LAST UPDATED: Apr 6, 2025

Privacy Notice

This Privacy Notice (“Notice”) is designed to help you understand how StepoAI Inc. (“StepoAI”, “we”, “us”, or “our”) collects, uses, and shares your personal information and help you understand and exercise your privacy rights. This Notice applies to StepoAI’s processing of personal information including on our website available at https://stepo.ai/ and our other online or offline offerings which link to, or are otherwise subject to, this Notice (collective, the “Services”). 

Disclosure Regarding Client Data. This Privacy Notice does not apply to the personal information we process on behalf of our clients pursuant to a written agreement we have entered into with such clients (“Client Data”). Our clients’ respective privacy notices or policies govern their collection and use of Client Data. Our processing of Client Data is governed by the contracts that we have in place with our clients, not this Privacy Notice. Any questions or requests relating to Client Data should be directed to our client.

Disclosure Regarding International Data Processing. StepoAI is a global company headquartered in the United States. Many of our IT and other functions are administered centrally in the United States and any information you provide or we collect may be transmitted to a country other than your country of residence for processing or storage, and it may also be communicated to third parties hired by us to provide services such as website hosting, database management, or analytics. By using our Services, you voluntarily consent to the collection, control, creation, use, storage, and processing of your personal information in any country to which we may transfer your personal information in the course of our business operations including the United States. For more information, please see International Transfers of Personal Information. For information on our processing of personal information subject to applicable jurisdictional requirements (including the European Union or United Kingdom laws), please see Annex A – Supplemental Country/Regional Notices.

1. UPDATES TO THIS PRIVACY NOTICE

2. PERSONAL INFORMATION WE COLLECT

3. HOW WE USE PERSONAL INFORMATION

4. HOW WE DISCLOSE PERSONAL INFORMATION

5. YOUR PRIVACY CHOICES AND RIGHTS

6. SECURITY OF YOUR INFORMATION

7. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

8. RETENTION OF PERSONAL INFORMATION

9. SUPPLEMENTAL NOTICE FOR NEVADA RESIDENTS

10. CHILDREN’S PERSONAL INFORMATION

11. THIRD-PARTY WEBSITES/APPLICATIONS

12. LANGUAGES OTHER THAN ENGLISH

13. CONTACT US

ANNEX A:  SUPPLEMENTAL COUNTRY/REGIONAL NOTICES

ANNEX B:  SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY STATEMENT

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website and/or we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

We collect personal information you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.

1. Personal Information You Provide to Us Directly

We may collect personal information that you provide to us.

• Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, your name, email address, phone number, username and other information you store with your account.

• Purchases. We may collect personal information and details associated with your purchases, including payment information. Any payments made via our Services are processed by third-party payment processors. We do not directly collect or store any payment card information entered through our Services, but we may receive information associated with your payment card information (e.g., your billing details).

• Your Communications with Us. We, and our service providers, may collect and/or record the information, conversations, and other communications you share with us, such as on a telephone call or through email, our web chat/chat bot tool, or voicemail.  

• Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the survey.

• Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages).  Any information you provide using the public sharing features of the Services will be considered “public.”

• Sweepstakes or Contests. We may collect personal information you provide for any sweepstakes or contests that we offer. In some jurisdictions, we are required to publicly share information of sweepstakes and contest winners.

• Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events. 
• Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities. 
• Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and CV.

2. Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.

• Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, approximate location derived from IP address and precise geo-location information).

• Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.

• Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies (“Technologies”) to automatically collect personal information through your use of the Services.

• Cookies. Cookies are small text files stored in device browsers.
• Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited, a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Our uses of these Technologies fall into the following general categories: 

• Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity and improve security or that allow you to make use of our functionality;
• Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services;
• Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
• Advertising- or Targeting-Related. We may use first party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party websites.

See “Your Privacy Choices and Rights” below to understand your choices regarding these Technologies.

3. Personal Information Collected from Third Parties

We may collect personal information about you from third parties.  

• Third-Party Services and Sources. We may obtain information about you from other sources, including through third-party services and organizations. For example, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings.  In addition, users of the Services may upload or otherwise provide personal information about others.Additionally, we may collect information from publicly available sources, such as publicly available websites or directories. 
• Clients or Other Organizations. We may receive your personal information from our clients or other organizations, such as your employer or healthcare provider, in connection with one or more business purposes, including to make our Services available to you.

3. HOW WE USE PERSONAL INFORMATION

We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, and to market our products and Services, as described below.

