Privacy Policy

1) HIPAA & Our Role

We handle your health information in compliance with applicable privacy and security laws, including HIPAA where it applies.

When HIPAA applies: We act as a HIPAA Business Associate when we receive Protected Health Information from healthcare providers, health plans, or employers on your behalf. In these cases, we comply with HIPAA's security and privacy requirements.

Consumer health information: When you provide health information directly to us, we protect it using the same rigorous security standards we use for HIPAA-regulated data. We are also subject to the FTC Health Breach Notification Rule and state consumer health data privacy laws.

Enterprise customers: When we work with employer health plans or third-party administrators, we enter into Business Associate Agreements that govern our handling of Protected Health Information under HIPAA.

In all cases, we are committed to protecting your health information with industry-leading security practices.

2) Information We Collect

We collect information to provide and improve the Services:

3) How We Collect Information

• Directly from you (forms, SMS, uploads)
• From your health plan, employer, or healthcare provider, as authorized
• From health record connectivity platforms, with your authorization
• From publicly available sources (provider directories, price transparency files)
• From cookies and analytics tools on our website and app

4) How We Use Information

We use information to:

• Provide the Services — care navigation, provider matching, scheduling, benefits coordination, reminders, and support.
• Communicate with you — transactional messages, service notices, and troubleshooting.
• Secure and maintain the Services — fraud prevention, threat detection, debugging, and incident response.
• Improve and personalize — product development, analytics, provider recommendations, and service personalization.
• Comply with legal and contractual obligations — regulatory requirements, dispute resolution, and enforcement of our Terms.
• Share at your direction — with your providers, facilities, plans, or authorized representatives to coordinate care.

We will not use your information for materially different purposes without providing notice and, where required by law, obtaining consent.

De-identified data. We may use or disclose de-identified or aggregated information for analytics, research, or improving the Services. When we de-identify information, we commit to maintain and use it in de-identified form and not to re-identify it except as permitted by law.

5) AI & Automated Features

We use automation and AI-assisted software to support non-clinical tasks such as extracting referral details, suggesting providers, generating draft messages, and organizing scheduling information. We do not use AI for medical diagnosis or treatment decisions. You may request human assistance at any point.

Vendor Controls. We engage service providers to process information under data protection agreements. Where available, we configure vendors to disable training on your data and minimize data retention. We instruct vendors not to use your information to train their models or for advertising.

Limitations. AI-generated content may be incomplete or inaccurate and is provided for informational purposes only. Always confirm medical questions with your clinician.

Automated Messaging. Some messages may be sent using automated systems. Reply STOP to opt out or HELP for assistance.

6) Cookies & Analytics

We use cookies and similar technologies for functionality, analytics, and security. You can manage cookies through your browser settings; disabling certain cookies may impact functionality. We do not use cookies for cross-context behavioral advertising on health-related pages.

Technologies We Use:

• Cookies save your preferences and help us remember your account information to improve your experience.
• Pixels and tags provide analytical information about how visitors use our Services.
• Session replay and analytics tools record interactions with our Services (such as pages visited, clicks, and scrolling) to help us understand user experience, identify technical issues, and improve our product. These tools may capture information you enter into forms. We configure these tools to mask sensitive information like passwords and payment details.

Your Choices: You can manage or disable cookies through your browser settings, though some features may not function properly if you do so.

7) How We Share Information

We share information with:

• Service providers supporting hosting, communications (SMS/voice), health data connectivity, identity verification, analytics, security, and payments. They may access information only to perform services for us and are bound by contract.
• Health plans, providers, and employers as authorized to coordinate benefits and care, or under a BAA.
• Third parties at your direction (e.g., family members or caregivers you designate).
• Legal and safety purposes — to comply with law, respond to legal requests, and protect rights, safety, and security.
• Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy's protections.

We do not sell your personal information as defined by applicable privacy laws, nor do we share it for cross-context behavioral advertising.

SMS Commitment. We will not share your mobile phone number, consent records, or message content with third parties for marketing or promotional purposes. Carriers and authorized message processors may handle phone numbers and message metadata solely to deliver messages and prevent fraud/abuse.

8) Your Privacy Rights

Depending on your state, you may have rights to access, correct, delete, port, or opt out of certain processing. You may also have the right to limit the use of sensitive personal information and to appeal our decisions.

How to Exercise Rights. Email contact@rovihealth.com with your request. You may use an authorized agent. We will verify your identity (and may decline requests we cannot verify) and generally respond within 45 days (with one permitted extension). We will not discriminate against you for exercising your rights.

Appeals. If we deny your request, you may appeal by replying to our decision email. We will respond to appeals within 45 days (or the period required by your state). If you remain unsatisfied, you may contact your state attorney general.

Automated Decision-Making. Where state law grants this right, you may opt out of or request human review of decisions based solely on automated processing that produce legal or similarly significant effects.

9) Data Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of information, including encryption, access controls, logging, and vendor oversight. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Breach Notification. In the event of a data breach affecting your information, we will notify you as required by applicable law, including the FTC Health Breach Notification Rule and state breach notification laws.

