Rosc.ai Privacy Policy
Last updated: February 17, 2026
This Privacy Policy for ROSC AI (“ROSC AI,” “we,” “us,” or “our”) explains how and why we collect, store, use, disclose, and/or share your personal information when you use our services (“Services”) or enter a business relationship with us.
Who We Are
ROSC AI offers a platform designed to improve the efficiency, accuracy, and personalization of medical transcriptions, supporting healthcare professionals in their clinical documentation and communication workflows. Our headquarters are in Vancouver, BC, Canada.
Important note regarding Protected Health Information (PHI): ROSC AI acts as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (HIPAA). We only process PHI on behalf of Covered Entities (healthcare providers) under a signed Business Associate Agreement (BAA). We do not sell PHI, use it for our own marketing purposes, or disclose it except as expressly permitted by the BAA and HIPAA.
What is Personal Information?
“Personal information” means any information relating to an identified or identifiable individual (sometimes called a “data subject” or “consumer”).
Questions or Concerns?
If you do not agree with this Privacy Policy, please do not use our Services. For questions or to exercise your rights, contact our Data Protection Officer at: privacy@rosc.ai
Sections
- Data we collect when you visit our website
- Data we collect when you contact us
- Data we collect when you use our Services
- Data we collect when you apply to work with us
- Data we collect when you work with us
- Special measures we take to protect confidentiality
- Data Breaches
- Usage of AI
- Personal information of minors
- Mergers and acquisitions
- Region-specific rights and regulations
- The legal bases we rely on to collect and process your data
- Your privacy rights
- How to contact us
- How to file a complaint
- Changes to our Privacy Policy
1. Data we collect when you visit our website
What data do we collect? (website)
When you visit our website, we need to automatically collect some information about the website’s functionality. Additionally, we collect some information in order to improve the Services we offer to you and to better understand user engagement. This information helps us enhance the overall user experience and optimize our website’s features.
- IP Address
- Browser type and version
- Operating system
- Location data
- Clickstream data
- Referring URL (the website you came from)
- Pages visited and time spent on each page
- Device information
- Cookies
How do we collect this data? (website)
We collect this data automatically through the use of cookies, visitor logs, and other tracking technologies used by our website:
- Cookies: Small text files stored on your device that help us remember your preferences, login information and activity during your visit.
- Visitor Logs: Logs that track and record your IP address, browser type, device type and other essential information.
- Tracking Technologies: Pixels, beacons and tags, which monitor how users interact with our website, including page views, link clicks, and session duration.
- Google Analytics and traffic data.
What are cookies? (website)
Cookies are text files stored by a web browser on a computer (or other device) to collect information about website visitors. Cookies might be essential to some of a website’s functionality and features, or might help with remembering visitors’ preferences, saving login statuses, collecting analytics data, analyzing visitors’ browsing behaviors, collecting or sharing advertising information, and more.
Why do we collect this data and how do we use cookies? (website)
- Website functionality: We use cookies to ensure that basic website functions, such as user authentication, navigation, and language preferences, work smoothly.
- User personalization: Cookies help personalize our experience by remembering your preferences and adjusting the content you see based on your previous visits or actions.
- Performance and analytics: If you consent via our cookie banner, we use cookies to collect information about how users interact with our website. This helps us understand site performance, monitor traffic, and analyze user behavior. With this data, we can improve the website’s speed, usability, and content relevance.
Additionally, cookies may be used for advertising purposes, enabling us to display relevant ads based on your browsing behavior. These cookies collect data on your website activities, which we may share with third-party advertising partners.
If we need to use your information for any purposes different from the purposes previously described, we will ask for your consent again first. Unless otherwise required by law, we will use your information only once we have received your consent to use it for this new purpose.
What types of cookies do we use? (website)
There are many different types of cookies; our website uses the following:
- Functionality Cookies: Rosc.ai uses functionality cookies so that our website recognizes you and remembers your preferences. These preferences might include the language you prefer, your location, or the interface preferences you previously selected. Both first-party and third-party cookies are used for this.
- Authentication Cookies: Rosc.ai uses authentication cookies to detect whether you are logged in to your account, and which account you are logged in to. Without these cookies you would have to authenticate yourself each time you access our website.
- Analytics Cookies: Rosc.ai uses analytics cookies to track your activity while you browse our website and to analyze how our website is utilized by our visitors.
