Privacy Policy

Effective date: April 8, 2026

1. Introduction

Roony ("we," "our," or "us") operates the Roony platform, an AI-powered claims resolution service for healthcare providers. This Privacy Policy explains how we collect, use, disclose, and protect your information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).

With respect to PHI, Roony acts as a Business Associate under HIPAA. Our use and disclosure of PHI is governed by the Business Associate Agreement ("BAA") between Roony and our customers. In the event of a conflict between this Privacy Policy and an executed BAA, the BAA shall control with respect to PHI. For all other personal information, Roony acts as the data controller.

2. Information We Collect

Account Data

When you create an account, we collect your name, email address, and organization name. This information is used to authenticate you and manage your subscription.

Provider and Billing Data

When you set up billing clients within your organization, we collect provider identifiers including National Provider Identifiers (NPIs) and Tax Identification Numbers (TINs). This information is necessary for claim resolution and payer communication on your behalf.

Claim Data (Protected Health Information)

When you upload claims, we process patient names, dates of birth, subscriber IDs, diagnosis codes, CPT codes, payer information, and other data necessary to resolve claims on your behalf. This data constitutes PHI and is handled in accordance with HIPAA requirements and the terms of our BAA.

Call Data and Recordings

When our AI agents place calls to insurance payers on your behalf, we collect and store call transcripts, call summaries, extracted claim data, and audio recordings of each call. Call recordings may contain PHI spoken during the call, such as patient names, dates of birth, and member IDs. Recordings are hosted by our HIPAA-compliant voice telephony provider and are accessible within the platform. Call data is subject to the same retention policies and security controls as other PHI.

Inbound Call Data

If you call our inbound phone line, we may collect your name, phone number, email address, reason for calling, and a transcript and recording of the call. Inbound calls are handled by an AI voice agent. By calling our inbound number, you consent to the recording and processing of the call for the purpose of responding to your inquiry.

Usage Data

We automatically collect information about how you use the platform, including pages visited, features used, call volumes, and performance metrics. This data does not include PHI.

Information Collected Automatically

When you access the Service, we may automatically collect device information (such as browser type, operating system, and device identifiers), IP address, referring URLs, and information about your interactions with the platform. This information is collected through cookies and similar technologies as described in Section 6 below.

3. How We Use Your Information

  • To provide and operate the claims resolution service on your behalf, including placing and recording calls to insurance payers.
  • To generate call strategies and extract insights from completed calls using AI models.
  • To process payments and manage your subscription.
  • To communicate with you about your account, service updates, and support requests.
  • To monitor and improve the security and performance of the Service.
  • To comply with legal obligations, including HIPAA requirements.
  • To improve our knowledge base and service quality. When we extract general billing insights from calls (such as payer policies and denial resolution patterns), we instruct our AI models to exclude patient-specific information. However, these insights are stored within your organization's account and are not shared across organizations.

4. How We Share Your Information

We do not sell your personal information or PHI. We may share your information in the following circumstances:

  • Service providers: We use third-party providers to deliver the Service, including providers for cloud infrastructure and hosting, database management, payment processing, user authentication, voice telephony and call recording, and AI model inference. These providers access only the data necessary to perform their functions and are contractually obligated to protect it. Where service providers process, store, or transmit PHI, we maintain Business Associate Agreements as required by HIPAA.
  • Analytics providers: We use third-party analytics services to understand how users interact with the Service. These providers may set cookies and collect usage data as described in Section 6. Analytics data does not include PHI.
  • Legal requirements: We may disclose your information when required to do so by law, regulation, subpoena, court order, or other governmental request.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.
  • With your consent: We may share your information for purposes not described in this policy with your prior consent.

5. Data Security

We implement administrative, physical, and technical safeguards to protect your information in accordance with HIPAA Security Rule requirements and industry best practices. These measures include:

  • Encryption: Data is encrypted in transit using TLS. At rest, all database storage is encrypted at the infrastructure level. High-sensitivity PHI fields (such as patient names, dates of birth, member IDs, and call transcripts) receive additional application-level encryption using AES-256-GCM.
  • Audit logging: We maintain comprehensive audit logs of all access to PHI.
  • Data isolation: Your data is logically separated from other customers. Each organization's data is isolated to prevent unauthorized cross-tenant access.
  • Access controls: Role-based access controls limit data access to authorized personnel, and authentication is enforced on all protected resources.

While we take reasonable measures to protect your information, no method of transmission or storage is completely secure. If you become aware of a security incident, please contact us immediately.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. These include:

  • Essential cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.
  • Analytics cookies: We use third-party analytics services to understand how users interact with the Service. These services may set cookies and collect information such as pages visited, session duration, and interaction patterns. No PHI is shared with analytics providers.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service. We do not sell your personal information and do not use tracking technologies for cross-site advertising.

7. Data Retention

We retain claim data, call records (including transcripts and recordings), and related PHI for seven (7) years from the date of last activity, in accordance with HIPAA retention requirements. After the retention period expires, data is permanently deleted from our systems unless a legal hold is in effect. When a legal hold applies, data is preserved until the hold is released regardless of the standard retention period. You may request earlier deletion of your data, subject to our legal and regulatory obligations.

Inbound call data (including caller information, transcripts, and recordings) is subject to the same retention period.

Upon account termination, you may request an export of your data. Following the export window, your data will continue to be retained only as required by applicable law and our retention policies, after which it will be securely deleted.

8. Your Rights

You have the following rights regarding your data:

  • Access: You may request a copy of the data we hold about you and your organization.
  • Correction: You may request correction of inaccurate data.
  • Deletion: You may request deletion of your data, subject to our legal retention obligations.
  • Portability: You may request an export of your claim and call data in a machine-readable format.

In addition, under HIPAA you may have the right to request an accounting of disclosures of your PHI, and to request restrictions on certain uses and disclosures. To exercise any of these rights, please contact us using the information provided below.

9. Business Associate Agreement

As a service provider that processes PHI on behalf of covered entities, we enter into Business Associate Agreements (BAAs) with our customers as required by HIPAA. If you require a BAA, please contact us prior to uploading any PHI to the platform.

10. Children's Privacy

The Service is designed for use by healthcare providers and revenue cycle management professionals. It is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, you may contact our Privacy Officer at privacy@roonyai.com or contact us.