ROSC.ai Privacy Policy

Last updated: November 2024

General

This Privacy Policy for Rosc.ai ("Rosc.ai," "we," "us," or "our") explains how and why we collect, store, use, disclose, and/or share your personal information when you use our services ("Services") or when you enter a business relationship with us, such as when you:

  • Visit our website at www.rosc.ai, and any pages or documents within this domain
  • Contact us at info@rosc.ai, or engage with us from the 'contact us' section of the website
  • Use the rosc.ai mobile app or webapp as a trial or paid member
  • Apply to work with us
  • Work with us as an employee, partner, contractor or vendor

What is personal information?

The term "personal information" in the context of this Privacy Policy means any information relating to an identified or identifiable individual (sometimes also called a "data subject" or a "consumer" in regulations).

Who are we?

Rosc.ai offers a platform designed to improve the efficiency, accuracy, and personalization of medical transcriptions, with the goal of supporting healthcare professionals in their clinical documentation and communication workflows. Its headquarters are located in Vancouver, BC.

Questions or concerns?

This Privacy Policy will help you better understand our practices, your privacy rights, and the privacy choices you have in relation to our Services. If you do not agree with this Privacy Policy, do not use our Services. If after reading this Privacy Policy you still have questions or concerns, please contact our CEO via the info@rosc.ai email.

1. Data we collect when you visit our website

What data do we collect? (website)

When you visit our website, we need to automatically collect some information about the website's functionality. Additionally, we collect some information in order to improve the Services we offer to you and to better understand user engagement. This information helps us enhance the overall user experience and optimize our website's features.

  • IP Address
  • Browser type and version
  • Operating system
  • Location data
  • Clickstream data
  • Referring URL (the website you came from)
  • Pages visited and time spent on each page
  • Device information
  • Cookies

How do we collect this data? (website)

We collect this data automatically through the use of cookies, visitor logs, and other tracking technologies used by our website.

  • Cookies: Small text files stored on your device that help us remember your preferences, login information and activity during your visit.
  • Visitor Logs: Logs that track and record your IP address, browser type, device type and other essential information.
  • Tracking Technologies: Pixels, beacons and tags, which monitor how users interact with our website, including page views, link clicks, and session duration.
  • Google Analytics and traffic data.

What are cookies? (website)

Cookies are text files stored by a web browser on a computer (or other device) to collect information about website visitors. Cookies might be essential to some websites' functionality and features, or might help with remembering visitors' preferences, saving login statuses, collecting analytics data, analyzing visitors' browsing behaviors, collecting or sharing advertising information, and more.

Why do we collect this data and how do we use cookies? (website)

  • Website functionality: We use cookies to ensure that basic website functions, such as user authentication, navigation, and language preferences, work smoothly.
  • User personalization: Cookies help personalize our experience by remembering your preferences and adjusting the content you see based on your previous visits or actions.
  • Performance and analytics: If you consent via our cookie banner, we use cookies to collect information about how users interact with our website. This helps us understand site performance, monitor traffic, and analyze user behavior.

Additionally, cookies may be used for advertising purposes, enabling us to display relevant ads based on your browsing behavior. These cookies collect data on your website activities, which we may share with third-party advertising partners.

If we need to use your information for any purposes different from the purposes previously described, we will ask for your consent again first. Unless otherwise required by law, we will use your information only once we have received your consent to use it for this new purpose.

What types of cookies do we use? (website)

  • Functionality Cookies: Rosc.ai uses functionality cookies so that our website recognizes you and remembers your preferences. These preferences might include the language you prefer, your location, or the interface preferences you previously selected.
  • Authentication Cookies: Rosc.ai uses authentication cookies to detect whether you are logged in to your account, and which account you are logged in to.
  • Analytics Cookies: Rosc.ai uses analytics cookies to track your activity while you browse our website and to analyze how our website is utilized by our visitors.
  • Advertising Cookies: Rosc.ai uses advertising cookies to collect information about your website visit, your IP address, your browser and device, the content you viewed, and the links you clicked on.
  • Performance Cookies: Rosc.ai uses performance cookies to monitor our website's performance and track visitors' activities anonymously.
  • Social Media Cookies: Rosc.ai uses social media cookies to facilitate our website visitors sharing content from our website on their social media account(s).