- Advertising Cookies: Rosc.ai uses advertising cookies to collect information about your website visit, your IP address (Internet Protocol), your browser and device, the content you viewed, and the links you clicked on. We sometimes partially share this data with third parties for advertising purposes. We also share online data collected through cookies with our advertising partners Google & Meta Platforms. When you visit another website, you may see advertising based on your browsing on our website.
- Performance Cookies: Rosc.ai uses performance cookies to monitor our website’s performance and track visitors’ activities anonymously. For example, these cookies might help us count the number of page visits, see how much time a visitor stays on our website, or analyze our website’s response speed to improve performance.
- Social Media Cookies: Rosc.ai uses social media cookies to facilitate our website visitors sharing content from our website on their social media account(s), and to link this activity between our website and the third-party sharing platform.
How to manage cookies:
You can reject all non-essential cookies from our website cookie banner. If you select this option, only cookies that are necessary for the website’s functionality will be enabled.
Additionally, you can set your browser to block cookies, or you can delete cookies from your browser after a session. Keep in mind, however, that as a result some of our website features might not function as intended.
Do we share this data? (website)
We do not share the personal information collected from our website with any third party without seeking your consent first, except in limited circumstances, such as:
- Analytics: We share your information with third-party platforms, such as Google Analytics, for analytics purposes. When we do, it is only to be used for the purpose for which it was transferred.
- Obligations: On rare occasions, we may be obligated to share your personal information to comply with applicable laws, court orders, regulations, or other legal processes. We may also be obligated to share your personal information to enforce your agreements with us (including this Privacy Policy) or to respond to claims that your use of our Services violates any third party rights.
Where and how do we store this data? (website)
At ROSC AI, we store the data we collect from our website using industry-standard security practices. Data storage is managed in secure cloud environments provided by trusted third-party providers such as Amazon Web Services (AWS) and Google Cloud.
Here’s an overview of how we handle and store your data:
- Data Storage Location: Stored on secure servers located in geographically distributed data centers within Canada managed by AWS & Google Cloud. These providers follow stringent physical and digital security measures to ensure data protection.
- Data Encryption: All personal information and any sensitive data are encrypted both in transit and at rest using industry-standard encryption protocols, such as TLS (Transport Layer Security) for data in transit and AES-256 for data at rest.
- Access Control: Access to the data stored in our systems is restricted and managed through role-based access control (RBAC), ensuring only authorized personnel have access to sensitive data. All access is logged, and we regularly audit access logs to identify and address any anomalies.
- Data Backup and Retention: We regularly perform automated backups of the stored data to ensure data integrity and availability. Backups are encrypted and stored securely, and we follow a defined data retention policy to store data only as long as necessary for the purposes outlined in our privacy policy.
- Compliance: Our data storage practices comply with all relevant data protection laws and regulations, including PIPEDA, GDPR, and HIPAA where applicable.
How to opt-out of direct marketing communication? (website)
You may opt-out of direct marketing communications or the profiling we carry out for marketing purposes at any time by:
- Unsubscribe via Email: Click the "unsubscribe" link located at the bottom of any marketing email we send. This will take you to a page where you can confirm your decision to opt-out of further communications.
- Account Settings: If you have a ROSC AI account, you can log in and update your communication preferences within your account settings under the "Notifications" or "Marketing Preferences" section.
- Contact Us: You can also opt-out by directly contacting our support team at support@rosc.ai, providing them with your email address and a request to stop receiving marketing communications.
- Cookies and Profiling: If you wish to opt-out of personalized marketing and profiling based on cookies, you can adjust your cookie preferences through the cookie banner on our website or manage cookies via your browser settings.
How do we secure this data? (website)
- Encryption: All data transmitted between your device and our servers is encrypted using Secure Sockets Layer (SSL) technology, ensuring that your information is secure during transmission.
- Data Anonymization: Where possible, we anonymize or pseudonymize personal information to limit exposure of identifiable information.
- Access Control: We limit access to your personal data to only those employees, contractors, and partners who need it for specific tasks. These individuals are bound by strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
- Regular Security Audits: We conduct regular security reviews and audits of our systems and infrastructure to identify and address potential vulnerabilities.
- Secure Storage: Data at rest is stored securely using encryption techniques such as AES-256, both in databases and backup systems.
- Monitoring: We use monitoring tools to track access to our systems, detect unauthorized attempts, and respond swiftly to any potential threats.
- Two-Factor Authentication (2FA): We enforce 2FA for access to critical systems, ensuring an additional layer of security for sensitive data.
