Rover Analytics Privacy Policy
Last updated June 9, 2022
Welcome to Rover! We are helping your employer shop for a better health plan. To do this, we will need some information from you. At Rover Analytics, we respect your privacy and the confidentiality of your protected health information, or PHI. This Privacy Policy describes how Rover collects and treats your information during this process.
The Rover Analytics Privacy Promise
We want you to have a very clear understanding of how we collect and treat the information you entrust to us. Here is a summary of our promise to you, as detailed in this Privacy Policy:
- Rover is a service provider to your employer or its benefits advisor. We access and use your information with your consent or automatically with your permission and subject to our contract with your employer, benefits advisor, or insurance broker.
- Rover only accesses your PHI with your authorization.
- Your employer will never see your individual health data (it’s anonymous, your employer is just interested in the data of all employees as a group).
- We will ensure the confidentiality of your information in a responsible and professional manner.
- Rover is not governed by HIPAA, but we work with organizations that are and we comply with all legal standards that apply to the services we provide to those organizations.
- You may have privacy rights based on where you live. We provide courtesy notices in Section 11. You can exercise your rights by contacting your employer.
- If we change our privacy practices, we will update this page and, if necessary, request updated consents and permissions from you. You may also request the new notice be mailed to you.
- If you have any questions about Rover, you can contact support@roverai.co or 888-503-1575.
We encourage you to read this Privacy Policy in full to understand in detail how we collect and use your information. This Privacy Policy and your use of Rover is governed by and part of our Rules for Employee Users. Any additional, separate notices about our privacy practices we provide to you will be considered part of this Privacy Policy.
- About Rover.
In this Privacy Policy, Rover Analytics, LLC and our affiliates, corporate parent(s), and subsidiaries are collectively called “Rover,” “we” or “us.” Our healthcare software-as-a-service that uses secure and private automated technology to learn about the type of benefits that would be most useful to employees is called “Retriever.”
This Privacy Policy describes how we collect and treat information through Rover. It does not apply to information collected through your employer, healthcare provider, or insurance company’s websites or other services, even if they use Rover.
- Your Consent and Authorization.
By using or accessing Rover, you acknowledge and accept this Privacy Policy, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Policy, do not use Rover.
By giving us your health plan or insurance login credentials, you expressly authorize us to access and use the data maintained by that health plan or insurance on your behalf as your agent. You grant us a limited power of attorney and appoint us as your attorney-in-fact and agent to collect, use, and store your login credentials, account data, and any other data you submit to us. We will only use your information in connection with our Services as we have described them. For details, see Section 2(b) of the Rules for Employee Users.
- What counts as “Personal Information”?
When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. Personal Information falls within these categories:
- Identifiers (e.g., name, email address, address, telephone number, username);
- Sensitive Personal Information (e.g., state identification number, precise geolocation; racial or ethnic origin; biometrics; union membership; contents of messages when we are not the recipient; as well as protected health information, personal health information, PHI, EPHI, and similar terms of art, each as defined under applicable health privacy laws; and other health information generally);
- Protected classification information (e.g., race, citizenship, marital status, medical condition, sex, sexual orientation, veteran or military status);
- Biometric information (e.g., image, keystrokes, behavioral or biological characteristics);
- Internet or other similar activity (e.g., general location, content interactions, browsing history);
- Employment-related information (e.g., current or past employment);
- Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99); and
- Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies).
Not all of your information is protected as Personal Information. Specifically, Personal Information does not include (i) publicly available information; (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot be easily linked back to the individual.
- How does Rover collect and use Personal Information?
We only collect, use, retain, and disclose Personal Information as a service provider to your benefits advisor, insurance broker, or employer (to make this easy, we will call them your “Sponsor”). We limit our activities to what is reasonable and necessary and proportionate for Rover to function, or we might use it in other compatible ways that we would tell you about first. During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) sensitive Personal Information including health plan data; and (iv) internet activity. We collect this information from:
- Your health plan’s portal, with your authorization and consent and as a service provider to your Sponsor. Rover’s technology uses your health plan login credentials to retrieve your health plan data and run reports. Your data is always kept anonymous on those reports. Your Sponsor may send you an email with a link to Rover, where we will ask you to verify your identity and health plan(s) and use your health plan credentials to directly connect to the health plan website.