How to manage cookies

You can reject all non-essential cookies from our website cookie banner. If you select this option, only cookies that are necessary for the website's functionality will be enabled.

Additionally, you can set your browser to block cookies, or you can delete cookies from your browser after a session. Keep in mind, however, that as a consequence some of our website features might not function as intended.

Do we share this data? (website)

We do not share the personal information collected from our website with any third party without seeking your consent first, except in limited circumstances, such as:

  • Analytics: We share your information with third-party platforms, such as Google Analytics, for analytics purposes.
  • Obligations: On rare occasions, we may be obligated to share your personal information to comply with applicable laws, court orders, regulations, or other legal processes.

Where and how do we store this data? (website)

At ROSC AI, we store the data we collect from our website using industry-standard security practices. Data storage is managed in secure cloud environments provided by trusted third-party providers such as Amazon Web Services (AWS) and Google Cloud.

  • Data Storage Location: Stored on secure servers located in geographically distributed data centers within Canada managed by AWS & Google Cloud.
  • Data Encryption: All personal information and any sensitive data are encrypted both in transit and at rest using industry-standard encryption protocols.
  • Access Control: Access to the data stored in our systems is restricted and managed through role-based access control (RBAC).
  • Data Backup and Retention: We regularly perform automated backups of the stored data to ensure data integrity and availability.
  • Compliance: Our data storage practices comply with all relevant data protection laws and regulations, including PIPEDA, GDPR, and HIPAA where applicable.

How to opt out of direct marketing communication? (website)

You may opt out of direct marketing communications or the profiling we carry out for marketing purposes at any time by:

  • Unsubscribe via Email: Click the "unsubscribe" link located at the bottom of any marketing email we send.
  • Account Settings: If you have a ROSC AI account, you can log in and update your communication preferences.
  • Contact Us: You can also opt out by directly contacting our support team at support@rosc.ai.
  • Cookies and Profiling: If you wish to opt out of personalized marketing and profiling based on cookies, you can adjust your cookie preferences.

How do we secure this data? (website)

  • Encryption: All data transmitted between your device and our servers is encrypted using Secure Sockets Layer (SSL) technology.
  • Data Anonymization: Where possible, we anonymize or pseudonymize personal information.
  • Access Control: We limit access to your personal data to only those employees, contractors, and partners who need it.
  • Regular Security Audits: We conduct regular security reviews and audits of our systems.
  • Secure Storage: Data at rest is stored securely using encryption techniques such as AES-256.
  • Monitoring: We use monitoring tools to track access to our systems.
  • Two-Factor Authentication (2FA): We enforce 2FA for access to critical systems.

Privacy policies of other websites (website)

The Rosc.ai website might contain links to third-party websites, products, or services that are not operated by us. This Privacy Policy does not address the practices of any third-party websites, products, or services. Rosc.ai assumes no responsibility for the content, the privacy policies, or the practices of any third-party websites, products, or services.

For how long do we keep this data? (website)

  • Website Analytics Data: We typically retain website analytics and usage data for a period of 12 to 24 months.
  • Contact Information: If you contact us through our website, we retain your contact information for up to 2 years.
  • Cookies: Session cookies are deleted when you close your browser, while persistent cookies may remain for up to 2 years.

How do we respond to Do Not Track requests? (website)

ROSC AI does not respond to DNT signals or similar mechanisms sent by web browsers. This means that we may continue to collect information about your browsing activities on our website even if DNT is enabled in your browser settings.

We prioritize user privacy, and while we do not respond to DNT signals, we offer other privacy controls, such as cookie management, where users can choose to accept or decline non-essential cookies via our cookie consent banner.

Do we allow cross-site tracking from third parties? (website)

ROSC AI does not permit cross-site tracking from third parties by default without user consent. Cross-site tracking occurs when third-party cookies or tracking technologies are used to follow a user's activities across multiple websites. We take user privacy seriously, and any such tracking will only occur if the user consents through our cookie banner or other explicit opt-in processes.

