Privacy Policy
A note on scope. Rosa Health's website is a marketing site intended for prospective business partners — health plans, government agencies, provider organizations, and investors. It is not a patient-facing service. We do not knowingly collect protected health information (PHI) through this site, and we ask that you do not submit any individual member or patient health details through our forms.
1. Who we are
Rosa Health, Inc. ("Rosa Health," "we," "us," or "our") is a care management intelligence platform built for organizations serving individuals with autism spectrum disorder (ASD) and intellectual and developmental disabilities (IDD). We are headquartered in Dedham, Massachusetts.
This Privacy Policy describes how we collect, use, and share information through our website at rosahealth.io (the "Site"). It does not apply to any separate product, service, or customer environment we may operate, which are governed by separate agreements.
2. Information we collect
Information you provide directly
When you request a demo, contact us, or otherwise interact with our Site, you may provide:
- Your first and last name
- Your work email address
- Your job title or role (optional)
- Your organization or health plan name
- Your organization's plan type (e.g., Medicaid MCO, CHIP, Commercial, State Agency)
- How you heard about us (optional)
- A free-text message describing what you are looking to solve
Information collected automatically
When you visit our Site, we and our service providers may automatically collect:
- Technical information: IP address, browser type, operating system, device identifiers, and referring URL
- Usage information: pages viewed, links clicked, time spent on pages, and similar engagement data
- Approximate location derived from your IP address
3. How we use information
We use the information we collect to:
- Respond to your demo requests and inquiries
- Communicate with you about Rosa Health products, services, and relevant industry information
- Understand how visitors use our Site and improve its content and performance
- Measure the effectiveness of our marketing and outreach
- Detect, prevent, and address technical issues, fraud, or abuse
- Comply with legal obligations and enforce our agreements
We rely on our legitimate business interests, your consent (where required), the performance of a contract, and our legal obligations as lawful bases for these activities.
4. How we share information
We do not sell your personal information. We share information only in the following circumstances:
- Service providers. We share information with vendors who help us operate the Site and our business — for example, hosting providers, email tools, CRM systems, and analytics providers. These vendors are contractually restricted to using your information only to provide services to us.
- Legal and safety. We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of Rosa Health, our users, or others.
- Business transactions. In the event of a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
- With your consent. We will share information for any other purpose disclosed to you with your consent.
5. Analytics and tracking technologies
We use cookies and similar technologies to understand how visitors use our Site. Our current analytics and visitor identification tools may include:
- Google Analytics 4 — aggregate traffic and engagement analytics
- Netlify — hosting and form submission infrastructure
- Other business-to-business visitor identification, advertising measurement, or CRM tools that we may add over time
These tools collect information such as your IP address, browser, and pages visited. We configure them not to receive the contents of form fields, including the free-text message you provide when requesting a demo.
Most browsers allow you to refuse cookies or alert you when cookies are being sent. You can also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
6. Data retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer period is required or permitted by law. In general:
- Demo requests and business inquiries are retained for as long as there is a potential or active business relationship, plus a reasonable period thereafter for records and legal purposes.
- Website analytics data is retained according to the retention settings of each analytics provider (typically 14 to 26 months for Google Analytics 4).
- We periodically review and delete information that is no longer needed.
7. Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect the information we collect. These include access controls, encrypted transmission (HTTPS), and limited staff access to contact data. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Your rights and choices
Depending on where you live, you may have the following rights regarding your personal information:
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate or incomplete information.
- Deletion. Ask us to delete your personal information, subject to certain exceptions.
- Opt-out of marketing. Unsubscribe from marketing emails by following the instructions in those emails or by contacting us.
- Withdraw consent. Where we rely on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at partnerships@rosahealth.io. We will respond within the time period required by applicable law.
9. California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with additional rights:
- The right to know what personal information we collect, use, disclose, and (if applicable) sell or share
- The right to delete personal information we have collected from you
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information
- The right to limit the use of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. To exercise any California privacy right, contact us at partnerships@rosahealth.io.
10. EU/UK residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (and the UK GDPR) provide you with rights including access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. You also have the right to lodge a complaint with a supervisory authority.
Rosa Health is the data controller for information collected through this Site. If you transfer personal information to us from outside the United States, please be aware that your information will be processed in the United States.
11. Children's privacy
Our Site is intended for business users and is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.
12. A note on protected health information
Rosa Health's website is a marketing site. It is not intended for, and should not be used to transmit, protected health information (PHI) or individually identifiable health information about any member, patient, or other individual. Our demo request form asks you to describe your organization's challenges at a general business level and specifically asks you not to include individual member or patient details.
If PHI is inadvertently submitted through our Site, we will take reasonable steps to delete it from our systems and will not use it for marketing or business development purposes. When Rosa Health engages with customers through its commercial platform, any handling of PHI is governed by a separate Business Associate Agreement and the terms of the customer's contract, not by this Privacy Policy.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice. Your continued use of the Site after any changes become effective constitutes your acceptance of the revised policy.
14. Contact us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Rosa Health, Inc.
Dedham, Massachusetts, USA
Email: partnerships@rosahealth.io