Privacy policies of other websites (website)
The Rosc.ai website might contain links to third-party websites, products, or services that are not operated by us. This Privacy Policy does not address the practices of any third-party websites, products, or services, including any websites, products, or services that may be accessible via a link from our website. Rosc.ai assumes no responsibility for the content, the privacy policies, or the practices of any third-party websites, products, or services.
For how long do we keep this data? (website)
- Website Analytics Data: We typically retain website analytics and usage data for a period of 12 to 24 months for analysis and reporting purposes.
- Contact Information: If you contact us through our website, we retain your contact information for as long as necessary to respond to your inquiry and maintain records of our communication, usually for a period of 2 years, unless required otherwise by law.
- Cookies: The duration of cookie data storage varies depending on the type of cookie. Session cookies are deleted when you close your browser, while persistent cookies may remain on your device for up to 2 years unless you delete them manually.
How do we respond to Do Not Track requests? (website)
Do Not Track (DNT) is a feature that most web browsers offer and can be enabled to request that websites do not track a user’s browsing activities on a website. Once enabled, the feature sends a signal to the website to inform it of the user’s preference. The website can choose to honor this request or not.
ROSC AI does not respond to DNT signals or similar mechanisms sent by web browsers. This means that we may continue to collect information about your browsing activities on our website even if DNT is enabled in your browser settings.
We prioritize user privacy, and while we do not respond to DNT signals, we offer other privacy controls, such as cookie management, where users can choose to accept or decline non-essential cookies via our cookie consent banner. Additionally, users may manually disable tracking by adjusting their browser settings to block or delete cookies.
Do we allow cross-site tracking from third parties? (website)
ROSC AI does not permit cross-site tracking from third parties by default without user consent. Cross-site tracking occurs when third-party cookies or tracking technologies are used to follow a user's activities across multiple websites. We take user privacy seriously, and any such tracking will only occur if the user consents through our cookie banner or other explicit opt-in processes.
Additionally, ROSC AI employs measures to minimize third-party tracking, ensuring that user information is not shared with external entities for tracking purposes unless necessary for services such as analytics or advertising, and only with the user's permission. Users can also manage or block tracking cookies through their browser settings or by adjusting their preferences in our cookie management tools.
2. Data we collect when you contact us
What data do we collect? (contacting us)
If you contact us by email, we will collect the information you provide to us. We collect this information to be able to contact you back, to answer your requests or questions, or to provide service to you. We never share or sell the information you provide when contacting us without your prior consent. However, we may store this data securely for future reference to improve our services or to fulfill your ongoing service needs. The information you provide might include:
- Your name
- Email address
- Phone number
- Company/organization name
- The content of your message (including any additional personal or sensitive data you voluntarily provide)
- Communication preferences (if specified)
How do we collect this data? (contacting us)
We collect this data when you provide it to us by emailing us, calling us, using our website’s chatbot, filling out one of our online forms, meeting with us through a video call or video event, meeting with us in person, or meeting with us during an event.
Why do we collect this data? (contacting us)
We collect this data to be able to contact you back and provide the services you have requested, such as responding to inquiries, fulfilling requests, or resolving issues. This information helps us deliver a personalized experience and ensures efficient communication. Additionally, we may use this data to follow up on your inquiries, ensure customer satisfaction, and improve our services based on your feedback or concerns.
Do we share this data? (contacting us)
We do not share the personal information collected when contacting us with any third parties without your prior consent, except in limited circumstances such as:
- Service Providers: We may share the data with trusted service providers who help us manage our services, such as customer support platforms or email service providers, solely to facilitate communication or resolve issues.
- Legal Obligations: We may disclose the data if required by law, such as in response to a court order, or to comply with legal regulations.
- Business Transfers: In the case of a merger, acquisition, or sale of our company, your information may be transferred as part of the transaction, with proper notice provided.
In all cases, we ensure that the third parties adhere to strict confidentiality and data security measures.
Marketing Communication:
With your prior consent, Rosc.ai might occasionally send information to you that we think you might find interesting about our services or about our partner companies. For this purpose, we might share your contact information (such as your email address) with some of our partners.
Once you have agreed to receive marketing communications from us, you can always opt out at a later date. You have the right to request that Rosc.ai stops contacting you for marketing purposes and/or stops sharing your data with our partners at any time. If you no longer wish to receive marketing communication from us or our partners, please email us at: help@rosc.ai
Where and how do we store this data? (contacting us)
The information you provide when contacting us is stored within Canadian datacenters, encrypted and protected by industry security standards and best practices including RBAC & MFA.