2. Data we collect when you contact us

What data do we collect? (contacting us)

If you contact us by email, we will collect the information you provide to us. We collect this information to be able to contact you back, to answer your requests or questions, or to provide service to you. The information you provide might include:

  • Your name
  • Email address
  • Phone number
  • Company/organization name
  • The content of your message
  • Communication preferences (if specified)

How do we collect this data? (contacting us)

We collect this data when you provide it to us either by emailing us, calling us, using our website's chatbot, filling out one of our online forms, meeting with us through a video call or video event, meeting with us through an in-person meeting, or meeting with us during an event.

Why do we collect this data? (contacting us)

We collect this data to be able to contact you back and provide the services you have requested, such as responding to inquiries, fulfilling requests, or resolving issues. This information helps us deliver a personalized experience and ensures efficient communication.

Do we share this data? (contacting us)

We do not share the personal information collected when contacting us with any third parties without your prior consent, except in limited circumstances such as:

  • Service Providers: We may share the data with trusted service providers who help us manage our services.
  • Legal Obligations: We may disclose the data if required by law.
  • Business Transfers: In the case of a merger, acquisition, or sale of our company.

Marketing Communication

With your prior consent, Rosc.ai might occasionally send information to you that we think you might find interesting about our services or about our partner companies. Once you have agreed to receive marketing communications from us, you can always opt out at a later date. If you no longer wish to receive marketing communication from us or our partners, please email us at: help@rosc.ai

Where and how do we store this data? (contacting us)

The information you provide when contacting us is stored within Canadian datacenters, encrypted and protected by industry security standards and best practices including RBAC & MFA.

3. Data we collect when you use our Services

What data do we collect? (using our Services)

When you purchase our Services, we need to collect some information in order to contact you, to provide to you the service you purchased, to process your payment information, and to create your account. The information we collect for these purposes includes:

  • Contact Information: We collect your name, email address, and phone number to set up your account and communicate with you.
  • Payment Information: Your payment details, such as credit card information or billing address.
  • Account Information: Data related to your account creation, such as username and password.
  • Service Usage Information: We collect data on how you interact with our services.
  • Additional Information: If necessary, we may collect additional details such as your organization name.

How do we collect this data? (using our Services)

  • Direct Input: You provide data directly when you sign up for our services, create an account, or make a purchase.
  • Automatic Collection: Some data, such as your usage activity, is automatically collected when you use our services.
  • Third-Party Integrations: We collect information through third-party platforms integrated with our services.

Why do we collect this data? (using our Services)

  • Service Provision: We need this data to provide the services you have requested.
  • Personalization: We use your data to customize your experience with our services.
  • Communication: We collect contact information to communicate important updates.
  • Security and Compliance: Data is collected to monitor for suspicious activity and secure your account.
  • Improvement and Development: We collect data on how our services are used to improve existing features.

Do we share this data? (using our Services)

  • Service Providers: We may share your data with trusted third-party service providers for purposes such as payment processing (e.g., Stripe) and data storage (e.g., AWS).
  • Legal Compliance: In some cases, we may share data if required by law.
  • Security and Fraud Prevention: To ensure the security and integrity of our services.
  • With Your Consent: We may share your data with third parties if you have explicitly provided your consent.

Where and how do we store this data? (using our Services)

  • AWS (Amazon Web Services): Data such as audio recordings, transcriptions, and user activity logs are stored in encrypted Amazon S3 and Amazon RDS instances.
  • Google Firebase: User authentication data, including email and password credentials, is stored in Firebase's encrypted databases.
  • Stripe: Payment data is stored securely with Stripe, which is PCI-DSS Level 1 compliant.

How do we secure this data? (using our Services)

  • Encryption: All data is encrypted using 256-bit AES encryption for data at rest and TLS for data in transit.
  • Access Control: Access to data is restricted based on user roles and the principles of need-to-know and least privilege.
  • Multi-Factor Authentication (MFA): We require MFA for accessing sensitive areas of our services.
  • Regular Audits and Monitoring: We conduct regular security audits and continuously monitor our systems.
  • Data Anonymization and Minimization: Where applicable, we anonymize data to minimize the exposure of PII.
  • Secure API Access: All API endpoints are protected using strong authentication mechanisms.
  • Firewall and Intrusion Detection Systems: We employ advanced firewall protection and intrusion detection systems.
  • Backup and Recovery: Regular backups of critical data are conducted.
  • Compliance with Standards: We adhere to industry best practices and standards, such as GDPR, HIPAA, and PIPEDA.

