MyZorro, Inc., doing business as Zorro (“Zorro”, “our”, “we” or “us”) offers organizations and their Employees (as defined below) its proprietary solution that collects and analyzes data obtained from Employer and its Employees and provides information in connection with health insurance plans (“Plans”), including (if requested by Employees and to the extent made available by Zorro in certain territories) enrollment for such Plans, and associated services as may be offered by Zorro (collectively, “Services”).
Zorro respects the privacy of Employers and their Employees using our Services (collectively referred herein as “User(s)”, “You” or “Your”). This Privacy Policy (the “Privacy Policy”) is intended to describe our practices regarding the information we may collect from you when you use or access our Services, the ways in which we may use such information, and the choices and rights available to you.
This Privacy Policy shall be read in conjunction with the terms applicable to your interaction with Zorro — either our Website Legal Terms or our in-product Terms of Use, as applicable — and may be supplemented by additional privacy statements, terms, or notices provided to you. Capitalized terms not defined herein shall have the meaning ascribed to them in the applicable terms governing your interaction with Zorro — either our Website Legal Terms or our In-Product Terms of Use, as applicable.
1. YOUR CONSENT
PLEASE READ THIS PRIVACY POLICY BEFORE ACCESSING AND/OR USING THE SERVICES. BY ACCESSING THE SERVICES, YOU AGREE TO THE TERMS AND CONDITIONS SET FORTH IN THIS PRIVACY POLICY, INCLUDING TO THE COLLECTION AND PROCESSING OF YOUR PERSONAL INFORMATION (AS DEFINED BELOW). IF YOU DISAGREE TO ANY TERM PROVIDED HEREIN, YOU MAY NOT ACCESS OR USE THE SERVICES.
Please note: you are not obligated by law to provide us with any Personal Information. You hereby acknowledge and agree that you are providing us with Personal Information at your own free will. You hereby agree that Zorro may collect and use such Personal Information pursuant to this Privacy Policy and any applicable laws and regulations.
In connection with enrollment and administrative activities, Zorro may receive personal and health-related information from Employer-designated representatives, including Brokers and Employer Admins, who may act on behalf of Employees. By using the Services, you acknowledge and consent to such parties acting in a representative capacity, and you agree that it is the responsibility of your Employer or Broker to notify you of such actions. Zorro is not responsible for decisions made by such representatives on your behalf.
You may revoke consent for Brokers, Employer Admins, or other authorized parties to act on your behalf at any time by providing written notice to Zorro. Revocation will not affect any actions taken prior to such notice.
TO THE EXTENT USER, BROKER AND/OR EMPLOYER ADMIN, AS THE CASE MAY BE, PROVIDES ZORRO WITH ANY PERSONAL INFORMATION RELATED TO ANY OTHER PERSON BESIDES THEMSELVES, SUCH AS EMPLOYEE, EMPLOYEES’ FAMILY MEMBERS, SUCH USER, BROKER AND/OR EMPLOYER ADMIN, AS THE CASE MAY BE, IS SOLELY RESPONSIBLE FOR RECEIVING AND HEREBY REPRESENTS THAT IT HAS RECEIVED AND MAINTAINED THE CONSENT, AUTHORITY, PERMISSION, AND APPROVAL OF SUCH PERSONS AND PROVIDED THEM WITH SUFFICIENT DISCLOSURES, TO ALLOW ZORRO TO ACCESS, STORE, COLLECT, ANALYZE AND PROCESS SUCH PERSONAL INFORMATION AS DETAILED HEREIN.
2. WHAT TYPES OF INFORMATION DO YOU COLLECT?
The categories of personal information we collect depend on how you interact with Zorro. For example, if you only browse our website, we may collect technical and usage data. If you use our Services to enroll in a health plan, we may collect additional information necessary for enrollment (such as SSN, date of birth, and health-related details).
Non-Personal Information
“Non-Personal Information” is un-identified and non-identifiable information pertaining to a user, which may be made available to us, or collected automatically via your use and/or Broker and/or Employer Admin use on your behalf of the Services. Such Non-personal Information does not enable us to identify the person from whom it was collected, and mainly consists of technical and aggregated usage information which is not linked to an identifiable individual, such as system data related to your operating system and browser, duration of usage of the Services, etc.
