Privacy Policy

Go Round Peg

Last Updated: March 17, 2026

1. Introduction

Go Round Peg (“RoundPeg,” the “Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your Personal Data. This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you access or use our websites, applications, platforms, software, communications tools, and related services (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and that your use of the Services is subject to this Privacy Policy and our Terms of Use. If you do not agree with our practices, you should not access or use the Services.

This Privacy Policy is intended to work together with the Terms of Use. In the event of a conflict between this Privacy Policy and the Terms of Use regarding privacy practices, this Privacy Policy will control with respect to the collection, use, and disclosure of Personal Data, unless a separate written agreement between you and the Company provides otherwise.

2. Scope of This Privacy Policy

This Privacy Policy applies to Personal Data that we collect through the Services, through direct communications with you, through account registration and use, through web forms, and through certain automated technologies such as cookies and analytics tools.

For purposes of this Privacy Policy, “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or otherwise constitutes personal information, personal data, or personally identifiable information under applicable law.

This Privacy Policy does not apply to the practices of third parties that we do not own or control, including third-party websites, platforms, benefits providers, insurers, brokers, carriers, administrators, or service providers, except to the extent expressly stated herein.

3. Categories of Personal Data We Collect

Depending on how you interact with the Services, we may collect the following categories of Personal Data:

Profile and Contact Information. This may include your first and last name, business name, employer, job title, mailing address, email address, telephone number, mobile number, account username, and other contact details you provide.

Account and Authentication Information. This may include account credentials, password-protected login data, account preferences, security-related information, and records related to your registration or authentication activities.

Communications Information. This may include the content of communications you send to us, communications sent through the Services, customer support inquiries, appointment requests, uploaded documents, notes, messages, or other content you or your authorized users provide through the Services.

Benefits and Administrative Information. Because RoundPeg provides tools related to employee health plans, benefits administration, and related business operations, we may collect information you provide in connection with those functions, including employer information, employee census information, plan-related information, eligibility data, enrollment-related information, and similar administrative records.

Health-Related Information. In limited circumstances and depending on how the Services are used, we may receive or process information related to benefits, plan eligibility, medical coverage, insurance selections, or other information associated with health plan administration. We do not provide medical advice, diagnosis, or treatment.

Payment and Transaction Information. If payments are processed through the Services or in connection with the Services, we may collect billing-related details, payment status, invoices, and transaction records. Payment card information may be processed by third-party payment processors and may not be stored directly by us except as necessary for recordkeeping.

Device and Technical Information. This may include IP address, browser type, device type, operating system, domain server, approximate location derived from IP address, referral URLs, pages viewed, session duration, time zone, clickstream data, and other information regarding how you interact with the Services.

Cookies and Tracking Data. We may collect information through cookies, pixels, tags, web beacons, local storage, scripts, and similar tracking technologies.

SMS and Mobile Messaging Information. If you opt in to receive SMS or other mobile messaging communications from us, we may collect your mobile phone number, consent status, consent timestamp, source of consent, opt-in records, opt-out records, delivery confirmations, carrier-related information, support requests, and message interaction history. For avoidance of doubt, mobile opt-in data and consent records are treated as highly restricted information.

User Content. To the extent the Services allow you or your authorized users to submit, upload, transmit, or otherwise provide content, we may collect that information in connection with operating and supporting the Services.

4. Sources of Personal Data

We may collect Personal Data from the following sources:

Directly from you. We collect information you voluntarily provide when you register for an account, complete forms, request services, contact us, send us communications, upload documents, subscribe to updates, request support, or otherwise interact with the Services.

From your employer, organization, broker, administrator, or authorized representative. If you access the Services through an employer-sponsored or organization-sponsored relationship, we may receive Personal Data from that employer, organization, or its authorized representatives.

From your authorized users. If another user is authorized to administer or manage an account on behalf of an organization, that user may provide information relating to you.

Automatically from your device or browser. We collect certain technical and usage data automatically through cookies, server logs, analytics platforms, and similar technologies.

From service providers and business partners. We may receive information from hosting providers, analytics vendors, fraud prevention vendors, communications vendors, customer support providers, and similar parties acting on our behalf.

From third parties you authorize. If you direct us to receive information from a third party, or authenticate through or connect to a third-party service, we may receive information from that party consistent with your authorization.

5. How We Use Personal Data

We may use Personal Data for the following business and commercial purposes:

To provide, operate, maintain, support, and improve the Services.

To create and administer accounts, authenticate users, manage access, and protect account security.

To facilitate employee health plan administration, communications, enrollment-related processes, benefits-related workflows, and related administrative services.

To respond to questions, requests, and customer support inquiries.

To provide transactional and service-related communications, including confirmations, reminders, account alerts, administrative notices, and other communications necessary for the operation of the Services.

To send SMS or other mobile messages where you have provided the required consent.