Data retention is managed by:
- Legal Compliance: Retained for the duration of regulatory obligations (such as audit or tax requirements).
- Customer Support: Retained for the length of time needed to resolve any queries or issues related to your contact.
3. Data we collect when you use our Services
Audio recordings
Raw audio recordings are processed for transcription and automatically deleted immediately after the transcription is generated (typically within minutes). Temporary copies may be retained for up to 30 days solely for quality assurance and model improvement, after which they are permanently and irreversibly deleted. We never store raw audio long-term.
Transcripts and Summarized Notes
These are retained by ROSC AI as long as your account is active, or as needed to provide the Services and improve our models. You (or your healthcare provider) may delete them at any time via the app. Healthcare practitioners are responsible for complying with their own statutory retention requirements in their electronic medical record systems.
Storage & Security
Data is stored on secure AWS and Google Cloud servers in Canada with encryption at rest (AES-256) and in transit (TLS). Access is strictly controlled via role-based access control (RBAC) and multi-factor authentication.
Subprocessors
We use the following key subprocessors (full list available on our Trust Center):
- Amazon Web Services (AWS) – hosting & storage
- Google Firebase – authentication
- Stripe – payment processing
- Vanta – compliance monitoring
All subprocessors are bound by contracts that require them to maintain equivalent security and privacy protections.
The information we collect for these purposes includes:
- Contact Information: We collect your name, email address, and phone number to set up your account and communicate with you about your services.
- Payment Information: Your payment details, such as credit card information or billing address, are collected to process transactions securely.
- Account Information: Data related to your account creation, such as username and password, is stored to enable you to log in and use our services.
- Service Usage Information: We collect data on how you interact with our services, including transaction history, support requests, and your usage patterns within the service.
- Additional Information: If necessary, we may collect additional details such as your organization name, preferred subscription plan, or any specific preferences regarding service usage.
How do we collect this data? (using our Services)
- Direct Input: You provide data directly when you sign up for our services, create an account, or make a purchase. This includes filling in forms, updating your account details, and submitting payment information.
- Automatic Collection: Some data, such as your usage activity (e.g., interactions with our platform, preferences, and settings), is automatically collected when you use our services. This data may be gathered using cookies, tracking pixels, or other technology tools to ensure service efficiency and to enhance user experience.
- Third-Party Integrations: We collect information through third-party platforms integrated with our services, such as payment processors or authentication providers. These platforms securely pass the necessary data to us to fulfill our services.
Why do we collect this data? (using our Services)
- Service Provision: We need this data to provide the services you have requested. This includes creating your account, authenticating your identity, and delivering the product or service you purchased. For example, we may collect payment details to process your transactions securely.
- Personalization: We use your data to customize your experience with our services, including saving your preferences, providing personalized recommendations, and improving the interface for easier use.
- Communication: We collect contact information to communicate important updates related to the services, such as changes to our policies, new features, or issues that may affect your usage.
- Security and Compliance: Data is collected to monitor for suspicious activity and to secure your account from unauthorized access. Additionally, some data is necessary for compliance with legal, financial, or regulatory obligations.
- Improvement and Development: We collect data on how our services are used to identify trends, improve existing features, and develop new features that better meet the needs of users.
Do we share this data? (using our Services)
- Service Providers: We may share your data with trusted third-party service providers to facilitate services such as payment processing (e.g., Stripe), data storage (e.g., AWS), and communication. These service providers are obligated to protect your data and use it only for the purposes we’ve contracted with them.
- Legal Compliance: In some cases, we may share data if required by law, such as in response to a subpoena, court order, or regulatory requirement.
- Security and Fraud Prevention: To ensure the security and integrity of our services, we may share data with third parties involved in fraud detection and prevention or cyber security efforts.
- With Your Consent: We may share your data with third parties if you have explicitly provided your consent for us to do so, for purposes such as integrating third-party tools or services.
Where and how do we store this data? (using our Services)
- AWS (Amazon Web Services): Data such as audio recordings, transcriptions, and user activity logs are stored in encrypted Amazon S3 and Amazon RDS instances. Encryption at rest ensures that data is unreadable without the proper keys, and encryption in transit protects it from unauthorized access as it moves through the network.