Personal Information
“Personal Information” is information that identifies an individual or may with reasonable efforts or together with additional information we have access to, enable the identification of an individual, or may be of a private or sensitive nature relating to an identified or identifiable natural person. Identification of an individual also includes the association of such an individual with a persistent identifier such as a name, social security number, persistent cookie identifier etc. Personal Information does not include information that has been anonymized or aggregated; provided, that, such information can no longer be used to identify a specific natural person. Such Personal Information that is collected by us consists of the following types of information:
- Registration to the Services. Information such as, but not limited to, Employees’ name, email, workplace, date of birth and social security number provided in connection with the registration process for the Services.
- Medical Information. Information provided by Employees and/or their family members, or information provided on behalf of Employees and/or their family members, concerning their health conditions and medical history as applicable with respect to the Plans.
We do not collect any Personal Information from you or related to you and/or your family members without your approval, which is obtained, inter alia, through your acceptance of this Privacy Policy or through a Broker and/or Employer Admin’s acceptance of this Privacy Policy, as described in Section 1 above.
To the extent Zorro collects, accesses, or processes Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Zorro shall comply with all applicable HIPAA privacy and security rules. PHI will only be used and disclosed as permitted under applicable law and in accordance with this Privacy Policy.
3. HOW DO YOU COLLECT INFORMATION FROM ME?
- We collect information through your use or the use on your behalf of the Services. To clarify, Zorro informs you that we are aware of your usage of the Services and may collect, record, and analyze information relating to such usage, including through the use of “cookies” and other tracking technologies, as further described in Section 9 below.
- We collect information which you provide us (or Broker and/or Employer Admin provides us on your behalf) voluntarily. For example, we collect Personal Information which you voluntarily provide (or Broker and/or Employer Admin provides on your behalf) when you request (or Broker and/or Employer Admin requests on your behalf) to receive communications from us or when you contact us (or Broker and/or Employer Admin contacts us on your behalf) directly via the Services.
- AI Agent / Automated Recommendations. We may use automated tools, including artificial intelligence, to assist in providing recommendations, guidance, or support. These tools may process Personal Information you provide during interactions (for example, through our chat assistant) in order to generate responses. Such tools operate under Zorro’s control, are not used for independent decision-making, and are subject to the safeguards and limitations described in this Privacy Policy.
4. WHY DO YOU COLLECT INFORMATION FROM ME?
- To provide and operate our Services, including without limitation, to provide information concerning Plans and related services.
- To enable us to provide our Users with a better user experience, with more relevant and accurate information, services, third party services, features and functionalities.
- To be able to set up, manage, and maintain (as applicable) your Zorro Account and provide you with support services.
- To send you updates, notices, notifications, newsletters, and additional information related to the Services.
- To create cumulative statistical data and other cumulative information that is non-personal, with which we and/or our business partners might make use in order to operate and improve our Services and offer related products.
- To prevent, detect, mitigate, and investigate fraud, security breaches or other potentially prohibited or illegal activities.
- To comply with any applicable rule or regulation and/or to respond to or defend against legal proceedings brought against us or our affiliates.
By using our Services and providing your contact details (including in cases where Broker and/or Employer Admin provides your contact details on your behalf), you agree to receive electronic communications from Zorro, including (but not limited to) emails, in-app notifications, etc., related to enrollment deadlines, service updates, and relevant plan information. You acknowledge that continued receipt of such communications constitutes implied consent to receive them. Failure to review or act on such communications may result in missed deadlines or loss of coverage.
5. WHAT ARE YOUR LEGAL GROUNDS FOR COLLECTING MY PERSONAL INFORMATION?
- In performing an agreement with you: We collect and process your Personal Information in order to provide you with the Services, following your acceptance (including the acceptance of Broker and/or Employer Agent on your behalf) of this Privacy Policy and pursuant to the Terms of Use.
- With your consent: We ask for your agreement, whether directly to Zorro or through your consent obtained by Employer, Broker, and/or Employer Admin, to process your information for the specific purposes stated in this Privacy Policy and you have the right to withdraw your consent at any time. Revocation of consent will not affect any actions taken prior to such notice.