10) Data Retention

We retain information as long as reasonably necessary to provide Services, meet legal and contractual obligations, and resolve disputes. Retention periods vary based on the type of information and applicable law:

• Account and communication records: retained while your account is active and for up to 7 years thereafter to meet legal, regulatory, and business requirements.
• Scheduling and coordination records: retained for up to 7 years to support care coordination history and compliance obligations.
• SMS consent and opt-out records: retained for at least 5 years to comply with telecommunications laws.
• Analytics and session data: retained for up to 90 days to support product improvement and troubleshooting.
• Logs and diagnostics: retained for up to 2 years, or longer if needed for security investigations or legal requirements.
• HIPAA contexts: where we act as a Business Associate, we retain required documentation (BAAs, authorizations) for at least 6 years and follow retention terms in applicable BAAs or as required by law.

We may retain information longer when required by law, necessary for legal proceedings, or to protect our legitimate business interests and legal rights. Upon account closure, we will deactivate your account and delete or de-identify personal information subject to these retention requirements. Backups may persist for a limited period consistent with disaster recovery practices.

11) Children's Privacy

The Services are intended for individuals 18 and older. We do not knowingly collect information from children under 13. If we learn we have collected such information, we will delete it.

12) Data Storage

We process and store data in the United States. If we transfer personal information internationally in the future, we will implement appropriate safeguards and provide required notices.

13) Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice by updating the "Effective date" and through in-product messaging, SMS, or email where feasible. Your continued use after changes take effect constitutes acceptance.

14) Contact Us

Rovi Health, Inc.
1620 Sansom Street, #1507
Philadelphia, PA 19103
Email: contact@rovihealth.com

For accessibility accommodations, please include "Accessibility Request" in your subject line.

State-Specific Privacy Rights

These disclosures apply to residents of states with comprehensive privacy laws. Where these provisions conflict with the general Policy, they control.

Your State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Montana, Oregon, Texas, Delaware, Iowa, Indiana, Tennessee, Nebraska, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, or Rhode Island, you have specific rights under your state's privacy law:

• Access & Portability: Request a copy of the personal information we hold about you in a portable format.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information, subject to legal and security exceptions.
• Opt-Out Rights: Opt out of (1) sale of personal information (we do not sell personal information), (2) sharing for targeted advertising (we do not share for targeted advertising), and (3) certain profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
• Limit Use of Sensitive Information: Limit our use/disclosure of sensitive personal information (including health information) to purposes necessary to provide the Services you requested and as permitted by law.
• Appeal Rights: If we deny your request, you may appeal our decision as described in Section 8.

How to Exercise Rights: Email contact@rovihealth.com. We will verify your identity and respond within the timeframe required by your state's law (typically 45 days, with one extension allowed).

California Residents (CPRA)

• Categories of Information Collected: See Section 2.
• Purposes of Use: See Section 4.
• Categories of Information Disclosed: We disclose the categories listed in Section 2 to service providers, health plans and providers (as authorized), and for legal/safety purposes as described in Section 7.
• Sensitive Personal Information: We collect sensitive personal information (e.g., health information, account credentials) only to provide Services you request, for security purposes, and to comply with law. We do not use sensitive personal information to infer characteristics about you.
• No Sale or Share: We do not sell personal information or share it for cross-context behavioral advertising.
• Retention: See Section 10.
• Your Rights: California residents have rights to access, delete, correct, and port personal information; to limit use/disclosure of sensitive personal information; and to opt out of sale and sharing (not applicable). You may designate an authorized agent.

Washington (My Health My Data Act) & Nevada

• Consumer Health Data: We collect health-related information you provide (symptoms, referrals, appointments), insurance and benefits information, records necessary to coordinate care, and inferences used to suggest scheduling options.
• Sources: Directly from you; from authorized health plans, providers, and employers; from health record platforms (with authorization); and from publicly available sources.
• Purposes: To provide Services you request; secure and improve Services; comply with legal obligations; and share with providers and plans at your direction.
• Disclosure: We share consumer health data with service providers, authorized health plans and providers, and for legal/safety purposes. We do not sell consumer health data or use it for targeted advertising.
• Your Rights: Access, delete, and withdraw consent. You may revoke authorizations you provide to collect data from providers or plans; revocation does not affect prior disclosures.
• Consent & Withdrawal: By using the Services and providing health information, you consent to our collection and use as described in this Policy. You may withdraw consent at any time by emailing contact@rovihealth.com; withdrawal may limit our ability to coordinate care.
• Geofencing: We do not use geofencing to establish physical location for marketing related to health facilities.

Mobile & SMS Terms Summary

By opting in to SMS, you consent to receive text messages related to care coordination and scheduling. Reply STOP to opt out or HELP for assistance. Message and data rates may apply. We will not share your mobile phone number or message content with third parties for marketing purposes. Detailed SMS terms are available in our Terms of Service.