To monitor usage, troubleshoot issues, analyze trends, improve user experience, and develop new features or services.

To protect the security and integrity of the Services, investigate fraud or abuse, and enforce our legal rights.

To comply with legal obligations, legal process, court orders, subpoenas, regulatory requests, and other lawful requirements.

To carry out internal administrative purposes such as auditing, recordkeeping, billing support, contract management, reporting, and quality assurance.

To create aggregated, de-identified, or anonymized information that does not reasonably identify any individual and to use such information for lawful business purposes.

We do not use Personal Data in a manner materially inconsistent with this Privacy Policy without providing additional notice where required by law.

6. SMS, Text Messaging, iMessage, and Mobile Communications

RoundPeg may offer text-based communications in connection with the Services, including SMS messages and, where technically supported and delivered through a compatible device or platform, similar mobile messaging channels such as iMessage or equivalent device-native messaging experiences. For purposes of this Privacy Policy, all such communications are referred to collectively as “Mobile Messaging.”

We may use Mobile Messaging to provide appointment reminders, service notifications, account alerts, customer service responses, receipts, support-related communications, operational updates, and, where permitted by law and where you have affirmatively consented, promotional communications.

When you opt in to Mobile Messaging, we may collect and store your mobile phone number, opt-in source, consent language accepted, consent timestamp, confirmation records, delivery records, message history, opt-out records, HELP requests, carrier or routing metadata, and related compliance records. We use this information to provide the Mobile Messaging service, maintain compliance records, respond to support requests, demonstrate consent where necessary, and enforce our Terms of Use.

Mobile phone numbers and mobile opt-in data are not sold, rented, or shared with third parties or affiliates for their own marketing or promotional purposes. We may disclose such information only to service providers, messaging platforms, aggregators, carriers, infrastructure providers, or vendors strictly to the extent necessary to deliver, support, secure, or document the Mobile Messaging service, or where disclosure is required by law.

You may opt out of SMS communications at any time by replying “STOP” to a message you receive from us. You may request assistance by replying “HELP” or by contacting us using the contact information below. Message frequency may vary. Message and data rates may apply depending on your wireless plan and carrier. Wireless carriers and related providers are not liable for delayed or undelivered messages.

Consent to receive Mobile Messaging is not a condition of purchasing any goods or services from us. Participation in Mobile Messaging is limited to individuals who are at least eighteen (18) years of age.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to support the functionality, security, and performance of the Services and to better understand how users interact with the Services.

Cookies are small text files stored on your device. Some cookies are strictly necessary for the operation of the Services, such as those used for authentication, session continuity, fraud prevention, and security. Other cookies may be used for analytics, performance monitoring, feature optimization, and user experience improvements. In some cases, third-party technologies integrated into the Services may also place cookies or similar tracking technologies on your device.

We may use categories of cookies such as:

Essential Cookies, which are necessary for core functionality, security, and access to secure areas of the Services;

Functional Cookies, which remember preferences and settings;

Performance or Analytics Cookies, which help us understand usage patterns and improve the Services.

You may be able to control cookies through your browser settings or, where applicable, through cookie management tools made available on the Services. Disabling certain cookies may cause portions of the Services to function improperly or become unavailable.

For additional information about our use of cookies and tracking technologies, please review this Privacy Policy and any cookie disclosures or controls that may be provided through the Services.

8. User Content and Submitted Information

To the extent you or your authorized users submit, upload, transmit, or otherwise provide content through the Services, we may collect and process that information as necessary to provide, maintain, support, secure, and improve the Services and to comply with applicable law and contractual obligations.

You are responsible for ensuring that you have the necessary rights and permissions to provide such information to us. We do not assume responsibility for verifying the legality, accuracy, or ownership of information submitted by users, employers, administrators, or authorized representatives.

9. How We Share Personal Data

We do not sell Personal Data in the ordinary sense of exchanging personal information for money. We also do not share mobile numbers, SMS consent records, or mobile opt-in data with third parties or affiliates for their own marketing or promotional purposes.

We may disclose Personal Data to the following categories of recipients, as reasonably necessary for the purposes described in this Privacy Policy:

Service Providers. These may include hosting providers, cloud infrastructure vendors, analytics providers, security vendors, customer support vendors, payment processors, communications vendors, messaging providers, and other service providers performing services on our behalf.

Business and Operational Partners. Where necessary to provide the Services, we may disclose information to brokers, benefits administrators, employers, plan sponsors, insurers, carriers, enrollment partners, or other authorized parties involved in plan administration or related services, subject to applicable contractual and legal restrictions.

Parties You Authorize. We may share information with third parties when you direct us to do so or when you authorize an integration, connection, or disclosure.

Legal and Compliance Recipients. We may disclose information where required by law, subpoena, court order, regulatory request, legal process, or where we reasonably believe disclosure is necessary to protect our rights, investigate fraud, enforce agreements, or protect the safety, rights, or property of the Company, our users, or others.