- Legitimate interests: We process your information for our legitimate interests while applying appropriate safeguards that protect your privacy. This means that we process your information for purposes like detecting, preventing or otherwise addressing fraud, abuse, security, usability, functionality or technical issues with our Services; protecting against harm to the rights, property or safety of our Services, our users or the public as required or permitted by law; enforcing legal claims, including investigation of potential violations of this Privacy Policy; and in order to comply and/or fulfil our obligations under applicable laws, regulation, guidelines, industry standards and contractual requirements, legal process, subpoena or governmental request.
6. WHO DO YOU SHARE MY INFORMATION WITH AND WHY?
We may share information with third parties (or otherwise allow them access to it) only in the following manners and instances:
- Internally – We may share information with our affiliates, as well as our employees, for the purposes described in this Privacy Policy and in accordance with Section 5 above. In addition, should Zorro or any of its affiliates undergo any change in control, including by means of merger, acquisition or purchase of substantially all of its assets, your information may be shared with the parties involved in such event under strict security conditions, for the purpose of evaluating such event and in accordance with the terms of this Privacy Policy. If we believe that such change in control might materially affect your Personal Information then stored with us, we will notify you of this event and the choices you may have, through prominent notice on our Services.
- Protecting Our Rights and Safety – We may share your information to enforce this Privacy Policy and/or the Terms of Use, including investigation of potential violations thereof; to detect, prevent, or otherwise address fraud, security or technical issues; or otherwise, if we believe in good faith that this will help protect the rights, property or personal safety of any of our users, or any member of the general public.
- Third Parties & Business Partners – We may share your information with a number of selected service providers, whose services and solutions are required or otherwise facilitate achievement of the purposes of processing set forth under Section 4 above. These third parties serve in facilitating and enhancing our Services and related services, namely to allow cloud hosting services (e.g. AWS) and to facilitate enrollment to Plans by sending specific required information to the insurance carrier selected by an Employee pursuant to his/her request. Our third party service providers act as our sub-processors and may only process your information according to our instructions (which are given in accordance with the terms hereof). We remain responsible for any processing of your information done by such third party service providers on our behalf not in accordance with the terms hereof, except for events outside of such service providers’ reasonable control or instances where such service providers act in violation of our instructions.
- Law Enforcement – We may cooperate with government and law enforcement officials to enforce and comply with the law. We may therefore disclose any information to government or law enforcement officials as we believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect our or a third party’s property and legal rights, to protect the safety of the public or any person, or to prevent or stop any activity we may consider to be, or to pose a risk of being, illegal, unethical, inappropriate or legally actionable.
For avoidance of doubt, we may share anonymized or de-identified information with any other third party, at our sole discretion.
7. WHERE DO YOU TRANSFER OR STORE MY INFORMATION?
Your information may be transferred to, maintained, processed and stored by us and our authorized affiliates and service providers in the US and in Israel. Please note that Israeli data and privacy laws may not be as comprehensive as those in your country of residence. Residents of certain countries may be subject to additional protections, as set forth below.
GDPR (EEA Users): This section applies only to natural persons residing in the European Economic Area (for the purpose of this section only, "you" or "your" shall be limited accordingly). It is Zorro's policy to comply with the EEA's General Data Protection Regulation (“GDPR”). In accordance with the GDPR, we may transfer your Personal Information from your home country to Israel, the U.S. and/or other countries, provided that the transferee has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Specifically, we may cause such transfer if we ensured that at least one of the following applies:
- The country to which Personal Information has been transferred, has been determined by the EU Commission to be a country providing adequate protection to the privacy rights of EU residents.
- Application of Standard Contractual Clauses where appropriate.
You have additional rights regarding your personal data under the GDPR; please refer to Section 8 below.
8. WHAT ARE MY RIGHTS?
If applicable to you under your country’s jurisdiction, you may have certain rights in connection with your Personal Information and how we handle it. You can exercise your rights at any time by contacting us via any of the methods set out below. Those rights may include, but are not limited to, the following:
- Right of access. You may have a right to know what information we hold about you and, in some cases, to have the information communicated to you. We reserve the right to ask for reasonable evidence to verify your identity before we provide you with any information.
- Right to correct Personal Information. We endeavor to keep the information that we hold about you accurate and up to date. Should you realize that any of the information that we hold about you is incorrect, please let us know and we will correct it as soon as we can.
- Data deletion. In some circumstances you have a right to request that some portions of the Personal Information that we hold about you be deleted or otherwise anonymized.
- Data portability. In some circumstances, you may have the right to request that data which you have provided to us is provided to you, so you can transfer this to another data controller.