1. Provide the Services

We use personal information to fulfill our contract with you and provide the Services, such as:

• Managing your information;
• Processing your requests;
• Providing access to certain areas, functionalities, and features of the Services;
• Answering requests for support;
• Sending you SMS messages for purposes of authentication;
• Communicating with you;

• Sharing personal information with third parties as needed to provide the Services;

• Processing your financial information and other payment methods for products and Services purchased; and
• Allowing you to register for events.

2. Administrative Purposes

We use personal information for various administrative purposes, such as:

• Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
• Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
• Carrying out analytics;
• Measuring interest and engagement in the Services;
• Analyzing, improving, upgrading, and/or enhancing the Services through the use of artificial intelligence and other methods;
• Developing new products and services;
• Creating de-identified and/or aggregated information. If we create or receive de-identified information, we will not attempt to reidentify such information, unless permitted by, or required to comply with, applicable laws;
• Ensuring internal quality control and safety;

• Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Notice;
• Debugging to identify and repair errors with the Services;
• Auditing relating to interactions, transactions, and other compliance activities;
• Enforcing our agreements and policies; and
• Carrying out activities that are required to comply with our legal obligations.

3. Marketing and Advertising Our Products and Services

We may use personal information to tailor and provide you with marketing and other content. We may provide you with these materials as permitted by applicable law and such materials will include opt out instructions.

California Shine the Light:  If you are a California resident, you may annually submit a request to us to find out whether we have shared your personal information with third parties for the third parties’ direct marketing purposes. If you would like to submit such a request, please “Contact Us.”

If you have any questions about our marketing practices or would like to modify your marketing preferences, please contact us at any time as set forth in “Contact Us” below.

4. With Your Consent or Direction

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information, with your consent, or as otherwise directed by you.

5. Automated Decision Making

We may engage in automated decision making, including profiling. StepoAI’s processing of your personal information will not result in a decision based solely on automated processing that has a legal or other similarly significant effect on you unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are permitted by law to engage in such automated decision making.

If you have questions about our automated decision making, you may contact us as set forth in “Contact Us” below.

4. HOW WE DISCLOSE PERSONAL INFORMATION

We disclose personal information to third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.

1. Disclosures to Provide the Services

We may disclose any of the personal information we collect to the categories of third parties described below.

• Service Providers. We may disclose personal information to third-party service providers who use that information to help us provide our Services. This includes, but is not limited to, service providers that provide us with IT support, hosting, payment processing, customer service, quotes and other information for insurance and other services where we act as a broker, banking and legal services, insurance, analytics, marketing services, and related services.  In addition, personal information and chat communications may be disclosed to service providers that help provide our chat features.

Some of the service providers we may use include:

• Google Analytics. For more information, please visit Google Analytics’ Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.
• LinkedIn Analytics. For more information, please visit LinkedIn Analytics’ Privacy Policy. To learn more about how to opt-out of LinkedIn’s use of your information, please click here.
• FullStory (Session Replay Provider). We use FullStory for session replay analytics, which allows us to record and replay an individual’s interaction with the Services. This helps us understand our user’s experience and how we can improve our Services. For more information about FullStory, please visit: FullStory Privacy Policy | FullStory. To learn more about how to opt-out of FullStory’s use of your information, please click here. 

• Other Users You Share or Interact With. The Services may allow StepoAI users to share personal information or interact with other users of the Services.

• Third-Party Services With Whom You Share or Interact. The Services may link to or allow you to interface, interact, share information with, direct us to share information with, access and/or use third-party websites, applications, services, products, and technology (each a “Third-Party Service”).

Any personal information shared with a Third-Party Service will be subject to the Third- Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.

• Our Clients (Authorized Users Only). In cases where you use our Services as an authorized user of our client, that client may access information associated with your use of the Services including usage data and the contents of the communications and files associated with your account. Your personal information may also be subject to the client’s privacy policy. We are not responsible for the client’s processing of your personal information. 
• Users of Our Services. If you are a listed vendor in our directory services, we may provide your name, contact information, as well as other business information for users to get in touch with you. 

• Business Partners. We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.

Once your personal information is shared with our business partner, it will also be subject to our business partner’s privacy policy. We are not responsible for the processing of personal information by our business partners.

• Affiliates. We may share your personal information with our corporate affiliates.

• Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising”, “personalized advertising”, or “targeted advertising.” Advertising partners we may engage include:

• Meta Connect. For more information about Meta’s use of your personal information, please visit Meta’s Data Policy. To learn more about how to opt-out of Facebook’s use of your information, please click here while logged in to your Facebook account.
• HubSpot. For information about how HubSpot uses your personal information, please review the HubSpot Privacy Policy.  To submit a request to opt-out of HubSpot’s use of your personal information, please submit your written request to privacy@hubspot.com.
• LinkedIn. For more information about how LinkedIn uses your personal information, please visit LinkedIn’s Privacy Policy. To learn more about how to opt-out of LinkedIn’s use of your information, please click here.