- Google Firebase: User authentication data, including email and password credentials, is stored in Firebase's encrypted databases. Firebase ensures the logical isolation of customer data, and sensitive information is stored with industry-standard encryption.
- Stripe: Payment data is stored securely with Stripe, which is PCI-DSS Level 1 compliant, meaning that your payment information is handled in accordance with the highest security standards.
How do we secure this data? (using our Services)
- Encryption: All data, whether stored or transmitted, is encrypted using industry-standard encryption protocols. We use 256-bit AES encryption for data at rest and TLS (Transport Layer Security) for data in transit between our platform and client devices or third-party integrations.
- Access Control: Access to data is restricted based on user roles and the principles of need-to-know and least privilege. Only authorized personnel are granted access, and permissions are assigned based on the specific tasks required. Role-based access control (RBAC) is enforced for all systems handling data.
- Multi-Factor Authentication (MFA): We require multi-factor authentication (MFA) for accessing sensitive areas of our services, ensuring that even if login credentials are compromised, unauthorized access is prevented through an additional verification layer.
- Regular Audits and Monitoring: We conduct regular security audits and continuously monitor our systems for any unusual or suspicious activities. Logs are kept and reviewed to detect and respond to potential security incidents quickly.
- Data Anonymization and Minimization: Where applicable, we anonymize data to minimize the exposure of personally identifiable information (PII). This process ensures that data cannot be easily traced back to individual users.
- Secure API Access: All API endpoints are protected using strong authentication mechanisms, and API keys are rotated regularly. Additionally, usage quotas and throttling are applied to prevent abuse or unauthorized access to the services.
- Firewall and Intrusion Detection Systems: We employ advanced firewall protection and intrusion detection systems to prevent unauthorized access or cyber-attacks from external threats. These systems are continuously updated to mitigate the latest risks.
- Backup and Recovery: Regular backups of critical data are conducted to ensure that in the case of a data loss event, we can recover quickly with minimal disruption. These backups are also encrypted and securely stored.
- Compliance with Standards: We adhere to industry best practices and standards, such as GDPR, HIPAA, and PIPEDA, ensuring that our data handling and security practices are in line with regulatory requirements.
4. Data we collect when you apply to work with us
What data do we collect? (job applicants)
If you apply to work at Rosc.ai, we collect the information you provide to us to process your application. We might collect additional information to evaluate your candidature later in the process, with your prior consent. The information we collect to process and evaluate your candidature includes:
Personal Identification Information:
- Full Name
- Contact Details (Email Address, Phone Number, Home Address)
Employment and Professional Information:
- Current Employment Status
- Previous Work History (including roles, companies, and dates of employment)
- Education History (Degrees, Certifications)
- Professional References (Names and Contact Information)
- Professional Certifications or Licenses
Recruitment-Related Information:
- Cover Letter and Resume/CV
- Skills, Experiences, and Qualifications
- Portfolio or Work Samples (if applicable)
- Responses to Interview Questions
- LinkedIn Profile or Other Publicly Available Work Information
Background Information (if required for certain roles):
- Criminal Record Checks (with your consent)
- Credit Checks (if relevant to the role)
- Eligibility to Work in Relevant Jurisdiction (such as visa status)
Other Information:
- Any other information you provide during interviews, assessments, or through other communications with us.
How do we collect this data? (job applicants)
- Direct Collection: We collect the data directly from you through online application forms, email submissions, or interviews.
- Third-Party Sources: In certain cases, we may obtain information from third-party sources, such as references or background check providers, always with your prior consent.
- Publicly Available Information: We may also collect publicly available information (e.g., LinkedIn profiles) that is relevant to the role.
Why do we collect this data? (job applicants)
- Evaluation of Candidacy: We collect this information to assess your qualifications, skills, and fit for the role you applied for.
- Communication: We use your contact information to communicate with you during the recruitment process (e.g., to schedule interviews or update you on your application status).
- Legal and Compliance: In some cases, we collect data to comply with legal requirements, such as verifying your right to work or conducting background checks.
Do we share this data? (job applicants)
We may share your data with third-party service providers (e.g., for background checks) but only with your prior consent. We do not sell or share your data with third parties for marketing purposes.
Where and how do we store this data? (job applicants)
All candidate application data is stored in Rosc.ai’s corporate collaboration platform, which uses at-rest encryption, and access is restricted to authorized personnel involved in the recruitment process.