For how long do we keep this data? (using our Services)

We retain personal information for as long as required to provide the services for which it was collected, or otherwise in accordance with applicable legal and regulatory requirements.

  • The audio is not stored.
  • Dictation and other Voice-enabled features: The Audio File may be kept for up to 30 days.
  • Transcripts and the Summarized Note are retained by the Company indefinitely to help us improve our product.
  • The rosc.ai app users may retain a copy of all Transcripts and the Summarized Notes until the user chooses to delete them.

4. Data we collect when you apply to work with us

What data do we collect? (job applicants)

If you apply to work at Rosc.ai, we collect the information you provide to us to process your application. The information we collect includes:

  • Personal Identification Information: Full Name, Contact Details (Email Address, Phone Number, Home Address)
  • Employment and Professional Information: Current Employment Status, Previous Work History, Education History, Professional References
  • Recruitment-Related Information: Cover Letter and Resume/CV, Skills, Portfolio or Work Samples
  • Background Information: Criminal Record Checks (with your consent), Eligibility to Work

How do we collect this data? (job applicants)

  • Direct Collection: We collect the data directly from you through online application forms, email submissions, or interviews.
  • Third-Party Sources: In certain cases, we may obtain information from third-party sources, always with your prior consent.
  • Publicly Available Information: We may also collect publicly available information (e.g., LinkedIn profiles).

Why do we collect this data? (job applicants)

  • Evaluation of Candidacy: We collect this information to assess your qualifications, skills, and fit for the role.
  • Communication: We use your contact information to communicate with you during the recruitment process.
  • Legal and Compliance: In some cases, we collect data to comply with legal requirements.

Do we share this data? (job applicants)

We may share your data with third-party service providers (e.g., for background checks) but only with your prior consent. We do not sell or share your data with third parties for marketing purposes.

Where and how do we store this data? (job applicants)

All candidate application data is stored in Rosc.ai's corporate collaboration platform, which uses at-rest encryption, and access is restricted to authorized personnel involved in the recruitment process.

For how long do we keep this data? (job applicants)

  • Unsuccessful Applicants: We will retain your personal data for a period of 12 months from the date of the conclusion of the recruitment process.
  • Successful Applicants: If you are hired, your application data will be retained as part of your employee file for the duration of your employment and for a further period as required by employment and data protection laws, typically 7 years.
  • Legal and Compliance Obligations: In some cases, we may be required to retain certain data for a longer period to comply with legal obligations.
  • Deletion or Anonymization: Once the retention period has expired, we will securely delete or anonymize your data.
  • Withdrawal of Consent: If at any time you wish to withdraw your application or request the deletion of your data, you can contact us.

Information used to make a decision about you

Rosc.ai will retain any personal information about an individual that was used to make a decision that directly affects the individual for at least one year after using it, so that the individual has a reasonable opportunity to obtain access to it.

5. Data we collect when you work with us

What data do we collect? (employees & partners)

If you enter an employment, contractor, or partnership agreement with us, we collect the following information:

  • Personal Identification Data: Full name, date of birth, nationality, and copies of identification documents
  • Contact Information: Email address, phone number, mailing address, emergency contact details
  • Employment and Role Information: Job title, job description, work location, department
  • Financial Information: Bank account details for salary or payment processing, social insurance numbers
  • Performance and Professional Data: Work performance reports, feedback, training certifications
  • Contract Information: Details of your contract, terms of employment, compensation details
  • Security and Compliance Data: Records of access to company systems, audit trails
  • Health and Leave Information: Information about sick leave, parental leave, or disability accommodations

How do we collect this data? (employees & partners)

We collect this data directly from you when you:

  • Apply for a position or enter a contractual relationship with us
  • Fill out forms required by human resources
  • Use our internal systems for job-related tasks
  • Communicate with us through official company channels