- Your employer or its benefits advisor, with a legitimate interest as a service provider. Your employer may provide Rover with your identifiers and health plan login credentials on your behalf to streamline its use of Rover. We receive this information subject to your grant of consent and authorization of your Sponsor and their privacy practices. We use this information to fulfill our contractual obligations as a service provider to your Sponsor. Please contact your employer if you have questions about any information your Sponsor has provided.
- From you, with your consent. Directly from your communications, with consent. If you contact us by email, phone or through Rover, you voluntarily provide us with your contact information and any other information related to your inquiry. We use this information to respond to your inquiry, and we may relay your message to your employer for follow-up.
- Automatically from your use of Rover, with a legitimate interest. Rover automatically collects technical data from your use of Rover to run analytics and statistics. We collect this information to achieve our legitimate interest to analyze usage, maintain and improve security, and manage and improve Rover.
In addition to the specific uses above, we might also use your Personal Information to: (i) provide services to or communicate with your Sponsor; (ii) send you support and administrative messages; (iii) monitor compliance with our agreements; (iv) protect your privacy and enforce this Privacy Policy; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to us, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process, or court order; or (vii) fulfill any other purpose to which you consent.
We will update this Privacy Policy or otherwise notify you through your Sponsor or obtain further consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.
- What about children’s privacy?
Rover is designed for use by adults, not children. We never knowingly collect Personal Information directly from children through Rover or elsewhere online. When you use Rover, you will be prompted to input Personal Information on behalf of your children. Any information you submit about your child is provided by you voluntarily and you consent to us collecting and processing your child’s Personal Information as part of your participation in your employer’s use of Rover.
If we discover that a child has provided us with Personal Information online without parent or guardian consent, we will delete their information from our systems. If you become aware of any unauthorized submission of information to us, please contact us at support@roverai.co.
Note that we cannot control and are not responsible for the privacy practices of your employer, benefits advisor, health plan, or healthcare provider, even if they access your child’s Personal Information through or in relation to Rover. Please contact that party directly if you have questions about their privacy practices.
- What about HIPAA?
Rover is not a covered entity or business associate subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As such, Rover is not subject to HIPAA controls. Rather, we provide an automated method for you to exercise your legal rights and access and share your own account data. Rover is not responsible for misuse or misinterpretation of account data by you or any other party. You agree that you will use Rover in accordance with all applicable laws and regulations.
- How long do we keep your information?
We only retain your Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Generally, we retain the data we retrieve from your health plan for up to 12 months. If you contact us with questions or concerns, we will retain your message and other information until the matter is resolved, or for a longer period if needed for our internal business purposes. We retain data collected via cookies for up to 12 months. Other types of data are retained and disposed of according to our company policies. We may retain Personal Information for longer if it may be the subject of a legal claim or may otherwise be relevant for future litigation. We periodically review and delete or deidentify unnecessary data. Note that your Sponsor may retain your Personal Information for different retention periods. Please contact them for details.
- Who can see your information?
We only disclose your Personal Information in limited circumstances and for specific purposes. Rest assured, we never disclose your individual health data to your employer. Any disclosures to your employer will keep your health plan data anonymous and will report it as part of a group.
- Categories and Sources Disclosed. In the last 12 months, we have disclosed all categories of Personal Information that we collected for a business purpose to:
- Your Sponsor’s Recipients. As a service provider, we may be directed to disclose information to recipients as requested by your Sponsor. For example, we may be instructed to disclose information to the benefits advisor engaged by your employer to select a health plan for employees. The benefits advisor must agree to our terms and conditions, which include contractual obligations to protect your information. Disclosures to third parties at the direction of your Sponsor are subject to their privacy practices, not ours. Please contact your employer if you have questions.