Business Transfers. We may transfer Personal Data as part of an actual or proposed merger, financing, acquisition, reorganization, sale of assets, bankruptcy, or other corporate transaction, subject to appropriate confidentiality and legal protections.

De-identified or Aggregated Data Recipients. We may disclose aggregated, anonymized, or de-identified information that does not reasonably identify you for lawful business purposes.

10. HIPAA-Adjacent and Health Information Practices

RoundPeg provides tools related to employee health plans, benefits administration, and related business functions. In certain circumstances, information processed through the Services may include information associated with health coverage, benefits eligibility, or other health-related administrative information.

RoundPeg is not a healthcare provider and does not provide medical advice, diagnosis, or treatment. To the extent we receive, process, store, or transmit information that may be subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we implement administrative, technical, and physical safeguards designed to protect such information in accordance with applicable legal requirements, contractual commitments, and industry standards.

Where required by law or contract, we may enter into Business Associate Agreements or similar data protection agreements with Covered Entities, plan sponsors, or other authorized parties. Users remain responsible for determining whether HIPAA or other health privacy laws apply to their use of the Services and for ensuring that their own use of the Services complies with applicable law.

11. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Data from unauthorized access, disclosure, alteration, misuse, and destruction. These safeguards may include access controls, encryption where appropriate, logging, monitoring, vendor oversight, secure storage, and related security practices.

Notwithstanding these measures, no system, network, or method of transmitting data over the Internet or storing data electronically is completely secure. As a result, we cannot guarantee absolute security, and you provide information at your own risk.

You are also responsible for maintaining the security of your credentials, devices, and accounts, including using strong passwords, limiting unauthorized access, and promptly notifying us of any suspected breach or unauthorized activity.

12. Data Retention

We retain Personal Data for as long as reasonably necessary to provide the Services, maintain business records, enforce agreements, satisfy legal, accounting, tax, audit, compliance, and reporting obligations, resolve disputes, and protect our legitimate business interests.

Retention periods may vary depending on the type of information, the nature of the relationship, contractual requirements, regulatory obligations, litigation holds, and other relevant circumstances. We may retain information for longer periods where required or permitted by law. We may also retain aggregated or de-identified information for lawful business purposes without time limitation where permitted by applicable law.

SMS consent records, opt-in records, opt-out records, and related compliance documentation may be retained for as long as reasonably necessary to demonstrate compliance with messaging, telecommunications, legal, and contractual obligations.

13. Children’s Privacy

The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect Personal Data directly from children under thirteen. In addition, as set forth in the Terms of Use, certain aspects of the Services, including participation in the Mobile Messaging program, are limited to individuals who are at least eighteen (18) years of age.

If we become aware that we have collected Personal Data from a child in violation of applicable law, we will take reasonable steps to delete such information.

14. External Links and Third-Party Services

The Services may contain links to or integrations with third-party websites, applications, systems, or services that are not owned or controlled by us. We are not responsible for the privacy, security, or data handling practices of such third parties. You should review the privacy policies of those third parties before providing information to them.

15. Your Privacy Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your Personal Data, including the right to request access to, correction of, deletion of, or restrictions on the processing of certain Personal Data, as well as the right to object to certain processing or to request portability of certain information.

You may also have choices regarding:

whether to provide certain Personal Data;

whether to receive certain communications from us;

whether to opt out of SMS messages by replying STOP;

browser-level cookie settings and similar tracking controls.

If you wish to exercise applicable privacy rights, you may contact us using the contact information below. We may need to verify your identity before acting on a request, and we may deny or limit requests where permitted by law.

16. State-Specific Privacy Disclosures

Residents of certain states, including California and Nevada, may have additional rights under applicable privacy laws.

If you are a California resident, you may have rights under California law regarding access to, deletion of, or correction of certain Personal Data, as well as rights relating to certain disclosures about our information practices. California residents may also designate an authorized agent where permitted by law.

If you are a Nevada resident, you may have the right to request that we not sell certain covered information. At this time, RoundPeg does not sell Personal Data in exchange for monetary consideration as commonly understood under Nevada law.

To submit a privacy rights request, please contact us using the contact information below.

17. International Users

If you access the Services from outside the United States, please be aware that your information may be transferred to, processed in, and stored in the United States or other jurisdictions in which we or our service providers operate. By using the Services and providing information to us, you acknowledge that your information may be transferred to jurisdictions that may not provide the same level of data protection as your home jurisdiction.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time in our discretion. When we do, we will update the “Last Updated” date above and may provide additional notice where required by law. Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acknowledgment of the revised Privacy Policy, subject to applicable legal requirements.

19. Contact Information

If you have questions about this Privacy Policy, our privacy practices, or your rights and choices, you may contact us at:

Go Round Peg
Email: [email protected]