information about users of the Services.

By using the Services, you agree that we may process your information as described in this Privacy Policy and in our Terms of Use. If you do not agree, you should not use the Services.

2. Scope and Roles

We provide the Services to employers and benefits brokers to help their employees understand their benefits. In many cases, we act as a service provider or processor on behalf of those organizations, which remain responsible for their own privacy and HR practices.

Two different relationships may apply. When you use a BenefitsInteractive account that your employer or broker set up (for example, an employee group portal or broker workbench), we typically process your information as a service provider to that customer, according to our agreement with them and any instructions they provide. When you interact with us directly as a visitor—for example, you request a demo, download a resource from our website, submit a contact form, or sign up for marketing communications before you are a user of a customer deployment—we generally act as an independent business responsible for that contact information under this Privacy Policy, even if we later introduce you to a broker or employer. Your rights for that information are described here and you may contact us using the "Contact us" section below.

This Privacy Policy applies to all individual users of the Services in the United States, including employees, employer administrators, and broker users, and to individuals in the United States who provide information to us through our public website, marketing forms, or similar entry points.

3. Information We Collect

3.1 Information You Provide to Us

When you use the Services, we collect information you choose to provide, such as:

• Name
• Email address
• Phone number
• Employer name or organization
• Any other information you submit through forms, surveys, or support requests

When you interact with our chatbot or learning tools, we collect and process:

• Questions you ask in chat
• Your interactions with learning modules and content
• Feedback you provide about responses or content

3.2 Information We Receive from Your Employer or Broker

Your employer or benefits broker may provide us with information so we can create and manage accounts and configure the Services. This may include:

• Your name and work contact details
• Your role or employment status
• Plan documents and related benefits materials that are used to power the Services

Plan documents and similar materials are ingested into our systems so that our chatbot and learning tools can reference them when answering questions and displaying information.

3.3 Information Collected Automatically

When you use the Services, we automatically collect certain technical and usage information, such as:

• IP address
• Browser type and settings
• Device identifiers and operating system
• Session data, log data, and pages or features you view
• Timestamps and other interaction details

We use cookies and similar technologies to support login, security, preferences, and usage analytics. You can adjust your browser settings to refuse cookies, but this may impact some features of the Services.

3.4 SMS and Communications Data

If you provide a mobile number, we may send SMS messages for purposes such as account verification, sign-in confirmation, and reminders related to your use of the Services. In connection with these messages, we and our SMS provider (currently Twilio) collect information such as your phone number, message content, delivery status, and related metadata.

3.5 Website Leads and Marketing Inquiries

If you are not yet using the Services under an employer or broker deployment, you may still give us information through our public website or campaigns—for example, your name, work email, company, and how you heard about us. We use this information to respond to your request, send follow-up messages about BenefitsInteractive, and, where appropriate, connect you with our team or a partner broker. This processing is described in this Privacy Policy and is not governed solely by your employer's privacy notice, because your employer did not direct that specific submission to us.

If we later qualify you as a sales prospect and store your information in our systems (for example, in a marketing leads database or similar tool), we retain it as described in the Data Retention section and use it for the purposes stated here until you opt out or we delete it consistent with applicable law.

4. How We Use Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Services, including creating and managing user accounts and profiles.
• To deliver chat-based and other educational responses about benefits using our AI tools.
• To send transactional communications, such as verification codes, security alerts, and reminders related to your use of the Services.
• To maintain and improve the Services, including training, testing, and tuning our chatbot and learning tools using de-identified or aggregated chat and usage data where possible.
• To help your employer and their benefits advisors understand how employees use and understand benefit offerings, including by providing aggregated insights that can inform future benefits design and communications.
• In limited cases and where permitted by our agreements, to share examples or themes from employee questions (which may include excerpts of chat content) with your employer or broker to help them evaluate and improve their benefits strategy and materials.
• To monitor and analyze usage, performance, and trends so we can maintain, protect, and improve the Services.
• To detect, investigate, and prevent security incidents, abuse, or violations of our terms.
• To comply with legal obligations and respond to lawful requests.
• To communicate with individuals who contact us through our website or marketing channels about our products, events, and resources, including follow-up email, until they opt out or we no longer have a legitimate need to retain that contact record.

We may aggregate or de-identify information so that it can no longer reasonably be linked to an identified or identifiable individual, and use such data for analytics, research, and product improvement.