- Restriction of processing. In some cases, you may have the right to request a restriction of the processing of your Personal Information, such as when you are disputing the accuracy of your information held by us.
9. DO YOU USE COOKIES OR SIMILAR TRACKING TECHNOLOGIES?
We use certain monitoring and tracking technologies, including ones offered by third party service providers. These technologies are used in order to maintain, provide and improve our Services on an ongoing basis, and in order to provide a better experience to our users. For example, these technologies enable us to: (i) keep track of our Users’ preferences and authenticated sessions, (ii) secure our Services by detecting abnormal behaviors, (iii) identify technical issues and improve the overall performance of our Services, and (iv) create and monitor analytics. We may use cookies in connection with our Services. A “Cookie” is a small data file that is downloaded and stored on your computer when you visit our Services.
Learn more about your choices and how to opt-out of tracking technologies:
In order to delete or block any tracking technologies, please refer to the “Help” area on your internet browser for further instructions, or you may also opt out of third party tracking technologies by following the instructions provided by each third party service provider in its privacy policy listed above or visiting www.youronlinechoices.eu or www.aboutads.info/choices. Please note however that deleting any of our tracking technologies or disabling future tracking technologies may prevent you from accessing certain areas or features of our Services, or may otherwise adversely affect your user experience.
10. HOW DO YOU KEEP MY INFORMATION SECURE?
Zorro maintains industry-standard administrative, technical, and physical safeguards to protect your information, including compliance with SOC 2 Type II standards. We have implemented administrative, technical, and physical safeguards to help prevent unauthorized access, use, or disclosure of your Personal Information. Your information is stored on secure servers and isn’t publicly available. We limit access of your information only to those employees, third party service providers or partners on a “need to know” basis, and strictly in order to enable us to perform the agreement between you and us. Zorro applies additional technical and organizational safeguards when processing sensitive identifiers such as Social Security Numbers, ensuring they are used only for enrollment and compliance purposes and not for any secondary use.
Despite these measures, Zorro cannot provide absolute information security or eliminate all risks associated with Personal Information, and security breaches may happen. If there are any questions about security, please contact us as soon as possible at contact@myzorro.co.
11. HOW LONG WILL YOU RETAIN MY INFORMATION?
We will retain your Personal Information only for as long as necessary to achieve the purposes for collection and processing set forth above. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. If you withdraw your consent with respect to processing your Personal Information, we will delete your Personal Information from our systems (except to the extent retaining such data in whole or in part is necessary to comply with any applicable rule or regulation and/or to respond to or defend against legal proceedings brought against us or our affiliates).
12. HOW DO YOU PROTECT THE PRIVACY OF CHILDREN?
To receive the Services, you must be over the age of eighteen (18). If Employee, Broker, and/or Employer Admin, as the case may be, provides information concerning Employee’s family members under the age of 18 through the Zorro platform, Employee, Broker, and/or Employer Admin, as the case may be, hereby declares to Zorro that he/she is the parent or legal guardian of such an individual in the case of an Employee, or has received the consent from such parent or legal guardian of such an individual in the case of Broker and/or Employer Admin. In such a case, Employee (in his/her capacity as parent or guardian) assumes full responsibility for ensuring that the information provided to Zorro about the child or dependent is kept secure and accurate.
In the event that it comes to our knowledge that a person under the age of eighteen (18) is using our Services, not in accordance with the abovementioned terms, we will prohibit and block such User from accessing our Services and will make all efforts to promptly delete any Personal Information (as such term is defined herein) with regard to such User.
13. UPDATES TO THIS PRIVACY POLICY
This Privacy Policy is subject to changes from time to time, in our sole discretion. The most current version will always be posted on our Services (as reflected in the “Last Revised” heading). You are advised to check for updates regularly. By continuing to access and use our Services after any updates become effective, you accept and agree to be bound by the updated Privacy Policy.
14. GENERAL INFORMATION
This Privacy Policy, its interpretation, and any claims and disputes related hereto, shall be governed by the laws of the State of New York, without regard to its conflict of law principles. All such claims or disputes shall be resolved exclusively through binding individual arbitration, as further described in our Terms of Use. You waive any right to a jury trial or to participate in a class action. If arbitration is not enforceable in a specific context, claims shall be brought in a court of competent jurisdiction located in New York, NY.