For how long do we keep this data? (job applicants)
- Unsuccessful Applicants: If your application is not successful, we will retain your personal data for a period of 12 months from the date of the conclusion of the recruitment process. This allows us to consider you for future opportunities and comply with any legal obligations regarding applicant tracking.
- Successful Applicants: If you are hired, your application data will be retained as part of your employee file for the duration of your employment and for a further period as required by employment and data protection laws, typically 7 years following the termination of employment.
- Legal and Compliance Obligations: In some cases, we may be required to retain certain data for a longer period to comply with legal obligations, such as tax or employment law, or to resolve any disputes or enforce our agreements. This period is typically 7 years in accordance with legal compliance.
- Deletion or Anonymization: Once the retention period has expired, we will securely delete or anonymize your data, ensuring that it can no longer be linked back to you.
- Withdrawal of Consent: If at any time you wish to withdraw your application or request the deletion of your data, you can contact us to have your data removed, provided it does not conflict with legal obligations.
Information used to make a decision about you:
Rosc.ai will retain any personal information about an individual that was used to make a decision that directly affects the individual for at least one year after using it, so that the individual has a reasonable opportunity to obtain access to it. After this period, Rosc.ai will securely destroy any personal information about an individual as soon as it is no longer necessary to fulfill the identified purposes or any other legal or business purposes.
5. Data we collect when you work with us
What data do we collect? (employees & partners)
If you enter an employment, contractor, or partnership agreement with us, we collect the following information for the purpose of establishing, carrying out, managing, or terminating your contractual relationship with Rosc.ai. We may collect additional information about you but only with your prior consent. The personal information we collect to perform this contract includes:
- Personal Identification Data: Full name, date of birth, nationality, and copies of identification documents (such as passport, driver’s license, etc.)
- Contact Information: Email address, phone number, mailing address, emergency contact details.
- Employment and Role Information: Job title, job description, work location, department, and employment/contract start and end dates.
- Financial Information: Bank account details for salary or payment processing, social insurance numbers, and any other financial information relevant to payroll or tax purposes.
- Performance and Professional Data: Work performance reports, feedback from managers or partners, training certifications, and any professional qualifications or degrees.
- Contract Information: Details of your contract, terms of employment or engagement, compensation details, and benefits.
- Security and Compliance Data: Records of access to company systems, audit trails, and information related to security and confidentiality.
- Health and Leave Information: Information about sick leave, parental leave, or disability accommodations where necessary, in compliance with applicable labor laws.
Additional information may be collected with your consent, depending on the specific requirements of your role.
How do we collect this data? (employees & partners)
We collect this data directly from you when you:
- Apply for a position or enter a contractual relationship with us.
- Fill out forms required by human resources (e.g., payroll or tax forms).
- Use our internal systems for job-related tasks (such as submitting performance reports or applying for leave).
- Communicate with us through official company channels or systems (e.g., email, HR portal, etc.).
Data may also be collected through third parties with your consent (e.g., background checks, references) or as required by law.
Why do we collect this data? (employees & partners)
We collect and retain information for the purpose of establishing, carrying out, managing, or terminating your contractual relationship with Rosc.ai. We also collect and retain information in order to perform our contract with you and to fulfill our legal obligations.
We collect this data to:
- Fulfill contractual obligations: This includes processing payments, managing employee records, or performing tasks outlined in your contract.
- Manage employment or contractor relationship: Monitoring work performance, managing benefits, and handling promotions or role changes.
- Ensure legal and regulatory compliance: Compliance with tax, labor, and health and safety laws.
- Enhance security: Ensuring that company systems and sensitive data are accessed only by authorized personnel.
- Support employee well-being: Offering relevant benefits, health accommodations, or work-life balance initiatives.
Do we share this data? (employees & partners)
Our employees’ and partners’ personal data is shared only in very limited circumstances:
- Third-Party Service Providers: For payroll processing, benefits administration, or IT support.
- Legal and Regulatory Authorities: To comply with legal requirements, such as tax reporting.
We do not sell or share your personal data with other unlisted third parties or for marketing purposes.
All data is protected by strict access controls and encrypted both in transit and at rest, ensuring compliance with PIPEDA.