Why do we collect this data? (employees & partners)

We collect this data to:

  • Fulfill contractual obligations: Processing payments, managing employee records
  • Manage employment or contractor relationship: Monitoring work performance, managing benefits
  • Ensure legal and regulatory compliance: Compliance with tax, labor, and health and safety laws
  • Enhance security: Ensuring that company systems are accessed only by authorized personnel
  • Support employee well-being: Offering relevant benefits and work-life balance initiatives

Do we share this data? (employees & partners)

Our employees' and partners' personal data is shared in very limited circumstances:

  • Third-Party Service Providers: For payroll processing, benefits administration, or IT support
  • Legal and Regulatory Authorities: To comply with legal requirements, such as tax reporting

We do not sell or share your personal data with other unlisted third parties or for marketing purposes. All data is protected by strict access controls and encrypted both in transit and at rest, ensuring compliance with PIPEDA.

6. Special measures we take to protect confidentiality

  • NDA and DPA Agreements
  • Role-Based Access Control (RBAC)
  • Data Encryption
  • Secure Remote Workstations
  • Data Minimization
  • Audit Logs and Monitoring
  • Compliance with Privacy Laws (PIPEDA, GDPR, HIPAA and Provincial regulations where applicable)
  • Confidential Communication Channels

7. Data Breaches

ROSC AI implements robust measures to safeguard your personal information in accordance with applicable data protection frameworks. In the unlikely event of a data breach affecting your personal information, ROSC AI will promptly notify affected individuals and the relevant supervisory authorities as required by the following region-specific regulations:

  • Ontario PHIPA: Notify the Information and Privacy Commissioner of Ontario (IPC) and affected individuals within 7 days.
  • Quebec Law 25: Notify the Commission d'accès à l'information (CAI) and affected individuals as soon as possible.
  • British Columbia PIPA / Alberta PIPA: Notify the Office of the Information and Privacy Commissioner (OIPC) and affected individuals when there is a reasonable likelihood of significant harm.
  • Manitoba PHIA: Notify the Manitoba Ombudsman and affected individuals for suspected misuse of personal health information.
  • New Brunswick PHIPAA / Newfoundland PHIA / Nova Scotia PHIA: Notify the respective Commissioners for breaches posing a risk of harm.
  • Brazil LGPD: Notify the Autoridade Nacional de Proteção de Dados (ANPD) and affected individuals promptly.
  • Japan APPI: Notify the Personal Information Protection Commission (PPC) and affected individuals within 3–5 days.
  • California CCPA: Notify affected consumers promptly.
  • Australia Privacy Act: Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

For all breaches, ROSC AI will provide details of the incident and guidance on protective actions you may take. We will report breaches likely to result in a risk to your rights to the relevant supervisory authority within the required timeframe, typically not later than 72 hours where applicable (e.g., PIPEDA, GDPR-aligned frameworks).

8. Usage of AI

How to Object to AI Usage

You have the right to object to the use of AI systems in the processing of your personal data. If you prefer not to have your data processed by AI, you can request a manual review of transcriptions or summaries. To exercise this right, please contact our Data Protection Officer at support@rosc.ai

10. Personal information of minors

We do not knowingly collect or store data from children. By using our Services, you confirm that you are over the age of majority in your jurisdiction, or that you are the parent/guardian of such a minor and that you consent to their use of our Services.

If it comes to our knowledge that any personal information has been inadvertently collected by us from a minor, we will take all measures within our power to thoroughly delete such data from our records and/or any third-party software where it might have been stored. If you learn that any data we might have collected is from a minor, please contact us promptly at: info@rosc.ai

11. Mergers and acquisitions

In the event of an organization merger or acquisition, we may share or transfer some of your personal information if it is related to the merger, financing, sale of organization assets, or acquisition of our organization in full or in part by another organization.

Should this situation arise, we would notify you prior to any transfer and provide you with additional information on the processes involved, as well as inform you of your rights and choices under such circumstances.

12. Region-specific rights and regulations

Your privacy and data privacy rights are very important to us, no matter where you are in the world.

