Juul Labs, INC.

Corporate Websites Privacy Policy

Effective Date: November 13, 2024

This privacy notice (“Corporate Privacy Notice”) applies to personal information processed by Juul Labs, Inc. (“Juul Labs,” “we,” “us,” or “our”) when engaging with us on our corporate websites including www.juullabs.com, www.juullabsretailer.com, or www.juullabsscience.com (collectively, the “Corporate Sites”), or other online informational offerings owned or operated by Juul Labs (collectively, the “Services”). Our Corporate Privacy Notice is designed to help you understand how we collect, use, process, and share your personal information when you engage with us through the Corporate Sites and to help you understand and exercise your privacy rights.

As used in this Corporate Privacy Notice, “personal information” has the meaning given to it under the law where you live, but typically refers to information that can be used to identify you as an individual; meanwhile our activities taken with respect to your personal information are referred to as “processing.”  For residents of California and other US states with specific privacy rights, additional disclosures are available below.

You can also download a copy of the policy.

  1. SCOPE

    This privacy notice (“Corporate Privacy Notice”) applies to personal data processed by Juul Labs, Inc. (“Juul Labs,” “we,” “us,” or “our”) when engaging with us on our corporate websites including www.juullabs.com, www.juullabsretailer.com, www.juullabsscience.com and www.juullabs.co.uk (collectively, the “Corporate Sites”), or other online informational offerings owned or operated by Juul Labs that link to this Corporate Privacy Notice (collectively, the “Services”). Our Corporate Privacy Notice is designed to help you understand how we collect, use, process, and disclose information that could reasonably be used to identify you (“personal data” or “personal information”). Juul Labs is the controller of the personal data we process under this Corporate Privacy Notice.

    Our Corporate Sites provide information about our work to offer smokers who are legally eligible to purchase our products in the jurisdiction in which they are offered (“Adults”) viable noncombustible alternatives and reduce the harm associated with combustible cigarettes. The Corporate Sites also provide information about, and our Services support, our work to combat the serious problem of underage use of vapor products directly, and through our authorized retailers.

    We have independent, age-restricted websites through which we offer our products to eligible Adult smokers and other users (the “E-Commerce Sites”). Data we process through our E-Commerce Sites is described in our Global Privacy Notice.

    If you work for Juul Labs or apply for a job with us, our Worker and Applicant Privacy Notice describes how we process your personal data. For residents of the UK, EU and other jurisdictions and certain US states with comprehensive privacy laws, additional disclosures about the information we collect are contained in the SUPPLEMENTAL DISCLOSURES section of this Corporate Privacy Notice.

  2. PERSONAL INFORMATION WE COLLECT

    The categories of personal data we collect depends on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us directly, information we obtain automatically when you use our Services, and information from other sources as described below.  If we are required by applicable law or by the terms of a contract to collect your personal data, and you fail to provide the necessary information to us, we may not be able to provide you with Services you requested or otherwise perform under our contract with you.

    Information You Provide to Us Directly

    • Communications with Us.We collect personal data from you such as name and email address when you request information or register for ongoing communication from us, inquire about our corporate initiatives, request retailer or technical support, report unlawful or inappropriate sale or use of our products, use other communication tools we may offer through the Services (such as a chatbot), or otherwise communicate with us.
    • Information Related to Research. We are committed to supporting scientific research through our Investigator Initiated Research Program (“IIR Program”). Researchers may choose to provide personal data through the IIR Program including name, credentials, organization, phone number, email address, written agreement, research study, and any other information you submit to us when you submit a research proposal, participate as an investigator in the IIR Program, communicate with us about the IIR Program, or participate as a member of an institution engaged in IIR research. We use this information to run and manage the IIR Program, as well as to communicate directly with you about the IIR Program.
    • Adverse Experience Reports. If you contact us report a potential issue, concern, or complaint related to an adverse experience potentially related to the use of our products (an “Adverse Experience”), we are required to collect certain information, including potentially sensitive and special category personal data about the health and habits of the person with whom the Adverse Experience is associated.
    • Social Media Content. Juul Labs maintains a social media presence for corporate communications. Any content or personal data you provide on these channels will be subject to the privacy policies and other terms of the applicable social media platform provider(s).
    • Customer Service and Feedback. We may collect personal data, such as email address, phone number, or mailing address when you request information about our Services, register for any informational communications, marketing and promotional correspondence, request customer or technical support, or otherwise communicate with us.
    • Business Development and Strategic Partnerships.We may collect personal data from individuals and third parties to assess and pursue potential business opportunities.