- Our Service Providers. We use a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. The type of information that we share with our service providers will depend on the service that they provide to us. Our service providers are subject to contractual agreements that protect your Personal Information, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information.
- Law Enforcement or Other Governmental Agencies as permitted or required by law. We are subject to certain federal and state laws that may require us to disclose your Personal Information to law enforcement or government agencies. For example, we must disclose information as needed to comply with our own reporting requirements, if we believe there is a serious health or safety threat, to comply with workers compensation laws, or to comply with mandated reporting laws.
- Other Third Parties. Under specific circumstances, we may disclose Personal Information to certain third parties as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or asset sale); to law enforcement as required by enforcement or judicial authorities; to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
- To Anyone Else, with Your Permission. We may disclose your information to any party or person with your permission. Please note that if we do so, the disclosed information may be re-disclosed by the receiving party and may no longer be protected by state and federal privacy rules.
- Aggregated and Deidentified Information. We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with affiliated or nonaffiliated entities for marketing, advertising, research, or other purposes, without restriction. For example, we may share reports showing trends about the general use of our Services without identifying an individual.
- Is Rover offered outside of the U.S.?
Rover is owned and operated in the United States and is designed for use by employee users in the United States. We do not market Rover outside of the United States. If you do not reside in the U.S., please do not submit any Personal Information to Rover.
- How does Rover keep your information secure?
Rover implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login and encryption in transit and at rest. We ensure that Rover employees, contractors, and agents responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements.
Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your online accounts secure from unauthorized access. We encourage you to take steps to protect against unauthorized access, such as choosing a robust password, keeping the password private, and signing off after using a shared computer or other device. Rover is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over the security measures used by your employer, health plan, or healthcare providers, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
- What does the law say?
Health privacy and consumer privacy laws provide you with certain rights depending on the type of information and where you live. This section provides information about those rights as a courtesy. Various factors may impact the applicability of certain rights or your ability to exercise those rights.
You must contact your employer to exercise your privacy rights, or if you want to express concerns, lodge a complaint, or request information. For general inquiries, please email support@roverai.co or call 888-503-1575. If you submit a privacy request directly to us, we will forward your request to your employer or the appropriate party for further processing and fulfillment.
- Protected Health Information. You have certain rights over your protected health information. These include:
- The right to ask us to restrict how we use or disclose your information for treatment, or health care operations. You also have the right to ask us to restrict information we may give to persons involved in your care. While we may honor your request for restrictions, we are not required to agree to these restrictions.
- The right to submit special instructions to us regarding how we send plan information to you that contains protected health information. For example, you may request that we send your information by a specific means (for example, U.S. mail only) or to a specified address. We will accommodate reasonable requests by you as explained above. We may require that you make your request in writing.
- The right to inspect and obtain a copy of information that we maintain about you in a designated record set. However, you may not be permitted to inspect or obtain a copy of information that is: (i) contained in psychotherapy notes; or (ii) compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
In certain situations, we may deny your request to inspect or obtain a copy of your information. If we deny your request, we will notify you in writing and will provide you with a right to have the denial reviewed. We may require that your request be made in writing. We will respond to your request no later than 30 days after we receive it. If the information you request is not maintained or accessible to us on-site, we will respond to your request no later than 60 days after we receive it. If we need additional time, we will inform you of the reasons for the delay and the date that we will be able to complete action on your request. If you request a copy, we will charge you a reasonable fee based on copying and postage costs.
- The right to ask us to amend information we maintain about you in a designated record set. We may require that your request be in writing and that you provide a reason for your request. We will respond to your request no later than 60 days after we receive it. If we are unable to act within 60 days, we may extend that time by no more than an additional 30 days. If we need to extend this time, we will notify you of the delay and the date by which we will complete action on your request.