5. Legal Bases (Where Applicable)

We currently serve only users in the United States, but we design our practices to be generally consistent with common data protection principles. Where data protection laws require a legal basis for processing, we typically rely on:

• Performance of a contract (providing the Services to you or your employer).
• Our legitimate interests (for example, securing and improving the Services, understanding usage).
• Compliance with legal obligations.
• Your consent, where we expressly request it.

6. How We Share Information

We do not sell personal information. We may share information as described below.

6.1 Service Providers

We use third-party service providers to host, store, and process data and to support communications and analytics. These providers may access personal information solely to perform services on our behalf and are contractually required to protect it.

In particular, we use:

• Supabase to provide data storage, authentication, and related infrastructure.
• Vercel to host our application and run scheduled server-side jobs; Vercel may receive and retain technical and diagnostic logs from our computing environment under its agreements. Those logs could include information such as IP addresses, timestamps, identifiers needed to troubleshoot performance or errors, or other data our application prints when diagnosing failures—we aim to minimize such content and add dedicated error-monitoring subprocessors here if we formally adopt them in production.
• Bunny.net (streaming and CDN) to deliver embedded video and related media assigned in the Services. Playback uses your device's connection to Bunny's network; Bunny may collect technical data required for streaming, security, and its own analytics in line with Bunny's terms and privacy notices. We may also record related engagement signals (such as playback milestones tied to assigned resources) so employers and brokers can administer required education workflows; those records are handled through our hosting environment and your organization's account as described elsewhere in this Privacy Policy.
• Gemini 3.1 Flash-Lite (and related Google AI services) to process chatbot interactions and generate responses.
• Twilio (or a similar provider) to send and receive SMS messages to and from users.
• Resend (or a similar provider) to send transactional email, including verification and sign-in links, account and invitation messages, ERISA-related reminders where applicable, and operational summaries to authorized HR and broker users. Delivery metadata may be retained by the email provider in accordance with their terms and retention practices.

A technical inventory of current outbound email flows is maintained for internal diligence in docs/TRANSACTIONAL_EMAILS.md (engineering reference; not incorporated by reference unless your contract says otherwise).

6.2 Employers and Brokers

Because the Services are provided to employers and benefits brokers, certain information may be available to authorized administrators at those organizations. Depending on how your employer configures the Service, this may include:

• Basic account information (such as name, email, and employer).
• Usage and engagement metrics (such as whether you have accessed certain learning resources or completed required steps).
• In some cases, content you submit, consistent with your employer's internal policies and our agreement with them.

If you have questions about how your employer or broker uses or accesses your information, you should review their privacy policies and internal communications, which we do not control.

We may also provide your employer or broker with aggregated reports and, in some cases, representative chat examples to help them evaluate and improve benefit designs and communications.

6.3 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of all or part of our business, personal information may be transferred as part of that transaction, subject to applicable law.

6.4 Legal and Safety

We may disclose information if we believe in good faith that it is reasonably necessary to:

• Comply with any applicable law, regulation, legal process, or governmental request.
• Protect the rights, property, or safety of BenefitsInteractive, our users, or the public.
• Enforce our agreements and policies.

7. AI, Chatbot, and Plan Document Processing

When you ask questions in our chatbot, we process your inputs together with relevant portions of plan documents provided by your employer to generate responses and educational content. We use AI services (such as Gemini 3.1 Flash-Lite) to perform this processing.

We may analyze chat interactions to:

• Improve the accuracy, clarity, and coverage of our chatbot and learning experiences.
• Identify common issues, questions, and trends across users.
• Provide your employer and their benefits advisors with insights about how employees are engaging with benefits materials and which topics may need clearer communication or changes in plan design.

Where feasible, we use aggregated or de-identified information for these purposes so that it does not identify individual users. In some cases, authorized employer or broker administrators may see specific examples or excerpts of chats, consistent with our agreements with them and their internal policies.

If you have concerns about sharing sensitive personal details, you should avoid including information beyond what is needed to ask your benefits-related question.

8. SMS Communications and Consent

By providing your phone number, you consent to receive SMS messages related to your use of the Services, which may include one-time codes, sign-in confirmations, and reminders. Message and data rates may apply, and message frequency may vary.

You can opt out of non-essential SMS communications at any time by following the instructions in the message (for example, replying STOP) or by contacting us using the information in the "Contact us" section below. We may still send you important transactional or security-related messages where allowed by law.