    Information We Collect Automatically.  We as well as third parties that provide content, analytics, or other functionality on our Services, may use cookies, pixel tags, and other technologies (collectively, “Tracking Technologies”) to automatically collect information through your use of our Services. This includes information about your equipment, browsing actions and patterns.

    Information We Collect from Third-Party Services and Other Sources.  Where permitted by law, we may obtain personal data about you from other sources, including through third-party services and organizations.  For example, if you access our Services through a social networking site, we may collect personal data about you from that third-party application that you have made available via your privacy settings. If you are a research professional who has submitted a proposal to our IIR Program, we may collect or validate personal data if and as applicable, such as your institutional affiliation, license information, past publications, and other due diligence related information from various sources. Finally, we may also obtain personal data about you from other individuals, for example, a spouse or family member who contacts us to report a potential Adverse Experience you may have experienced when using our products.

  3. HOW WE USE INFORMATION

    We will only use your personal data for lawful purposes. Specifically, we may use your personal data for a variety of business purposes, including to provide our Services, for administrative purposes, and to market our products and Services, as described below. More information about the legal basis for each of these purposes under applicable data protection laws is set forth in our Supplemental Disclosures.

    We will only use your personal data for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose as specified in applicable data protection laws. If we need to use your personal data for a purpose that we have not specified in this Corporate Privacy Notice, we will notify you where we are required by applicable data protection laws to do so and we will explain the legal basis which allows us to do so, or seek your consent, as required.

    Provide Our Services. We use your information to fulfil our contract with you and provide you with our Services, such as:

    • Managing your information and associated profile or account(s) if applicable (e.g., as a retailer or scientific contributor);
    • Providing access to certain areas, functionalities, and features of our Services;
    • Answering requests for support;
    • Communicating with you about your activities on our Services or changes to our policies;
    • Undertaking activities to verify or maintain the quality or safety of our Services; and
    • Allowing you to register for events (e.g., an industry associated event).

    Administrative and Business Purposes. We use your information for various administrative purposes, such as:

    • Pursuing our legitimate interests such as research, and development (including marketing research), network and information security, and fraud prevention;
    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
    • Measuring interest and engagement in our Services;
    • Short-term, transient use, such as contextual customization of ads;
    • Improving, upgrading, or enhancing our Services;
    • Developing new products and services;
    • Ensuring internal quality control and safety;
    • Authenticating and verifying individual identities, including requests to exercise your rights under this Corporate Privacy Notice;
    • Providing information required to meet our compliance obligations or commitments, such as preventing underage use of our products or collecting information from individuals who may have experienced potentially Adverse Experiences when using our products;
    • Reporting Adverse Experiences reported to, or discovered by us, to relevant oversight authorities;
    • Debugging to identify and repair errors with our Services;
    • Auditing relating to interactions, transactions, and other compliance activities;
    • Disclosing personal data with third parties as needed to provide the Services;
    • Performing services on behalf of the business, including maintaining or servicing accounts, providing analytic services, providing storage, or providing similar services on behalf of the business;
    • Enforcing our agreements and policies;
    • Supporting industry initiatives, symposia, conferences, and scientific, educational, and volunteer events related to our customers or our business;
    • Carrying out activities that are required to comply with our legal obligations, and
    • For other legitimate business purposes as permitted by law.
    • De-identified and Aggregated Information. We may use personal data to create de-identified and/or aggregated information, such as demographic information, information about the device from which you access our Services, or other analyses we create. We use this deidentified or aggregated data for the purposes outlined in this Corporate Privacy Notice and afford it appropriate protections as required by applicable data protection and other laws.
    • Other Purposes. We may also use your personal data for other purposes with your consent, as requested by you, or as required or permitted by applicable law.

