GoCo.io Data Security, Privacy, Data Retention and eDiscovery Policy

GoCo.io is committed to protecting the privacy and confidentiality of Authorized User Data that is entered into or extracted from the GoCo Platform. This Data Security, Privacy, Data Retention and eDiscovery Policy (the “Policy”) governs the manner in which GoCo.io receives, collects, uses, maintains and discloses information collected from Authorized User’s use the GoCo Platform. This Policy applies to the GoCo Platform including the associated storage and use of any data.

Your acceptance of the GoCo Service Agreement (“GSA”) between you as a Authorized User and GoCo.io indicates that you have read and have accepted this Policy in its entirety. This Policy is part of, and incorporated by reference in whole within, the GSA. Your acceptance of this Policy is required to use the GoCo Platform. Your acceptance of the GSA between you as Authorized User and GoCo.io and your continued use of the GoCo Platform signifies a continued acceptance to the terms of this Policy by you as Authorized User. If you do not accept this Policy in its entirety, please do not use the GoCo Platform. Additional information relating to these protections is provided below.

DEFINITIONS

“Authorized User” means, in the case of an individual accepting these terms on his or her own behalf, such individual, or, in the case of an individual accepting this Agreement on behalf of a Client, an individual who is authorized by such Client to bind such Client to this Agreement to use the Services, in each case, to whom the Company has allowed access associated with Your user identification and password.

“Client Full Access Administrator” – is an Authorized User who has top level access to manage all aspects of the Clients interaction with the GoCo Platform on behalf of the Client.

“Client” means any company or other entity that has a Company Profile on the GoCo Platform that contains data, documents, policy configurations, workflows, and other information relating to the entity and its Authorized Users.

DATA SECURITY

GoCo.io maintains administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Authorized User Data. We apply state-of-the-art data collection, storage, processing and security tools and practices to protect against unauthorized access, disclosure, alteration, and destruction of Authorized User Data, as well as each Authorized User’s (and all other user’s) username, password, transaction information and data stored on our servers associated with the operation of the GoCo Platform. Unfortunately, however, no data transfer or data storage system can offer complete security from intrusion or attack. Accordingly, GoCo.io cannot ensure, and expressly disclaims any warranty relating to, the security of any information that you transfer or extract using the GoCo Platform. Correspondingly, you as Authorized User are hereby on notice that you provide information and extract information via the GoCo Platform at your own risk. You can read more about our security policy here: https://www.goco.io/security/

PRIVACY

GoCo.io adheres to all privacy laws and regulations regarding the collection, storage and use of Authorized User Data, including all personally identifiable information.

GoCo.io, in relation to the GoCo Platform and associated storage systems, collects both personally identifiable information (e.g., name, address, employee number and/or social security number) as well as non-personally identifiable information (e.g., IP address of the accessing system, information relating to the employer network or home network from which access has occurred, date, time and frequency of access). When you as Authorized User access the GoCo Platform, GoCo.io may transfer a “cookie” file that is stored by your computer hard-drive that is subsequently used to remember that it is likely you that is accessing the GoCo Platform from that computer and includes your user preferences used to set up and facilitate your Authorized User experience. You may restrict your internet browser’s use of cookies, however certain features of GoCo may not function fully or as intended if you decide to do so. By default, most internet browsers accept cookies, but this can be changed. For further details, please consult the help menu in your internet browser.

GoCo.io will not sell, lease, rent or trade any Authorized User Data including any personal identification information to any third party other than to a successor-in-interest of all or a portion of the GoCo.io assets that include the GoCo Platform, including by way of an asset, stock or membership-interest sale, a merger or a corporate reorganization. Such successor shall be bound by the terms and conditions of this Privacy Policy (as well as your applicable GSA).

GoCo.io may share your data with authorized third-parties that have a legitimate processing interest. These third parties may include (but are not limited to) insurance brokers, insurance carriers, payroll companies, and consumer directed benefit administrators.