If we make the amendment, we will notify you that it was made, and we will obtain your agreement to have us notify the relevant persons you have identified with whom the amendment needs to be shared. We will notify these persons, including their business associates, of the amendment.
If we deny your request to amend, we will notify you in writing of the reason for the denial. The denial will explain your right to file a written statement of disagreement.
- Residents of California and Certain Other U.S. States. This section provides disclosures and notices under the California Consumer Privacy Act of 2018 (“CCPA”) and notices to residents of Virginia, Colorado, Utah, Nevada, and other U.S. states with laws providing similar protections. The following paragraphs apply solely to residents of the State of California and other states to the extent the same legal protections apply (each a “Consumer”). These notices are offered as a courtesy only. You must contact your employer to exercise your privacy rights.
- Right to Disclosure. You have the right to request disclosure of information about our collection and use of your Personal Information, such as (i) the categories of Personal Information collected about you; (ii) the categories of sources for the Personal Information collected about you; (iii) the business purpose for collecting or selling that Personal Information; (iv) the categories of third parties with whom that Personal Information is shared; and (v) if your Personal Information was sold or disclosed for a business purpose, two separate lists stating (a) sales, identifying the Personal Information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. Depending on the laws that apply to you, we may only be required to respond to a certain number of disclosure requests within a 12-month period.
- Right to Correct. You have the right to request that your inaccurate Personal Information is corrected on our systems. If you become aware that the Personal Information that we hold about you is incorrect, or if your situation changes (e.g., you change address), please inform us and we will update our records.
- Right to Access. You have the right to request access to specific pieces of Personal Information collected about you (also called a data portability request). If you submit a right to access request, you will receive copies of the requested pieces of Personal Information in a portable and readily usable format. Please note that businesses are prohibited by law from disclosing copies of certain pieces of Personal Information (e.g., government identification numbers, financial account information, and passwords or security questions and answers) because the disclosure would create a substantial, articulable, and unreasonable risk to the security of the information, business systems, or your account. If you are a resident of the State of California, your request is limited to specific pieces of Personal Information collected about you over the past 12 months, and businesses are only required to respond to two such requests within a 12-month period.
- Right to Deletion. You have the right to request deletion of any of your Personal Information collected from you and retained, with certain exceptions. A business may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion.
- No Selling or Sharing Personal Information. We do not, and will not, sell the Personal Information we collect about you from your use of Rover or share your Personal Information with third parties for cross-contextual behavioral advertising purposes. If our practices change, we will update this Privacy Policy and provide opt-out methods.
- Limited Use and Disclosure of Sensitive Personal Information. Rover collects sensitive Personal Information in the form of health plan data, but we will never use or disclose your sensitive Personal Information for the purpose of inferring characteristics about you. If this ever changes in the future, we will update this Privacy Policy and provide methods to limit use and disclosure of sensitive Personal Information.
- Right to Opt-Out of Profiling. We do not use any form of automated processing of Personal Information to evaluate, analyze, or predict your performance, preferences, choices, or behavior. If this changes in the future, we will update this Privacy Policy to describe our use of profiling and options to opt-out.
- Right to Nondiscrimination. California Consumers are entitled to exercise their CCPA rights without being subject to discrimination. Unless permitted by law, a business must not: (a) deny you goods or services; (b) charge you different prices or rates for goods or services; (c) provide you a different level or quality of goods or services; (d) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (e) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under the CCPA.
- Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California Consumers to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.
Please be aware that, in many cases, Rover collects Personal Information about you in a business-to-business context or as part of your employment. Please note that Personal Information collected and used in this context is not protected under the CCPA and certain other US privacy laws.
- What about links to other websites?
We may provide links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy policy of any website you visit.
- What if things change?
If our privacy practices change or we amend this Privacy Policy, we will update this page and, if necessary, request updated consents and permissions from you. You may also request the new notice be mailed to you. You are responsible for periodically checking this page for changes. Your continued use of Rover following an update will be subject to the new Privacy Policy.
- Call Rover!