  4. HOW WE DISCLOSE INFORMATION

    We may disclose your personal data to third parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below. We may also disclose your information to third parties as appropriate and permitted by law. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers that process your personal data on our behalf to use your personal data for their own marketing or any other purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

    • To Provide our Services

    The categories of third parties with whom we may share your personal data are described below:

    • Service Providers. We may share your personal data with our third-party service providers and vendors that assist us with the provision of our Services. This includes service providers and vendors that provide us with IT support, business analytics, hosting, customer service, and related services.
    • Business Partners. We may share your personal data with business partners to provide you with a product or service you have requested. We may also share your personal data with business partners with whom we jointly offer products or services.
    • Affiliates. We may share your personal data with our affiliated companies for our administrative or regulatory compliance purposes, IT management, or for them to provide services to you or support and supplement the Services we provide.
    • To Protect Ourselves or Others

    We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

    • In the Event of Merger, Sale, or Other Asset Transfers

    If we are involved in an actual or proposed merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another commercial entity, your information may be disclosed, sold, or transferred as part of such a transaction, as permitted by law and/or contract.

  5. ONLINE TRACKING TECHNOLOGIES

    We as well as third parties that provide content, analytics, or other functionalities in relation to our Services, may use Tracking Technologies to automatically collect information through your use of our Services and distinguish you from other users of the Services.

    We may use Tracking Technologies in various ways, as described by the following categories:

    • Essential Tracking Technologies. These Tracking Technologies are essential to our ability to offer our Services and include technologies that allow you access to our Services, applications, and enable tools that we use to identify irregular website behavior, prevent fraudulent activity, improve security, or allow you to make use of embedded functionalities or features of our Services.
    • Performance-Related Tracking Technologies. These Tracking Technologies help us assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services.
    • Functionality-Related Tracking Technologies. These Tracking Technologies allow us to operate our Services and offer enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past viewing activities.
    • Analytics. These Tracking Technologies allow us to better understand how our digital Services are used and to continually improve and personalize our Services.
    • Social Media Platforms. We maintain corporate social media accounts that contain only informational, non-promotional content such as job postings, press releases on scientific research, public policy updates, or potential product safety notices. If you visit one of our corporate social media accounts, the social media site, like any other third-party site, may collect personal data. Your interactions with these platforms are governed by the privacy policy of the company providing it.
    • Fraud and Abuse Prevention Providers.We may use third-party services to protect our Sites from fraud and abuse. For example, we may use Google’s reCAPTCHA technology to evaluate various device-and-user based analytics to estimate whether the activity is from an automated program (i.e. a “bot”) or a human. You can learn more about how data processed by reCAPTCHA is used by reviewing Google’s privacy policy.

  6. YOUR PRIVACY CHOICES

    The privacy choices you may have about your personal data are determined by applicable law and described below.

    • Email Communications. If you receive an unwanted email from us, you can use the ‘unsubscribe’ link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services, updates to legal terms or this Corporate Privacy Notice).
    • Tracking Technologies. You can control our use of certain Tracking Technologies in the following ways:
      • Cookie Controls. You may decline all or select the types of non-essential Tracking Technologies that apply to your use of our Services by managing your preferences at any time by clicking the paperclip icon in the bottom left-hand corner of a Corporate Site.
      • Browser Controls. You may also stop or restrict the placement of certain Tracking Technologies in your browser or remove them by adjusting your preferences as your browser permits. These tools are generally available in the help section of browsers. You can also use the quick links, based on the browser type that you are using: Internet Explorer, Google Chrome, Firefox, and Safari.
      • Mobile Device Controls. You may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS, and others. Please note that cookie-based opt-outs may not stop all mobile tracking, such as tracking done on mobile applications.
      • Ad Industry Opt-outs. The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada. Please note you must separately opt out in each browser and on each device.
      • Do Not Track/ Global Privacy Control.”You may exercise your opt-out right by broadcasting an opt-out preference signal, called the Global Privacy Control (“GPC”) on the browsers and/or browser extensions that support such a signal. You can learn more about the GPC here. Please note that your request to opt-out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access the Corporate Sites, you will need to renew your opt-out request. Note that while we honor the GPC, we do not listen for or respond to older, Do Not Track (“DNT”) technologies that users may set in certain web browsers. (Note you must turn the GPC signal on for each supported browser or browser extension you use to connect with our Services.)