This global Privacy Policy was created to cover a group of worldwide privacy regulations with the highest requirements, including the European Union's General Data Protection Regulation (EU GDPR), United Kingdom's General Data Protection Regulation (UK GDPR), United States' California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and more.

The rights described in this Privacy Policy address the highest level of data privacy rights. This global approach aims to facilitate the implementation of individuals' rights within our organization, as well as to increase compliance levels in a fast-changing worldwide data privacy regulation landscape.

If you believe your local data privacy rights are missing from this global Privacy Policy and should have been mentioned, please contact our Data Privacy Officer at: info@rosc.ai

14. Your privacy rights

Rosc.ai respects your privacy rights and we want to make sure you are fully informed about your rights.

We will reply to each request we receive related to your privacy rights within a 30-day timeframe. For some especially complex requests, we might ask for a time extension in order to fulfill your request thoroughly, when allowed by law.

If you would like to exercise any of these rights, please contact Rosc.ai's Data Protection Officer at: info@rosc.ai

Every person we collect personal information about is entitled to the following:

The right to access (to know)

You have the right to contact Rosc.ai to request a copy of your personal data or to know which information we have about you.

The right to rectification (to correct)

You have the right to contact Rosc.ai to request that we correct any information you believe is inaccurate, or that we complete any information you believe is incomplete.

The right to erasure (to delete)

You have the right to contact Rosc.ai to request that we permanently delete the personal information we have about you that we obtained directly and indirectly, subject to certain conditions.

The right to de-index

You have the right to contact Rosc.ai to request that we stop disclosing your personal information or that we de-index (remove) any hyperlinks linking to it, subject to certain conditions.

The right to withdraw consent

You have the right to contact Rosc.ai at any time to withdraw consent you had given us previously.

The right to object to processing

You have the right to contact Rosc.ai to request that we stop the processing of your personal information, subject to certain conditions.

The right to restrict processing (to limit)

You have the right to contact Rosc.ai to request that we restrict the processing of all or some of your personal information, subject to certain conditions.

The right to opt out of sale or sharing

You have the right to contact Rosc.ai to request that we stop selling your personal information, or stop sharing it for the purpose of cross-context behavioral advertising.

The right to refuse the collection of biometric data

You have the right to refuse the collection of your biometric data (facial print, voice print, iris print, hand print, fingerprint, keystroke pattern, behavioral data, biological data, etc.) by Rosc.ai and request that we use an alternative system to fulfill the same purpose, subject to certain conditions.

The right against automated decision-making

You have the right to be informed if any decisions we made about you used automated decision-making systems. You have the right not to be subject to a decision that was based only on automated processes (including profiling) if this decision impacts you in a significant way, subject to certain conditions.

The right to data portability

You have the right to contact Rosc.ai to request that we transfer the data we have collected about you in a machine-readable format to another organization or directly to you, subject to certain conditions.

The right to grieve

You have the right to contact Rosc.ai to request access to the personal information of a deceased person who is a partner, spouse, or a close family member, subject to certain conditions.

The right to non-discrimination

You have the right to contact Rosc.ai to request any of these rights, without this action negatively impacting our relationship with you. Rosc.ai honors a strict non-discrimination policy. If you exercise your privacy rights with us, you can be assured that you will not be discriminated against and that you will receive the same quality of services or products from us.

15. How to contact us

If you have any questions or concerns about our Privacy Policy, our privacy practices, the personal information we have about you, or if you would like to exercise your privacy rights, please contact Rosc.ai's Data Privacy Officer:

By email: info@rosc.ai

16. How to file a complaint

If you feel that Rosc.ai, unfortunately, has not addressed your concern in a manner that is satisfactory to you and you wish to make a complaint, you may contact your own regional Data Protection Authority if it is different from Rosc.ai's location, or Rosc.ai's regional Data Protection Authority, which for British Columbia, Canada is the Office of the Information and Privacy Commissioner for British Columbia (OIPC).

17. Changes to our Privacy Policy

Rosc.ai revises its Privacy Policy on a regular basis to ensure it represents our current practices, and updates this web page when there are any changes. Please make sure to revisit our Privacy Policy regularly for the latest version.