6. Special measures we take to protect confidentiality
- NDA and DPA/BAA Agreements
- Role-Based Access Control (RBAC)
- Data Encryption (AES-256 at rest, TLS in transit)
- Secure Remote Workstations
- Data Minimization
- Audit Logs and Continuous Monitoring
- Compliance with PIPEDA, HIPAA, GDPR, and provincial health privacy laws
7. Data Breaches
ROSC AI implements robust measures to safeguard your personal information in accordance with applicable data protection frameworks. In the unlikely event of a data breach affecting your personal information, ROSC AI will promptly notify affected individuals and the relevant supervisory authorities as required by the following region-specific regulations:
- Ontario PHIPA: Notify the Information and Privacy Commissioner of Ontario (IPC) and affected individuals within 7 days.
- Quebec Law 25: Notify the Commission d’accès à l’information (CAI) and affected individuals as soon as possible.
- British Columbia PIPA / Alberta PIPA: Notify the Office of the Information and Privacy Commissioner (OIPC) and affected individuals when there is a reasonable likelihood of significant harm.
- Manitoba PHIA: Notify the Manitoba Ombudsman and affected individuals for suspected misuse of personal health information.
- New Brunswick PHIPAA / Newfoundland PHIA / Nova Scotia PHIA: Notify the respective Commissioners for breaches posing a risk of harm.
- Brazil LGPD: Notify the Autoridade Nacional de Proteção de Dados (ANPD) and affected individuals promptly.
- Japan APPI: Notify the Personal Information Protection Commission (PPC) and affected individuals within 3–5 days.
- California CCPA: Notify affected consumers promptly.
- Australia Privacy Act: Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
For all breaches, ROSC AI will provide details of the incident and guidance on protective actions you may take. We will report breaches likely to result in a risk to your rights to the relevant supervisory authority within the required timeframe, typically not later than 72 hours where applicable (e.g., PIPEDA, GDPR-aligned frameworks). ROSC AI maintains a comprehensive record of all data breach incidents, including descriptions, affected information, risk assessments, and remedial actions, which is available to supervisory authorities upon request.
8. Usage of AI
We use AI to transcribe audio and generate draft clinical notes/summaries. These outputs are always subject to review and approval by the licensed healthcare provider. No clinical decisions are made solely by AI.
How to Object to AI Usage
You have the right to request a manual (non-AI) review of transcriptions or summaries. Contact our Data Protection Officer at privacy@rosc.ai.
9. Personal information of minors
We do not knowingly collect or store data from children. By using our Services, you confirm that you are over the age of majority in your jurisdiction, or that you are the parent/guardian of such a minor and that you consent to their use of our Services.
If it comes to our knowledge that any personal information has been inadvertently collected by us from a minor, we will take all measures within our power to thoroughly delete such data from our records and/or any third-party software where it might have been stored. If you learn that any data we might have collected is from a minor, please contact us promptly at: info@rosc.ai
10. Mergers and acquisitions
In the event of an organizational merger or acquisition, we may share or transfer some of your personal information if it is related to the merger, financing, sale of organization assets, or acquisition of our organization in full or in part by another organization.
Should this situation arise, we would notify you prior to any transfer and provide you with additional information on the processes involved, as well as inform you of your rights and choices under such circumstances.
11. Region-specific rights and regulations
Your privacy and data privacy rights are very important to us, no matter where you are in the world.
This global Privacy Policy was created to cover a group of worldwide privacy regulations with the highest requirements, including the European Union’s General Data Protection Regulation (EU GDPR), United Kingdom’s General Data Protection Regulation (UK GDPR), United States’ California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and more.
The rights described in this Privacy Policy address the highest level of data privacy rights. This global approach aims to facilitate the implementation of individuals’ rights within our organization, as well as to increase compliance levels in a fast-changing worldwide data privacy regulation landscape.
If you believe your local data privacy rights are missing from this global Privacy Policy and should have been mentioned, please contact our Data Privacy Officer at: info@rosc.ai
12. The legal bases we rely on to collect and process your data
Consent
We may collect and process your personal information for a specific purpose if you have given us permission to do so (consented to). In this case, your personal information will only be used for the purpose you have consented to. If we need to use your personal information for a different purpose from the one you have agreed to, we will request your consent again. You have the right to withdraw your consent at any time.
Performance of a contract
We may collect and process your personal information when it is necessary to perform our contractual obligations with you, including providing our Services to you or if you have asked us to take specific steps before entering into a contract with us.
Legal obligations
We may collect or process your personal information when it is obligatory to comply with the law, such as to conform to law enforcement or regulatory agency mandates, to defend our legal rights, or to fulfill our legal duties in case of litigation.
Vital interests
We may collect or process your personal information when it is vital to protect a person, such as a situation resulting in a potential threat to the health or physical safety of that person.