15. STATE-SPECIFIC PRIVACY RIGHTS (US RESIDENTS)
Certain U.S. state laws provide residents with additional rights regarding their personal information. If you are a resident of California, Virginia, Colorado, Connecticut, or Utah, you may have the right to:
- Request access to the categories and specific pieces of personal information we have collected about you.
- Request deletion of your personal information, subject to applicable exceptions.
- Request correction of inaccurate personal information.
- Request information about the categories of personal information we collect, use, disclose, or sell/share.
- Opt out of the sale or sharing of personal information or targeted advertising (note: Zorro does not sell your personal information).
- Appeal our decision if we deny a request.
We have included Appendix I below, describing the categories of Personal Information we may collect, examples of each, purposes of use, and retention.
You may exercise these rights by contacting us at contact@myzorro.co. We will respond to your request as required by applicable law.
16. HOW CAN I CONTACT YOU?
If you wish to exercise any of the aforementioned rights, or receive more information, please contact us using the details provided below:
MyZorro, Inc.
Email: contact@myzorro.co
Address: 135 W 50th St Suite 200, New York, NY 10020
APPENDIX I: CATEGORIES OF PERSONAL INFORMATION COLLECTED
We may collect the categories of Personal Information listed below, as defined under applicable U.S. state privacy laws. Not all categories apply to every user; certain information is collected only if you use specific features of our Services, such as enrolling in a health plan, interacting with our AI-powered assistant, or communicating with customer support. Where required, we collect limited sensitive information (such as SSN, age, or health data) solely to facilitate plan enrollment in compliance with HIPAA and applicable laws.
Category | Examples | Collected | Purpose of Collection/Use |
---|---|---|---|
Identifiers | Real name, alias, postal address, email address, telephone number, account name, or other similar identifiers | Yes | To create and manage your Zorro Account; provide customer support; communicate with you; comply with legal obligations |
Government Identifiers | Social Security Number (SSN), driver’s license, state ID, passport number | Yes (enrollment only) | To facilitate plan enrollment as required by carriers and law; fraud prevention |
Protected Classifications | Age, date of birth, gender | Yes (enrollment only) | To determine eligibility and facilitate plan enrollment |
Commercial Information | Records of products/services purchased, obtained, or considered; transaction history | Yes | To process payments; manage billing; provide account support |
Internet/Network Activity | Browsing history, search history, interaction with website, application, or advertisements; user behavior tracking for analytics and product | Yes | To operate and improve our Site/Services; personalize experience; study and improve user experience; security and fraud prevention |
Geolocation Data | IP address-based location, device location (approximate) | Yes | Security; fraud prevention; to tailor offerings |
Biometric Information | Fingerprints, faceprints, voiceprints, iris/retina scans, keystroke or gait recognition | No | N/A |
Audio, Electronic, or Visual Data | Customer support calls, chat transcripts, session recordings (with sensitive information removed), or other communications | Yes (support and user experience improvement) | To provide customer service; quality assurance; compliance; study and improve user experience |
Professional or Employment Information | Employer name, role, work contact details | Yes | To facilitate employer-sponsored enrollment and benefits administration |
Education Information | Student records subject to FERPA | No | N/A |
Inferences | Preferences, characteristics, behavior patterns derived from other personal information | Yes (limited: only to support plan enrollment and product personalization, such as recommending plan options; we do not create broader behavioral or marketing profiles) | To improve Services and provide plan recommendations |
Sensitive Personal Information (SPI) | Health information, medical history, insurance selections, SSN, age, DOB | Yes (enrollment only) | To facilitate enrollment in health plans; comply with HIPAA and applicable laws |
Automated Tools / AI Agent Data | Information you provide to Zorro’s AI assistant during enrollment or plan selection | Yes (when used) | To provide recommendations, guidance, and support; AI tools operate under Zorro’s control and subject to safeguards in this Privacy Policy |
Not Collected:
We do not collect biometric identifiers (such as fingerprints, facial recognition data, or voiceprints) or precise geolocation data. Should Zorro in the future implement features requiring such information (e.g., secure biometric login), you will be notified in advance and this Privacy Policy will be updated accordingly. While we do not capture audio/video of Users, we may use privacy-protected session recording tools to study and improve the user experience. These recordings are scrubbed of sensitive identifiers (e.g., SSN, health information) before analysis.