Rosy Health App - Privacy Policy

1. Introduction

Welcome to Rosy, a health tracking application designed to help you monitor and understand your wellness journey. This Privacy Policy and Terms of Use explain how we collect, use, protect, and share your information when you use our mobile application.

Important: Rosy aims solely to promote healthy living and wellbeing through wellness tracking and informational purposes only. It is not intended to diagnose, treat, cure, or prevent any medical condition. Rosy does not take responsibility for any injuries, damage, or adverse health outcomes. Always consult with qualified healthcare professionals for medical advice.

By using Rosy, you agree to the collection and use of information in accordance with this policy and our Terms of Use.

2. Data We Collect

2.1 Health and Wellness Data

• Symptoms, medications, and daily health observations you manually enter
• Vital signs and biometric data (blood pressure, heart rate, weight, etc.)
• Laboratory test results and health metrics you choose to input
• Sleep patterns, mood tracking, and exercise data
• Photos of health-related documents (if you choose to upload them)

2.2 Location Data (Optional)

• Precise location when using our healthcare facility finder feature
• Approximate location for regional health insights and emergency services
• You can disable location services at any time through your device settings

2.3 Device and Usage Information

• Device type, operating system, and app version
• App usage patterns and feature interactions (anonymized)
• Crash reports and performance data
• Push notification preferences

2.4 Account Information

• Email address (for account creation and communication)
• Profile information you choose to provide
• Communication preferences

2.5 Third-Party Integrations (With Your Consent)

• Apple Health/HealthKit data (iOS only)
• Google Fit data (Android only)
• Wearable device data from connected fitness trackers

3. How We Use Your Data

3.1 Primary Purposes

• Health Tracking: Enable you to log, track, and analyze your health data
• Insights and Trends: Provide personalized health insights and pattern recognition
• Healthcare Facility Finder: Help you locate nearby medical facilities using GPS
• Report Generation: Create shareable health reports for healthcare providers
• App Improvement: Enhance app functionality and user experience

3.2 Secondary Purposes (With Consent)

• Research: Anonymized, aggregated data for health research (opt-in only)
• Personalized Recommendations: Health tips and suggestions based on your data
• Communication: Send you app updates, health reminders, and support messages

3.3 Legal Basis for Processing (GDPR)

• Consent: For optional features and data sharing
• Contract Performance: To provide the core app functionality
• Legitimate Interest: For app improvement and security
• Legal Obligation: When required by applicable law

4. Data Sharing and Disclosure

4.1 We DO NOT Sell Your Personal Health Data

Your health information is never sold to third parties for commercial purposes.

4.2 Limited Sharing Circumstances

We may share your data only in these specific situations:

4.2.1 With Your Explicit Consent

• Healthcare providers you choose to share reports with
• Research studies you explicitly opt into
• Third-party health apps you connect to Rosy

4.2.2 Service Providers (Data Processors)

• Cloud storage providers (AWS, Google Cloud) - encrypted data only
• Analytics providers - anonymized usage data only
• Customer support services - limited to resolving your issues

4.2.3 Legal Requirements

• When required by law, court order, or government request
• To protect our legal rights or prevent harm
• In case of merger, acquisition, or business transfer (with notice)

4.2.4 Emergency Situations

• If you use emergency features, we may share location with emergency services
• Only with your explicit activation of emergency functions

5. Your Rights and Controls

5.1 GDPR Rights (EU Users)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interest
• Withdraw Consent: Revoke consent for optional data processing

5.2 CCPA Rights (California Users)

• Know: What personal information we collect and how it's used
• Delete: Request deletion of your personal information
• Opt-Out: Opt out of sale of personal information (note: we don't sell data)
• Non-Discrimination: Equal service regardless of privacy choices

5.3 Universal Controls

• Data Export: Download all your health data at any time
• Account Deletion: Permanently delete your account and associated data
• Privacy Settings: Control what data is collected and how it's used
• Communication Preferences: Manage notifications and emails

5.4 How to Exercise Your Rights

• In-App: Use Privacy Settings in the app
• Email: Contact admin@rosyroot.com
• Response Time: We respond within 30 days

6. Data Security

6.1 Technical Safeguards

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication: Multi-factor authentication available
• Access Controls: Role-based access with principle of least privilege
• Regular Security Audits: Third-party security assessments
• Secure Development: Security-by-design development practices

6.2 Organizational Safeguards

• Staff Training: Regular privacy and security training for all employees
• Background Checks: Security clearance for employees accessing user data
• Incident Response: Documented procedures for security breaches
• Data Minimization: We collect only necessary data for app functionality

6.3 Device-Level Security

• Local Storage: Sensitive data encrypted on your device
• Biometric Protection: Optional fingerprint/Face ID protection
• Automatic Logout: Configurable session timeouts
• Offline Capability: Core features work without internet connection

7. International Data Transfers

7.1 Cross-Border Data Transfers

Data may be transferred to countries outside your residence. We use appropriate safeguards for international transfers:

• EU Standard Contractual Clauses for GDPR compliance
• Adequacy Decisions where available
• Binding Corporate Rules for internal transfers

8. Data Retention

8.1 Retention Periods

• Active Account Data: Retained while your account is active
• Health Data: Retained for 7 years after account deletion (for medical record purposes)
• Usage Analytics: Anonymized data retained for 2 years
• Communication Records: Customer support records kept for 3 years

8.2 Deletion Process

• Account Deletion: Immediate removal of identifiable information
• Health Data Anonymization: Personal identifiers removed after account deletion
• Backup Purging: Complete removal from all systems within 90 days
• Third-Party Data: Coordinated deletion from service providers

9. Children's Privacy

9.1 Age Restrictions

• Rosy is not intended for users under 13 years old (under 16 in EU)
• We do not knowingly collect data from children under these age limits
• If we learn we have collected such data, we will delete it immediately

9.2 Parental Rights

• Parents can request access to their child's data
• Parents can request deletion of their child's data
• Contact us at admin@rosyroot.com for child data concerns

10. Contact Us

If you have any questions or concerns about this Privacy Policy or your data, contact us at:
Email: admin@rosyroot.com