2. Disclosures to Protect Us or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

3. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be disclosed, sold, or transferred as part of such a transaction as permitted by law and/or contract.

5. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices. The privacy choices you may have about your personal information are described below and ​​in the Annex A – Supplemental Country/Regional Notice, where relevant.

• Email Communications. If you receive an unwanted promotional email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future promotional emails. Note that you will continue to receive transaction-related emails. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).

• Text Messages. If you receive an unwanted promotional text message from us, you can reply “STOP” to opt out of receiving future promotional texts. Note that you will continue to receive transaction-related text messages. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).

• Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect precise location-based information via our mobile application. You may opt out of this collection by changing the settings on your mobile device. To request deletion of your account, please use the standard deletion functionality available via the Services, or contact us using the information set forth in “Contact Us” below.

• Do Not Track signals and Global Privacy Control. Some web browsers incorporate "do-not-track" (“DNT”) or similar features signaling to websites with which the browser communicates that a visitor does not want to have their online activity tracked. As of the Effective Date, not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, we along with many other digital service operators do not respond to all DNT signals. We recognize GPC signals as required under certain state privacy laws, but we do not currently recognize other DNT signals. For more information about the Global Privacy Control, please visit https://globalprivacycontrol.org.

• Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly.

Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others.

The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative, the Digital Advertising Alliance, and the European Digital Advertising Alliance.

Please note you must separately opt out in each browser and on each device.

Your Privacy Rights. In accordance with applicable law, you may have the right to:

• Confirm Whether We Are Processing Your Personal Information;

• Request Access to or Portability of Your Personal Information;

• Request Correction of Your Personal Information;

• Request Deletion of Your Personal Information;

• Request Restriction of or Object to our Processing of Your Personal Information;

• Request to Opt-Out of Certain Processing Activities including, as applicable, if we process your personal information for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws),  if we “sell” your personal information (as “sell” is defined by applicable privacy laws), or if we engage in “profiling” in furtherance of certain “decisions producing legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws); and

• Withdraw Your Consent to our Processing of Your Personal Information. Please note that your withdrawal will only take effect for future processing, and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws. You may be entitled to additional rights depending on where you live. If you live in a country offering comprehensive privacy rights, please review Annex A – Supplemental Country/Regional Notice below.

Only you, or someone legally authorized to act on your behalf in certain jurisdictions, may make a request to exercise the rights listed above regarding your personal information. If your personal information is subject to a law that allows an authorized agent to act on your behalf in exercising your privacy rights and you wish to designate an authorized agent, please provide written authorization signed by you and your designated agent using the information found in “Contact Us” below and ask us for additional instructions.

To protect your privacy, we will take steps to verify your identity before fulfilling requests submitted under applicable privacy laws. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Examples of our verification process may include asking you to confirm the email address we have associated with you.

Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.

6. SECURITY OF YOUR INFORMATION

We employ reasonable physical, technical, and administrative safeguards designed to keep personal information secure; however, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

It is your responsibility to protect against unauthorized access to your password, phone, tablet, and computer by, among other things, signing off after using a shared device, choosing a robust password nobody else knows or can easily guess, and keeping log-in information and passwords private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity. Where required by applicable law, you may request access to information about our security policies and procedures by contacting us as described in “Contact Us” below.

By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.

7. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. We comply with laws governing the international transfer of personal information typically through the execution of legally required data protection agreements incorporating, where applicable, standard contractual clauses approved for use by the European Union or regulators of other jurisdictions, or other instructions that may be specified, updated, amended, replaced, or superseded from time to time by the applicable regulatory authority. Where required by applicable law, you may request access to information about the transfer safeguards we use by contacting us as described in “Contact Us” below.

8. RETENTION OF PERSONAL INFORMATION

We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as necessary to fulfill the purpose(s) for which it was collected, provide the Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.  

To determine the appropriate retention period for personal information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, certain risk factors, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.

9. SUPPLEMENTAL NOTICE FOR NEVADA RESIDENTS

If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information.  Please note we do not currently sell personal information as sales are defined in Nevada Revised Statutes Chapter 603A.  If you have any questions, please contact us as described in “Contact Us” below.

10. CHILDREN’S PERSONAL INFORMATION

The Services are not directed to children under 18 and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in “Contact Us” below.  If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account if applicable.

