Goal AI
Privacy Notice

Effective and Last Updated Date: October 20, 2025

1. Scope

This Privacy Notice explains how Goal AI collects, uses, discloses, and protects personal information in connection with the Service, including websites, mobile and web applications, and interactions with Goal AI support.

2. Core Principles

Goal AI does not sell personal information. Goal AI does not share personal information for cross‑context behavioral advertising. Goal AI provides employer reporting only in aggregate and de‑identified form. Goal AI does not disclose individual messages, notes, or detailed activity trails to employers.

3. Categories of Information Collected

Goal AI collects the following categories of information, depending on how you use the Service.

First, account and identity information. This may include full name, preferred name, work email address, employee identifier, and single sign‑on identifier. You may optionally provide a telephone number and general location such as city, state, and country.

Second, onboarding and profile inputs that you choose to provide. This may include your wellbeing goal stated in your own words, your preferred approaches to achieving that goal such as increased exercise or nutrition changes, and a description of the types of group members you believe would be helpful to your success, such as career stage or responsibilities. You are not required to provide sensitive traits or demographic data, but may choose to do so.

Third, group content and interactions. This may include the names and descriptions of groups you create or join, weekly activities, posts, reactions, files, and related group activity within the Service.

Fourth, device and usage information. This may include device and browser characteristics, application version, internet protocol address, event logs, and session timestamps that are generated by your device when you use the Service.

Fifth, support communications. This may include emails, support tickets, and limited transcripts of communications with Goal AI support.

Sixth, inferences that are derived from other information. This may include topic or interest groupings generated to personalize your experience and to improve the Service.

The following chart indicates the categories of personal data that we collect and share with third parties for a business purpose, or for targeted advertising.  Note that we do not “sell” personal data for money, and we do not share data for the purposes of cross-context behavioral advertising.

The above chart indicates some data fields that certain people, or jurisdictions, might consider sensitive.   Note that we only use those data fields to perform services that are reasonably expected by individuals, and to improve our products and services.  We do not sell or share such information. 

4. Purposes of Processing

Goal AI processes personal information for the following purposes.

To provide, operate, and secure the Service and its group features.
To personalize group recommendations and to generate group names, descriptions, and activity ideas based on the information you choose to provide.
To support users and administrators and to maintain and improve the Service.
To measure engagement and to produce de‑identified and aggregate analytics and employer reporting.
To detect, investigate, and prevent fraud, abuse, and security incidents.
To comply with legal obligations, to enforce terms, and to protect the rights and safety of users and others.

5. Basis for Processing

Where required by law, Goal AI relies on one or more lawful bases for processing, including performance of a contract, legitimate interests such as security and analytics, and consent for optional inputs and certain notifications. You may withdraw consent at any time. If you withdraw consent for information that is necessary to provide the Service, some features may no longer be available.

6. AI‑Related Disclosures

AI is used to generate group names, descriptions, and activity ideas. Goal AI does not use demographic or sensitive attributes to drive AI outputs. AI does not make decisions related to employment or ethics. AI outputs are grounded in structured inputs provided by users. Goal AI applies human review on a sample basis and conducts regular manual reviews to improve quality and reduce bias risk.

For AI inference, Goal AI transmits only the minimum information needed to generate the requested content. Goal AI configures requests so that personal identifiers are not included in the AI prompt. Goal AI does not permit model providers to use customer data to train publicly available foundation models. Calls to model providers are handled in a stateless manner and are configured so that providers do not retain content for their own product improvement. 

Goal AI reviews AI system performance on at least a quarterly basis and tests for changes in underlying models on at least a weekly cadence. The Service provides clear indicators when AI is generating content.

7. Sharing of Information

Goal AI shares personal information with service providers that perform services on its behalf. These providers are bound by contractual obligations to protect personal information and to use it only to provide services to Goal AI.

Goal AI shares information with the sponsoring employer only in de‑identified and aggregate form, for example participation counts and the adoption of activities across a population. Goal AI may disclose limited identifiers to the employer or its administrators solely to confirm eligibility or to resolve support requests.

Goal AI may disclose information as required by law or legal process, to protect the rights and safety of users or others, and in connection with a merger, acquisition, or other corporate transaction. Any successor entity will be required to honor this Privacy Notice with respect to information already collected.

Goal AI does not sell personal information. Goal AI does not share personal information for cross‑context behavioral advertising.

8. Cookies and Similar Technologies

The Service uses essential cookies and limited analytics to operate and understand how features are used. Cookies are small text files which are placed on your browser when you visit a website, open or click on an email, or interact with an advertisement. The in‑product experience does not use advertising cookies. Marketing websites may use analytics cookies. You can control cookies through your browser settings, although disabling certain cookies may affect functionality. The Service does not respond to Do Not Track signals.

9. Security

Goal AI uses administrative, technical, and physical safeguards that are designed to protect personal information. These include encryption in transit and at rest, role‑based access, least privilege, logging, and regular backups. Access to systems is reviewed regularly. Goal AI aligns its information security program with recognized frameworks. Hosting and core platform providers maintain independent attestations appropriate to their services. Nevertheless, transmission via the Internet is not completely secure, and Goal AI cannot guarantee absolute security of user’s personal information.