  7. YOUR PRIVACY RIGHTS

    The privacy rights you may have about your personal data are determined by applicable law and described below. If you would like to exercise any of these rights, please Contact Us at any time, or as otherwise instructed in SUPPLEMENTAL DISCLOSURES below. We will process such requests in accordance with applicable laws and will not discriminate or retaliate against you for the exercise of any of these rights. Note that to protect your privacy, we will take steps to reasonably verify your identity before fulfilling your request. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal data or an authorized representative of that person.

    • Obtain Access to and Portability of Your Personal Information, including: (i) confirming whether and how we are processing your personal data; (ii) obtaining access to or a copy of your personal data including specific pieces of personal data; and (iii) receiving an electronic copy of personal data that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine readable format (also known as the “right of data portability”).
    • Request Correction of your personal data where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal data.
    • Request Deletion of your personal data.
    • Withdraw your Consent to our processing of your personal data. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.
    • Request Restriction of or Object to our processing of your personal data depending on the legal rights of your jurisdiction. For example, depending on where you live, you might have the right to opt out of (i) the sale or sharing of your personal data, (ii) our use or disclosure of your sensitive personal data, and/or (iii) the processing of your personal data for purposes of (a) targeted advertising, and (b) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
    • Appeal. You may have the right to appeal our decision or response to your request. To exercise your right to appeal, you can submit an appeal request using the same method used to submit your original request, including by Contacting Us at any time as set forth below.
    • Lodge a Complaint. While we are always willing and eager to listen and respond to your concerns about this Notice or our data practices, at any time you have the right to lodge a complaint with the data protection authority or other regulatory body in charge of enforcing data protection laws in your jurisdiction.

  8. INFORMATION SECURITY

    We take steps to ensure that your information is treated securely and in accordance with this Corporate Privacy Notice. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized access, use, disclosure, or loss of your personal data.

  9. THIRD PARTY LINKS AND CONTENT

    The Corporate Sites may contain links to other Juul Labs websites or terms which govern those sites or activities. In addition, the Corporate Sites may link to, or be referenced by websites/applications that are operated by third parties and not controlled by us. We encourage you to read the privacy policy of each website or application you visit. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of any third-party website or application. Providing personal data to third-party websites or applications is at your own risk.

  10. INTERNATIONAL DATA TRANSFERS

    All information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States, Canada, and the United Kingdom, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of applicable laws.

  11. INFORMATION RETENTION

    We store the personal data we collect as described in this Corporate Privacy Notice for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, or based upon other criteria, including, but not limited to, the sensitivity and volume of such data in each case in line with our data retention policies.

  12. UNDERAGE USERS AND AGE VERIFICATION

    The Services are directed exclusively at Adults, are designed to discourage non-Adults from engaging with our Services and from accessing the Corporate Sites, and we do not knowingly collect personal data from, or otherwise interact with, non-Adults.  Protecting underage individuals is important to us. If you are a parent or guardian and believe your underage child has submitted personal data through the Corporate Sites without your consent, and you wish to have that information modified or deleted, or you may Contact Us at any time as set forth below. If we become aware that an underage individual has provided us with personal data in violation of our policies, compliance obligations or applicable law, we will delete any personal data we have collected, unless we have a legal obligation to keep it.

  13. CHANGES TO THIS CORPORATE PRIVACY NOTICE

    We may revise this Corporate Privacy Notice from time to time in our sole discretion. If there are any material changes to this Corporate Privacy Notice, we will notify you as required by applicable law.

  14. CONTACT US

    If you have any questions about our privacy practices or this Corporate Privacy Notice, or to exercise your rights as detailed in this Corporate Privacy Notice, please:

    Make an online request by visiting our Privacy Center

    Email us at dataprivacy@juul.com

    Call us at 1-855-509-5885

    Write to us at:

    Juul Labs, Inc.
    Attn: Chief Compliance Officer
    1000 F Street NW
    Washington, DC 20004

  15. NOTICE AT COLLECTION AND SUPPLEMENTAL DISCLOSURES FOR SPECIFIC JURISDICTIONS

    • United States. This Notice at Collection and Supplemental Notice is for residents of those US states that have adopted comprehensive privacy legislation and others that may come into effect from time to time (collectively, “Applicable State Laws”).
      • Personal Data We Collect. As more fully described in the section titled Personal Information We Collect, the sources from which we collect personal data include directly from you when you interact with us, automatically from you when you use our sites and Services, and from third parties.
      • Personal Data we Disclose. Depending on how you use our Services, the information we may have collected about you, as well as the categories of third parties with whom we have disclosed this information, are described in the list below.