11. THIRD-PARTY WEBSITES/APPLICATIONS

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

12. LANGUAGES OTHER THAN ENGLISH

If the Privacy Notice and Annex A – Supplemental Country/Regional Notice are translated into or appear in a language other than English (as may be required by applicable law), the English language version shall control.

13. CONTACT US 

StepAI is the controller of the personal information we process under this Privacy Notice. If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at:

StepoAI Inc.

12819 SE 38th St, 314,

Bellevue, WA 98006

privacy@stepo.ai

ANNEX A – SUPPLEMENTAL COUNTRY/REGIONAL PRIVACY NOTICES

This Supplemental Notice only applies to our processing of personal information subject to the European Union General Data Protection Regulation (“GDPR”) and the United Kingdom Data Protection Act (“DPA”).

A.        LEGAL BASES

In some cases, providing personal information may be a requirement under applicable law, a contractual requirement, or a requirement necessary to enter a contract. If you choose not to provide personal information in cases where it is required, we will inform you of the consequences at the time of your refusal to provide the personal information.

If we process personal information considered a “special” or “sensitive” category of personal information, then our processing of such personal information may be supported by one or more of the following conditions:

1. Explicit Consent: You may have provided your explicit consent for our processing of your personal information.
2. Necessary for Employment, Social Security, or Social Protection Law Purposes: Our processing of your personal information may be necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, social security, and/or social protection law.
3. Necessary to Protect Vital Interests: Our processing of your personal information may be necessary to protect the vital interests of you if you are physically or legally incapable of giving consent.
4. Publicly Available Personal Information: Our processing of your personal information may relate to personal information which has been manifestly made public by you.
5. Necessary for the Establishment, Exercise or Defense of Legal Claims: Our processing of your personal information may be necessary for the establishment, exercise or defense of legal claims.
6. Necessary for Substantial Public Interest: Our processing of your personal information may be necessary for reasons of substantial public interest.
7. Necessary for Medical Purposes: Our processing of your personal information may be necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, or pursuant to contract with a health professional.
8. Necessary for Substantial Interest in the Area of Public Health: Our processing of your personal information may be necessary for reasons of public interest and/or public health.

If your personal information is subject to the applicable data protection laws of the European Union or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority if you believe our processing of your personal information violates applicable law.

If you are located within the European Union, you may find the contact details of the competent authorities in the following link: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

If you are located within the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO) by clicking here: https://ico.org.uk/make-a-complaint/.

B.        CONTACT US

StepoAI is the controller of the personal information we process under this Privacy Notice. If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact our Privacy and Data Protection Team at:

StepoAI Inc.

12819 SE 38th St, 314,

Bellevue, WA 98006

privacy@stepo.ai

If you wish to receive a response by email, please be sure to include your name, postal address, and email address. If we do not receive an email address, we will respond by postal mail.

ANNEX B – SUPPLEMENTAL CONSUMER HEALTH DATA PRIVACY STATEMENT

This Supplemental Consumer Health Data Privacy Statement (“Consumer Health Data Privacy Statement”) supplements StepoAI’s Privacy Notice.

This Supplemental Consumer Health Data Privacy Statement only applies to personal information that we process that is “consumer health data” subject to the Washington My Health My Data Act (“MHMDA”) or Nevada’s Consumer Health Data Privacy Law (“NVCHDPL”) (as applicable).

Terms used in this Supplemental Consumer Health Data Privacy Statement that are defined in MHMDA or NVCHDPL will have the meaning set forth in those laws to the extent such laws are applicable.

CONSUMER HEALTH DATA WE COLLECT

Under the MHMDA, “consumer health data” is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.”

Under NVCHDPL, “consumer health data” is defined as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.”

Because consumer health data is defined very broadly, many of the categories of personal information that we collect under our Privacy Notice may also be considered consumer health data.

Examples of consumer health data that you may provide to us, or that we may otherwise collect, may include:

• Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health. For example, we collect your search queries on the Site, which may include queries or other information concerning nutrition, wellness, fitness, medical conditions, or other health-related topics.
• Information about your health-related conditions, symptoms, status, diagnoses, disease, testing, or treatments.
• Information about social, psychological, behavioral, and medical interventions.
• Information about use or purchase of prescribed medication.
• Information about measurements of bodily functions, vital signs, symptoms, or characteristics.
• Information about diagnoses or diagnostic testing, treatment, or medication.
• Information about surgeries or other health-related procedures.
• Reproductive or sexual health information.
• Information about gender-affirming care.
• Biometric information.
• Genetic data.
• Information about your access to healthcare, including precise location information that could reasonably indicate an attempt to acquire or receive health services or supplies; or
• Information processed to associate or identify an individual with the data listed above that is derived or extrapolated from non-health information.
• Information related to the precise (geo)location information of a consumer used to indicate an attempt by a consumer to receive health care services or products.
• Other information that may be used to infer or derive data related to the above or other consumer health data.