10. International Transfers

Goal AI stores and processes information in the United States and may transfer information to other locations as necessary to provide the Service. Where required, Goal AI uses appropriate transfer mechanisms such as standard contractual clauses and related measures.

11. Retention and Deletion

Goal AI retains personal information for the duration of the customer relationship and as necessary to provide the Service, comply with our legal obligations, resolve disputes, prevent fraud and enforce contracts. If an account becomes inactive, Goal AI retains personal information for twelve months unless deletion is expressly requested. The purpose of retention for inactive accounts is to support audits, preserve continuity of shared content and group history, and facilitate account reactivation.

Upon termination of a customer contract, Goal AI retains user‑specific data for thirty days and then securely purges it. Operational logs are retained for security and diagnostic purposes and are designed not to contain personal information.

You may request deletion of your account data by contacting support as described below. Goal AI will verify your identity and implement your request in accordance with applicable law and contractual commitments.

12. Your Choices and Rights

You may have rights under applicable law to access, correct, delete, or receive a copy of your personal information, to restrict or object to certain processing, and to appeal a decision concerning your request. Residents of certain United States jurisdictions have rights under state privacy laws. Residents of the European Economic Area, the United Kingdom, and Switzerland have rights under regional data protection laws (See below). Goal AI does not sell personal information and does not share personal information for cross‑context behavioral advertising, so opt‑out rights for those activities do not apply.

You may submit a privacy request, including a request to opt-out of receiving emails, by contacting Goal AI using the contact information below. Goal AI will verify your identity and respond within the time periods required by law. You may authorize an agent to act on your behalf where permitted by law.

13. Children

The Service is intended for use by adults who are at least eighteen years of age. Goal AI does not knowingly collect personal information (as that term is defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children.

14. Subprocessors and Vendors

Goal AI uses subprocessors and vendors to support hosting, analytics, messaging, logging, and similar functions. A current list is available on request. Goal AI maintains contracts with these providers that require confidentiality, appropriate security, and processing only for the purposes of providing services to Goal AI.

15. Incident Response and Business Continuity

Goal AI maintains a written incident response plan that assigns responsibilities, defines escalation, and addresses notification to affected customers in accordance with applicable data breach laws. Goal AI conducts exercises of its plans and maintains business continuity and disaster recovery capabilities that are tested and updated on a regular cadence.

16. Information We Do Not Seek

Goal AI does not seek to collect biometric identifiers. Goal AI does not require protected health information as defined by the Health Insurance Portability and Accountability Act. Users should not upload highly confidential information to the Service.

17.  California Residents

These additional rights and disclosures apply only to California residents. Terms have the meaning ascribed to them in the California Consumer Protection Act as amended by the California Privacy Rights Act (“CPRA”), unless otherwise stated.

‍Note that these rights and disclosures only apply to personal information we collect where we control the purposes and means of collection. Any questions or requests that you have relating to the processing of personal data by us on behalf of a client should be directed to the relevant client. We will support the client to the extent required by applicable law in responding to your request.

‍Notice at Collection

‍At or before the time of collection of your personal information, you have a right to receive notice of our data practices. Our data practices are as follows:

‍● For the categories of personal information we have collected in the past 12 months, see the Categories of Information Collected section above.

● For the categories of sources from which personal information is collected, see the Categories of Information We Collect section above.

● For the specific business and commercial purposes for collecting and using personal information, see the Purposes of Processing section above.

● For the categories of third parties to whom information is disclosed, see the Sharing of Information section above.

● For the criteria used to determine the period of time information will be retained, see the Retention and Deletion section above.

‍We do not sell your personal information as that term is traditionally understood. However, some of our disclosures of personal information may be considered a “sale” or “share” as those terms are defined under the CPRA. A “sale” is broadly defined under the CPRA to include a disclosure for something of value, and a “share” is broadly defined under the CPRA to include a disclosure for cross-context behavioral advertising. We collect, sell, or share the following categories of personal information for commercial purposes: device identifiers, device information, internet activity, non-precise geolocation data, and inferences drawn from any of the above. The categories of third parties to whom we sell or share your personal information include, where applicable, vendors and other parties involved in cross-context behavioral advertising. We do not knowingly sell or share the personal information of minors under 16 years old who are California residents. For details on your rights regarding sales and shares, please see the Right to Opt-Out of Sales and Shares section below.

‍Rights to Know, Correct, and Delete

‍You have the following rights under the CPRA:

‍● The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which personal information is collected, the business or commercial purposes for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.

● The right to correct inaccurate personal information that we maintain about you.

● The right to delete personal information we have collected from you.

To exercise any of these rights, please follow the instructions for data subject requests in the Your Privacy Choices section above. Please note these rights are subject to exceptions. We will confirm receipt of your request within 10 business days and respond to your request within 45 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your request.