Your data can be used for several reasons that include but are not limited to:

• Processing enrollment, disenrollments, and changes with insurance carriers and/or consumer directed benefit administrators

• Processing changes in payroll

• Providing and managing your access to the site

• Authorized recordkeeping for your employer

• Communicating key employment and/or insurance related issues to you

With specific regard to personal information, GoCo.io takes commercially reasonable steps to maintain the storage and security of the personally identifiable information that is collected, including controlling the number of people who have electronic access to our database servers, as well as physical access including the installation of security systems that guard against unauthorized access.

When a Authorized User gains access to and uses the GoCo Platform, the Authorized User’s identity and related information remains confidential to the outside world. Such data, in its raw form, may only be accessed by employees or contractors with a need to know solely to ensure continued access, consistent use, or to provide repairs or updates, to the GoCo Platform. Once in a while, such data in aggregated (combined with a larger population of Authorized Users) and anonymized (compiled such that no individual Authorized User can be identified or a Authorized User’s data can be isolated) form may be used to improve the GoCo Platform, benchmark or market the GoCo Platform or other products of GoCo.io, or provide necessary information to investors or regulatory bodies. Such data in aggregated or anonymized form may be provided to third parties in order to assist such third parties in providing us information. It is expected that, on a very infrequent basis (if at all), such data in either raw or aggregated and anonymized form may be subject to an order of a court or tribunal that mandates disclosure but GoCo.io will use its best efforts to effect related protective orders that include a requirement of strict confidentiality and best e-Discovery practices that use commercially reasonable means to protect the confidentiality of such data.

DATA RETENTION

All Authorized User Data will be maintained in the GoCo Platform and associated storage systems during the Term associated with the applicable GSA between you as Authorized User and GoCo.io. At the termination of such GSA, your access will be terminated (unless picked up through a different employer or you personally) and GoCo.io will neither have an obligation to continue retaining such Authorized User Data (except as otherwise required under the law or any applicable regulations) nor to erase such Authorized User Data. However, while such Authorized User Data is in the possession of GoCo.io, it will continue to protect the confidentiality of such Authorized User Data, subject to the terms and conditions of this Policy and the applicable GSA.

Upon an explicit written request from the Client Full Access Administrator, GoCo will make every reasonable effort to delete all Client data from the GoCo platform within 30 days. If more than 30 days are required, GoCo will communicate the expected timeline and the reason for the delay to the Client Full Access Administrator.

In the absence of a request from a Client Full Access Administrator, data of Authorized Users will be retained indefinitely. Records are retained indefinitely because GoCo is used as the primary system of record by Clients and stores what may be the only copies of employment contracts, employment verification documents, performance assessments, time off usage, payroll information, insurance benefits, and other areas where legitimate processing interests exist.

EXPORT / IMPORT OF AUTHORIZED USER DATA

The GoCo Platform is operated from, and Authorized User Data is currently stored within, servers located in the United States. In situations in which you access and use the GoCo Platform from locations outside the United States, GoCo.io needs or desires to operate a portion or all of the GoCo Platform and/or its associated storage systems outside the United States, or GoCo.io expands the scope of GoCo.io’s operations overseas, your Authorized User Data including personally identifiable information may be stored outside of the United States. By accessing and using the GoCo Platform, you as Authorized User consent to the transfer of your Authorized User Data including personally identifiable information into and out of the United States.

This Policy may be updated by GoCo.io at any time, and the associated date of last update is provided below. Please check this Policy often to ensure that you as Authorized User are aware of its modifications and are correspondingly apprised of its applicable terms and conditions. If you have any questions about this Policy, please contact us at https://www.goco.io/about/contact-us/

INFORMATION ABOUT US

Goco.io is owned and operated by GoCo.io, Inc.
We are a C-Corp registered at:
4747 Research Forest Dre, Ste 180 #246
The Woodlands, TX 77381
If you need to contact us, please go to www.goco.io/about/contact-us/.

YOU ARE REQUIRED TO PERIODICALLY REVIEW THIS PRIVACY POLICY, INCLUDING IN SUCH CASES THAT YOU ASSUME A DIFFERENT ROLE WITHIN YOUR COMPANY.

This document was last updated on May 24, 2018.

A previous version of this document is available at https://www.goco.io/legal-stuff/privacy-policy/privacy-policy-modified-6-22-2015/