9. Cookies and Similar Technologies

We use cookies and similar technologies to operate and secure BenefitsInteractive, remember your preferences, and understand how users engage with our features. These technologies help us keep you signed in, protect your account, and analyze usage so we can maintain and improve the platform. We do not use cookies for third-party advertising or cross-site tracking. You can control cookies through your browser settings, but if you disable them some parts of the Service may not function properly.

10. Data Retention

We retain personal information for as long as reasonably necessary to provide the Services to your employer or broker, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. In general, we apply the following guidelines:

• Account, chat, and usage information: We keep personal information associated with your use of the Services for the duration of your employer's or broker's contract with us, unless we are required or permitted by law to keep it longer (for example, to comply with legal, tax, or accounting obligations).
• SMS logs: We retain SMS logs and related metadata for as long as necessary to support the Services for your employer or broker and to comply with legal and operational requirements.
• Transactional email: Our email providers (currently Resend) may retain message payloads and delivery records for their own retention periods. Those periods are governed by the provider's policies and configuration in addition to ours.

After the contract ends, we will delete or de-identify personal information within a reasonable period, subject to any legal obligations to retain certain records. We may keep aggregated or de-identified data for longer periods where it cannot reasonably be used to identify you.

We maintain category-level retention targets in internal policy—for example regarding website leads and marketing inquiries, SMS and transactional email artifacts, utilization and audit logs, and AI-related telemetry—so operations stay aligned with contractual and legal obligations. When we materially update this Notice, we reconcile it with those targets after counsel review.

11. Data Security

We use reasonable technical and organizational measures designed to protect personal information from unauthorized access, use, alteration, and disclosure. These measures include the use of secure hosting providers, encryption for data in transit, and access controls.

However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

12. Your Rights and Choices

Depending on applicable law and our relationship with your employer or broker, you may have the right to:

• Access certain personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of information, subject to our legal and contractual obligations.
• Object to or request restriction of certain processing activities.

You can exercise these rights by contacting us using the details in the "Contact us" section below. In some cases, we may need to direct you to your employer or broker, who controls your information in their role as our customer. If your information relates only to an inquiry you submitted through our website lead or marketing channels, we typically handle requests for that category of information ourselves rather than routing you to an employer who did not collect it.

Your information may be processed through multiple technical systems (such as sign-in services, application databases, file storage for uploads, AI or messaging providers, streaming networks for assigned videos, and diagnostic logs from hosting partners). Fulfilling access or deletion requests therefore may require coordinated steps and reasonable time after we verify your request. We maintain an internal operational checklist for staff to work through these systems consistently; it is summarized for engineering in docs/DSAR_AND_DELETION.md and is not incorporated into this Privacy Policy unless your contract expressly refers to it.

You can also:

• Update some profile information directly within the Services, where this feature is available.
• Manage cookie preferences in your browser.
• Opt out of non-essential SMS or email communications as described above.

13. State-Specific Privacy Rights

Certain U.S. states, including California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, Delaware, Indiana, Iowa, Tennessee, and others, have enacted comprehensive consumer privacy laws that may give their residents additional rights regarding personal information. These rights can include the right to know what personal information we collect, use, and disclose, the right to access and obtain a copy of certain information, the right to request correction or deletion, and the right to opt out of certain types of processing such as targeted advertising, the "sale" or "sharing" of personal information, or certain forms of profiling.

At this time, we do not "sell" personal information or use personal information for cross-context behavioral advertising as those terms are defined in California and similar state laws. If you are a resident of a state with such a law and you wish to exercise any rights available to you, you can contact us using the information in the "Contact us" section below, and we will handle your request in accordance with applicable state law and our role as a service provider to your employer or broker.

14. Children's Privacy

The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without appropriate authorization, we will take steps to delete it.

15. International Data Transfers

The Services are currently intended for users in the United States, and we primarily store and process information in the United States. If we later offer the Services in other regions, we will update this Privacy Policy and implement appropriate safeguards for international data transfers.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date and, where appropriate, by providing additional notice through the Services or by email. Your continued use of the Services after changes become effective means you accept the revised Privacy Policy.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, you can contact us at:

• Email: admin@benefitsinteractive.app
• Postal address: 3415 Maple Ridge Dr., Wood River, IL 62095

We will review and respond to your request in accordance with applicable laws and our agreements with your employer or broker.