‍Right to Opt-Out of Sales and Shares

‍To the extent we sell or share your personal information as those terms are defined under the CPRA, you have the right to opt-out of the sale or sharing of your personal information. To exercise this right, please follow the instructions for opting out of sales, shares, and targeted advertising in the Your Choices and Rights section above.

‍Authorized Agent

‍You can designate an authorized agent to submit requests on your behalf. Requests must be submitted through the designated methods listed above. Except for opt-out requests, we will require written proof of the agent’s permission to do so and may verify your identity directly.

‍Right to Non-Discrimination

‍You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.

Shine the Light

Under California’s Shine the Light law, customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclose such information. To make a request, please write to us at the email or postal address set out in the Contact Us section above and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

18. ‍Other States with Comprehensive Data Privacy Laws

These additional rights and disclosures apply only to residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Utah, and Virginia. Those states have all adopted comprehensive data privacy laws. In addition, Maryland and Rhode Island have adopted comprehensive data protection laws that will go into effect in 2025 and 2026, and Maine, Michigan, Nevada, New York, Vermont and Washington have adopted consumer privacy laws. Terms used below have the meaning ascribed to them in the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Kentucky Consumer Data Act, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Jersey Data Privacy Act, the New Hampshire Privacy Act, the Oregon Consumer Privacy Act, the Tennessee Information Protection Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, as applicable.   

‍Note that these rights and disclosures only apply to personal data we collect where we control the purposes and means of collection. Any questions or requests that users have relating to the processing of personal data by us should be directed to the user’s employer. We will support the employer to the extent required by applicable law in responding to a user’s request.

You may have the following rights under applicable state law:

‍● To confirm whether or not we are processing your personal data

● To access your personal data

● To correct inaccuracies in your personal data

● To delete your personal data

● To obtain a copy of your personal data that you previously provided to us in a portable and readily usable format

To exercise any of these rights, please follow the instructions for data subject requests in the Your Choices and Rights section above. Please note these rights are subject to exceptions. We will respond to your request within 45 days. We may require specific information from you to help us confirm your identity and process your request. If we are unable to verify your identity, we may deny your request. We do not process personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

‍Right to Opt-Out of Sales and Targeted Advertising

You also may have the right to opt-out of the processing of personal data for purposes of targeted advertising or the sale of personal data. To exercise this right, please follow the instructions for opting out of sales, shares, and targeted advertising in the Your Choices and Rights section above.

‍Authorized Agent

You can designate an authorized agent to submit requests on your behalf. Requests must be submitted through the designated methods listed above. Except for opt-out requests, we will require written proof of the agent’s permission to do so and may verify your identity directly.

‍Appeals

If we refuse to take action on a request, you may appeal our decision within a reasonable period of time by contacting us at support@goal.ai and specifying your wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows:

‍● For Colorado residents, to the Colorado AG at https://coag.gov/file-complaint/

● For Connecticut residents, to the Connecticut AG at https://www.dir.ct.gov/ag/complaint/

● For Virginia residents, to the AG at https://www.oag.state.va.us/consumercomplaintform

‍Nevada

‍If you are a Nevada consumer, you have the right to direct us not to sell certain information that we have collected or will collect about you. To exercise this right, please follow the instructions for opting out of sales, shares, and targeted advertising in the Your Choices and Rights section above.

19. European Economic Area, Switzerland, and United Kingdom

These additional disclosures and rights apply only to individuals located in the European Economic Area, Switzerland, or the United Kingdom (collectively, “Europe”). Terms have the meaning ascribed to them in the General Data Protection Regulation (“GDPR”), the Data Protection Act 2019 (United Kingdom) and the Federal Act on Data Protection (Switzerland).

‍Roles

‍Goal AI acts as a controller with respect to personal data collected as you interact with our Service. Any questions or requests that you have relating to the processing of personal data by us should be directed to us. 

Lawful Basis for Processing

‍Data protection laws in Europe require a “lawful basis” for processing personal data. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or clients; (b) processing is necessary for the performance of a contract with you; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests. Where applicable, we will transfer your personal data to third countries subject to appropriate or suitable safeguards, such as standard contractual clauses.

‍Data Subject Requests

‍You have the right to access, rectify, or erase any personal data we have collected about you. You also have the right to data portability and the right to restrict or object to our processing of personal data we have collected about you. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different than for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any data processing we do based on consent you have provided to us.

‍To exercise any of these rights, please follow the instructions for data subject requests in the Your Choices and Rights section above. We will respond to your request within 30 days. We may require specific information from you to help us confirm your identity and process your request. For details on our retention practices for personal data, see the Retention and Deletion section above.

‍You also have the right to lodge a complaint with the data protection regulator in your jurisdiction.

‍20. Changes to this Privacy Notice

Goal AI may modify this Privacy Notice from time to time. The effective date at the top of this document reflects the date of the most recent changes. For material changes, Goal AI will provide reasonable notice through the Service or by other appropriate means. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Notice.

21. Contact Information

You may contact Goal AI regarding privacy or data protection matters at the following e-mail address: support@goal.ai.