Public task
We may collect or process your personal information when it is needed for us to perform a task that is in the public’s interest or because it is required in our official functions, and this task or these functions have a clear legal basis.
Legitimate interests
We may collect or process your personal information when it is reasonably required to achieve our organization’s legitimate interests or the legitimate interests of a third party, unless your fundamental rights override those legitimate interests.
13. Your privacy rights
Rosc.ai respects your privacy rights and we want to make sure you are fully informed about your rights.
We will reply to each request we receive related to your privacy rights within a 30-day timeframe. For some especially complex requests, we might ask for a time extension in order to fulfill your request thoroughly, when allowed by law. If your request cannot be honored or fully honored, for example, because it is in conflict with other legal obligations (such as financial mandatory data retention periods or the privacy rights of other individuals), we will inform you of the reason we cannot fulfill your request.
If you would like to exercise any of these rights, please contact Rosc.ai’s Data Protection Officer at: info@rosc.ai
Every person we collect personal information about is entitled to the following:
The right to access (to know)
You have the right to contact Rosc.ai to request a copy of your personal data or to know which information we have about you.
The right to rectification (to correct)
You have the right to contact Rosc.ai to request that we correct any information you believe is inaccurate, or that we complete any information you believe is incomplete.
The right to erasure (to delete)
You have the right to contact Rosc.ai to request that we permanently delete the personal information we have about you that we obtained directly and indirectly, subject to certain conditions.
The right to de-index
You have the right to contact Rosc.ai to request that we stop disclosing your personal information or that we de-index (remove) any hyperlinks linking to it, subject to certain conditions.
The right to withdraw consent
You have the right to contact Rosc.ai at any time to withdraw consent you had given us previously.
The right to object to processing
You have the right to contact Rosc.ai to request that we stop the processing of your personal information, subject to certain conditions.
The right to restrict processing (to limit)
You have the right to contact Rosc.ai to request that we restrict the processing of all or some of your personal information, subject to certain conditions.
The right to opt-out of sale or sharing
You have the right to contact Rosc.ai to request that we stop selling your personal information, or stop sharing it for the purpose of cross-context behavioral advertising.
The right to refuse the collection of biometric data
You have the right to refuse the collection of your biometric data (facial print, voice print, iris print, hand print, fingerprint, keystroke pattern, behavioral data, biological data, etc.) by Rosc.ai and request that we use an alternative system to fulfill the same purpose, subject to certain conditions.
The right against automated decision-making
You have the right to be informed if any decisions we made about you used automated decision-making systems. You have the right not to be subject to a decision that was based only on automated processes (including profiling) if this decision impacts you in a significant way, subject to certain conditions. Additionally, if an automated decision was made about you, you have the right to contact Rosc.ai to request that this decision be re-evaluated by a human.
The right to data portability
You have the right to contact Rosc.ai to request that we transfer the data we have collected about you in a machine-readable format to another organization or directly to you, subject to certain conditions.
The right to grieve
You have the right to contact Rosc.ai to request access to the personal information of a deceased person who is a partner, spouse, or a close family member, subject to certain conditions.
The right to non-discrimination
You have the right to contact Rosc.ai to request any of these rights, without this action negatively impacting our relationship with you. Rosc.ai honors a strict non-discrimination policy. If you exercise your privacy rights with us, you can be assured that you will not be discriminated against and that you will receive the same quality of services or products from us.
14. How to contact us
If you have any questions or concerns about our Privacy Policy, our privacy practices, the personal information we have about you, or if you would like to exercise your privacy rights, please contact Rosc.ai’s Data Privacy Officer:
By email: info@rosc.ai
15. How to file a complaint
If you feel that Rosc.ai, unfortunately, has not addressed your concern in a manner that is satisfactory to you and you wish to make a complaint, you may contact your own regional Data Protection Authority if it is different from Rosc.ai’s location, or Rosc.ai’s regional Data Protection Authority, which for British Columbia, Canada is the Office of the Information and Privacy Commissioner for British Columbia (OIPC).
- Website: https://www.oipc.bc.ca/
- Email: info@oipc.bc.ca
- Phone number: +1 (250) 387-5629
16. Changes to our Privacy Policy
Rosc.ai revises its Privacy Policy on a regular basis to ensure it represents our current practices, and updates this web page when there are any changes. Please make sure to revisit our Privacy Policy regularly for the latest version.
Last Updated – February 2026.