1. Scope
This Privacy Policy covers information processed by Rosiflow, Inc. on the marketing site, in the customer-facing application, and through patient portals provided to our clinic customers. Protected Health Information ("PHI") submitted by patients to a clinic is governed by the Business Associate Agreement between Rosiflow and that clinic, in addition to this policy.
2. Information we collect
- Account information — name, work email, organization, and role for clinical users.
- Usage information — pages viewed, actions taken, and audit-log events necessary for security and product operation.
- PHI submitted on behalf of a clinic — processed strictly under the BAA with that clinic and never used to train shared models.
- Marketing site requests — standard server logs (URL, status code, anonymized IP hash) for security and product operation. We do not run third-party analytics or advertising trackers on the marketing site.
3. How we use information
We use information to provide and operate the Rosiflow service, secure it, communicate with customers, comply with legal obligations, and improve the product. We do not sell personal information.
4. Sharing
We share information only with subprocessors required to operate the service (cloud infrastructure, observability, customer support tooling), all of which are bound by written agreements. A current subprocessor list is available on request.
5. Retention
We retain information for the duration of the customer relationship and for the period required by law thereafter. Patients may request deletion through the clinic that issued their portal link.
6. Your rights
Depending on your jurisdiction, you may have rights to access, correct, or delete personal information we hold about you. Contact privacy@rosiflow.com to exercise these rights.
7. Contact
Questions about this policy: privacy@rosiflow.com. For HIPAA-specific inquiries: security@rosiflow.com.
Last updated: May 13, 2026.