SOURCES OF CONSUMER HEALTH DATA

We collect consumer health data that you provide to us, consumer health data we collect automatically when you use the Site, and consumer health data from third-party sources, as described in our Privacy Notice and below.

WHY WE COLLECT AND USE CONSUMER HEALTH DATA

We collect and use consumer health data for the purposes and in the manner described in the “How We Use Personal Information” section of our Privacy Notice.

Primarily, we collect and use consumer health data as reasonably necessary to provide you with the products or Site you have requested or authorized. This may include delivering and operating the products or Site and their features, personalization of certain product or Site features, ensuring the secure and reliable operation of the products or Site and the systems that support them, troubleshooting and improving the products and Site, and other essential business operations that support the provision of the products and Site (such as analyzing our performance and meeting our legal obligations).

We may also use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law.

SHARING OF CONSUMER HEALTH DATA

We may share each of the categories of consumer health data described above for the purposes described above and in the “How We Use Personal Information” section of our Privacy Notice.

We only share or disclose your Consumer Health Data as needed to provide you with the products or services that you request, or with your explicit consent. We may share or disclose any or all the above categories of Consumer Health Data to the following entities, who shall use the data only as permitted for the purposes set forth above, and within the bounds of our contracts with them:

These general categories of third parties:

• Business Collaborators
• Product co-promotion partners
• Product co-development partners
• Marketing and Advertising Agencies
• Social Media Companies and Platforms
• Service Providers (including those hosting or analyzing data on our behalf, those assisting with fraud prevention, those assisting in program administration, those assisting in incident management and reporting, those administering our call center and websites, and those who assist with our information technology and security programs)
• Emergency Personnel
• Authorized/legal representatives, family members, and caregivers
• Third parties (including those with whom StepoAI has joint marketing and similar arrangements, those who provide marketing and data analytics services, those who provide program enrollment or product fulfillment, payment, and authorization, other third parties as necessary to complete transactions and provide products/services, or where required by law)
• StepoAI  lawyers, auditors, and consultants
• Legal and regulatory bodies.

In addition, we may share or disclose Consumer Health Data as permitted or required by law, such as (i) to an acquiring organization if we are involved in a sale or a transfer of our business, (ii) as needed to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, (iii) in situations that may involve violations of our terms of use or other rules, (iv) to protect our rights and the rights and safety of others, (v) as needed to support external auditing, compliance and corporate governance functions, (vi) as needed to preserve the integrity or security of our systems, or (vii) to investigate, report, or prosecute those responsible for any action that is illegal under applicable state or Federal law.

HOW TO EXERCISE YOUR RIGHTS

MHMDA and NVCHDPL provide consumers with certain rights with respect to consumer health data.

Under MHMDA, consumers have the right to: (i) confirm whether StepoAI is collecting, sharing, or selling consumer health data and to access such data; (ii) withdraw consent from StepoAI’s collection and sharing of consumer health data; and (iii) request that StepoAI delete consumer health data.

Under NVCHDPL, consumers have the right to: (i) confirm whether StepoAI is collecting, sharing or selling consumer health data; (ii) have StepoAI provide the consumer with a list of all third parties with whom StepoAI has shared consumer health data relating to the consumer or to whom StepoAI has sold such consumer health data; (iii) request that StepoAI cease collecting, sharing, or selling consumer health data relating to the consumer; and (iv) request that StepoAI delete consumer health data.

The rights afforded to consumers under MHMDA and NVCHDPL are subject to certain exceptions.

Subject to certain legal limitations and exceptions, you have the following rights with respect to any Consumer Health Data we may collect about you:

• The right to confirm whether we are collecting, sharing, or selling your Consumer Health Data and to access such data, including to receive a list of affiliates or specific third parties with whom we have shared or sold your information, along with contact information such as an active email address for each third party;
• The right to review and request corrections to your Consumer Health Data;
• The right to withdraw consent from our collection or sharing of your Consumer Health Data; and
• The right to request that we delete your Consumer Health Data.

You may submit a request pursuant to any of these rights by contacting us as described in “Contact Us.”

StepoAI will not discriminate against you for exercising any of your rights. We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. Please allow 45 days for a response.  We may, after receiving your request, require additional information from you to authenticate your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.