    Category of Personal Information Collected by Juul Labs: Identifiers. For example, real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.

    • Category of Third Parties to Whom Personal Information May Disclosed for a Business Purpose:
      • Service providers
    • Category of Third Parties with Whom Personal Information May be Shared:
      • Data analytics providers

    Category of Personal Information Collected by Juul Labs: Personal information categories  For example, name, address, telephone number or professional information.

    • Category of Third Parties to Whom Personal Information May Disclosed for a Business Purpose:
      • Service providers
      • Affiliates

    Category of Personal Information Collected by Juul Labs: Internet or other electronic network activity. For example, browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement.

    • Category of Third Parties to Whom Personal Information May Disclosed for a Business Purpose:
      • Service providers
      • Advertising networks
      • Data analytics providers
    • Category of Third Parties with Whom Personal Information May be Shared :
      • Data analytics providers

    Category of Personal Information Collected by Juul Labs: Sensitive personal information. Any information concerning a consumer’s health, medical history, physical or mental condition or treatment.

    • Category of Third Parties to Whom Personal Information May Disclosed for a Business Purpose:
      • Service providers
      • Government entities

    Category of Personal Information Collected by Juul Labs: Sensory data: Audio or similar information.

    • Category of Third Parties to Whom Personal Information May Disclosed for a Business Purpose:
      • Service providers
      • Affiliates
    • Our Use of Personal Data. We may use or disclose the personal data we collect for the purposes outlined in Use of Information Where required under applicable law, we will not collect additional categories of personal data or use the personal data we have collected for materially different, unrelated, or incompatible purposes without first providing you notice.
    • Sales/Sharing of Personal For purposes of certain laws, Juul Labs does not “sell” personal data, nor do we have actual knowledge of any sale of personal data as the term “sell” is commonly understood. We may share information with third parties for the purpose of analyzing traffic on the Corporate Sites as described above. You may limit such sharing by adjusting your browser settings to send a GPC signal, or by Contacting Us.
    • Retention of Personal Information. We store the personal data we collect as described in the INFORMATION RETENTION section of our Corporate Privacy Notice.
    • Privacy Rights. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request to exercise any of your privacy rights outlined in the YOUR PRIVACY RIGHTS section of the Corporate Privacy Notice related to your personal data. You may also make a verifiable consumer request on behalf of your minor child. To authorize an agent, provide written authorization signed by you and your designated agent and Contact Us for additional instructions.

    United Kingdom and European Union. The information below contains a list of the legal bases on which we rely when processing personal data that is subject to applicable data protection laws in Europe, including the EU General Data Protection Regulation (the “EU GDPR”) and the EU GDPR as it forms part of retained EU law in the United Kingdom, (the “UK GDPR”). Please also note that if your personal data is subject to the EU GDPR or UK GDPR, you may receive a copy of the safeguards we use to protect your personal data when it is transferred internationally on request.

    Processing Purpose: Providing our Services

    • Data: Information you share with us including information about your identity.
    • Applicable Legal Bases: Performance of a contract with you; necessary for our legitimate interests (managing our relationship with you; to keep our records updated and resolve customer issues; to improve, personalize and develop the Services we offer you, to communicate with you about your use of our Services), and with your consent.

    Processing Purpose: Administrative and Regulatory Purposes

    • Data: Information you share with us including identity, contact, communications, profile, information collected automatically through the Corporate Sites.
    • Applicable Legal Bases: Performance of a contract with you; Necessary to comply with a legal or regulatory obligation (including the defense of claims); Necessary for our legitimate interests (to operate our business, provide administrative and IT services, network security, to prevent fraud and in the context of a business reorganization; to maintain current business records, study how customers use our products/services, resolve customer issues, improve the Corporate Sites, support personalized features, to detect and resolve technical problems and to develop our business), and with your consent.

    Processing Purpose: Marketing Purposes

    • Information you share with us including identity, contact, information collected automatically through the Corporate Sites and communications data.
    • Necessary for our legitimate interests (to study how customers use our products/services, to develop them and to develop and grow our business); Consent if required by law (e.g. for use of non-essential cookies)