Privacy Policy

Effective date: January 30, 2026

1. Introduction

Roony ("we," "our," or "us") operates the Roony platform, an AI-powered claims resolution service for healthcare providers. This Privacy Policy explains how we collect, use, disclose, and protect your information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).

With respect to PHI, Roony acts as a Business Associate under HIPAA. Our use and disclosure of PHI is governed by the Business Associate Agreement ("BAA") between Roony and our customers. In the event of a conflict between this Privacy Policy and an executed BAA, the BAA shall control with respect to PHI. For all other personal information, Roony acts as the data controller.

2. Information We Collect

Account Data

When you create an account, we collect your name, email address, organization name, and National Provider Identifier (NPI). This information is used to authenticate you and manage your subscription.

Claim Data (Protected Health Information)

When you upload claims, we process patient names, dates of birth, subscriber IDs, diagnosis codes, CPT codes, payer information, and other data necessary to resolve claims on your behalf. This data constitutes PHI and is handled in accordance with HIPAA requirements and the terms of our BAA.

Usage Data

We automatically collect information about how you use the platform, including pages visited, features used, call volumes, and performance metrics. This data does not include PHI.

Information Collected Automatically

When you access the Service, we may automatically collect device information (such as browser type, operating system, and device identifiers), IP address, referring URLs, and information about your interactions with the platform. This information is collected through cookies and similar technologies as described in Section 6 below.

3. How We Use Your Information

  • To provide and operate the claims resolution service on your behalf.
  • To generate call strategies and extract insights from completed calls.
  • To process payments and manage your subscription.
  • To communicate with you about your account, service updates, and support requests.
  • To monitor and improve the security and performance of the Service.
  • To comply with legal obligations, including HIPAA requirements.
  • To improve our AI models and knowledge base using de-identified, aggregated data that cannot reasonably be used to identify any individual patient or organization.

4. How We Share Your Information

We do not sell your personal information or PHI. We may share your information in the following circumstances:

  • Service providers: We use third-party providers for infrastructure hosting, payment processing, authentication, voice telephony, and AI processing. These providers access only the data necessary to perform their functions and are contractually obligated to protect it. Where service providers access PHI, we maintain Business Associate Agreements as required by HIPAA.
  • Legal requirements: We may disclose your information when required to do so by law, regulation, subpoena, court order, or other governmental request.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.
  • With your consent: We may share your information for purposes not described in this policy with your prior consent.
  • De-identified data: We may share aggregated, de-identified data that cannot reasonably be used to identify you, your organization, or any individual patient.

5. Data Security

We implement administrative, physical, and technical safeguards to protect your information in accordance with HIPAA Security Rule requirements and industry best practices. These measures include:

  • Encryption: All PHI and sensitive data is encrypted at rest and in transit.
  • Audit logging: We maintain comprehensive audit logs of all access to PHI.
  • Data isolation: Your data is logically separated from other customers. Each organization's data is isolated to prevent unauthorized cross-tenant access.
  • Access controls: Role-based access controls limit data access to authorized personnel, and authentication is enforced on all protected resources.

While we take reasonable measures to protect your information, no method of transmission or storage is completely secure. If you become aware of a security incident, please contact us immediately.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. These include:

  • Essential cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.
  • Analytics cookies: Help us understand how users interact with the Service so we can improve the experience.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service. We do not sell your personal information and do not use tracking technologies for cross-site advertising.

7. Data Retention

We retain claim data and call records for seven (7) years in accordance with HIPAA retention requirements. After the retention period expires, data is permanently deleted unless a legal hold is in effect. You may request earlier deletion of your data, subject to our legal and regulatory obligations.

Upon account termination, you may request an export of your data. Following the export window, your data will continue to be retained only as required by applicable law and our retention policies, after which it will be securely deleted.

8. Your Rights

You have the following rights regarding your data:

  • Access: You may request a copy of the data we hold about you and your organization.
  • Correction: You may request correction of inaccurate data.
  • Deletion: You may request deletion of your data, subject to our legal retention obligations.
  • Portability: You may request an export of your claim and call data in a machine-readable format.

In addition, under HIPAA you may have the right to request an accounting of disclosures of your PHI, and to request restrictions on certain uses and disclosures. To exercise any of these rights, please contact us using the information provided below.

9. Business Associate Agreement

As a service provider that processes PHI on behalf of covered entities, we enter into Business Associate Agreements (BAAs) with our customers as required by HIPAA. If you require a BAA, please contact us prior to uploading any PHI to the platform.

10. Children's Privacy

The Service is designed for use by healthcare providers and revenue cycle management professionals. It is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, you may contact our Privacy Officer at privacy@roony.com or contact us.