Privacy Policies

Updated on: September 29, 2022


Rover's Privacy Policies

Last updated May 29, 2024

Rover helps your employer shop for a better health plan. To do this, we will need some information from you. At Rover, we respect your privacy and the confidentiality of your protected health information, or PHI. This Privacy Policy describes how Rover collects and treats your information during this process.

The Rover Privacy Promise

We want you to have a very clear understanding of how we collect and treat the information you entrust to us. Here is a summary of our promise to you, as detailed in this Privacy Policy:

● Rover is a service provider to your employer or its benefits advisor, third-party administrator, or general administrator. We access and use your information with your consent, or automatically with your permission or other authorization and subject to our contract with your employer, benefits advisor, or insurance broker.

● We only access your PHI with authorization.

● Your employer will never see your individual health data (it’s anonymous; your employer is only interested in the data of all employees as a group).

● We will ensure the confidentiality of your information in a responsible and professional manner.

● When we work with organizations that are governed by HIPAA, we comply with all legal standards that apply to the services we provide to those organizations.

● You may have privacy rights based on where you live. We provide courtesy notices in Section 11. You can exercise your rights by contacting your employer.

● If we change our privacy practices, we will update this page and, if necessary, request updated consents and permissions from you. You may also request the new notice be mailed to you.

● If you have any questions, you can contact security@roverai.co or 888-503-1575.

We encourage you to read this Privacy Policy in full to understand in detail how we collect and use your information. This Privacy Policy and your use of our Services is governed by and part of our Rules for Employee Users. Any additional, separate notices about our privacy practices we provide to you will be considered part of this Privacy Policy.

1. About Rover.

In this Privacy Policy, Rover Innovation Labs, Inc., and our affiliates, corporate parent(s), and subsidiaries are collectively called “Rover,” “we” or “us.” Our healthcare software-as-a-service that uses secure and private automated technology to learn about the type of benefits that would be most useful to employees is called our “Services.”

This Privacy Policy describes how we collect and treat information through Rover. It does not apply to information collected through your employer, healthcare provider, or insurance company’s websites or other services, even if they use Rover.

2. Your Consent and Authorization.

By using or accessing the Services, you acknowledge and accept this Privacy Policy, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Policy, do not use the Services.

By giving us your health plan or insurance login credentials, you expressly authorize us to access and use the data maintained by that health plan or insurance on your behalf as your agent. You grant us a limited power of attorney and appoint us as your attorney-in-fact and agent to collect, use, and store your login credentials, account data, and any other data you submit to us. We will only use your information in connection with our Services as we have described them. For details, see Section 2(b) of the Rules for Employee Users.

3. What counts as “Personal Information”?

When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. Personal Information falls within these categories:

● Identifiers (e.g., name, email, telephone number, address, username);

● Sensitive Personal Information (e.g., health data, government identification number; racial or ethnic origin; religious beliefs; contents of messages when we are not the recipient; in some cases, information about a known child);

● Legally protected information (e.g., race, citizenship, marital status, sex);

● Employment-related information (e.g., current or past employment);

● Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);

● Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;

● Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);

● Internet or other similar activity (e.g., browsing history; content interactions); and

● Inferences drawn from Personal Information to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.

Not all information about you is legally protected as Personal Information. For example, information that is publicly available, aggregated (data summaries or reports with Information Data removed), or anonymized information (data that cannot be linked back to an individual) is often not protected as Personal Information.

4. How do the Services collect and use Personal Information?

We only collect, use, retain, and disclose Personal Information as a service provider to your employer or its benefits advisor, insurance broker, third-party administrator, or general administrator (to make this easy, we will call them your “Sponsor”). We limit our activities to what is reasonable and necessary and proportionate for Rover to function, or we might use it in other compatible ways that we would tell you about first. During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) sensitive Personal Information including health data; and (iv) internet activity. We collect this information:

a. Your health plan’s portal, with your authorization and consent and as a service provider to your Sponsor. The Services use your health plan login credentials to retrieve your health plan data and run reports. Your data is always kept anonymous on those reports. Your Sponsor may send you an email with a link to the Services, where we will ask you to verify your identity and health plan(s) and use your health plan credentials to directly connect to the health plan website.

b. Your employer or its benefits advisor, with a legitimate interest as a service provider. Your employer may provide the Services with your identifiers and health plan login credentials on your behalf to streamline its use of the Services. We receive this information subject to your grant of consent and authorization to your of your Sponsor and their privacy practices. We use this information to fulfill our contractual obligations as a service provider to your Sponsor. Please contact your employer if you have questions about any information your Sponsor.

c. From you, with your consent. Directly from your communications, with consent. If you contact us by email, phone or through the Services, you voluntarily provide us with your contact information and any other information related to your inquiry. We use this information to respond to your inquiry, and we may relay your message to your employer for follow-up.

d. Automatically from your use of the Services, with a legitimate interest. The Services automatically collect technical data from your use of the Services to run analytics and statistics. We collect this information to achieve our legitimate interest to analyze usage, maintain and improve security, and manage and improve the Services.

In addition to the specific uses above, we might also use your Personal Information to: (i) provide services to or communicate with your Sponsor; (ii) send you support and administrative messages; (iii) monitor compliance with our agreements; (iv) protect your privacy and enforce this Privacy Policy; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to us, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process, or court order; or (vii) fulfill any other purpose to which you consent.

We will update this Privacy Policy or otherwise notify you through your Sponsor or obtain further consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.

5. What about children’s privacy?

Our Services are designed for use by adults, not children. We never knowingly collect Personal Information from children through the Services or elsewhere online. When you use the Services, you will be prompted to input Personal Information on behalf of your children. Any information you submit about your child is provided by you voluntarily and you consent to us collecting and processing your child’s Personal Information as part of your participation in your employer’s use of the Services.

If we discover that a child has provided us with Personal Information online without parent or guardian consent, we will delete their information from our systems. If you become aware of any unauthorized submission of information to us, please contact us at security@roverai.co.

Note that we cannot control and are not responsible for the privacy practices of your Sponsor, health plan, or healthcare provider, even if they access your child’s Personal Information through or in relation to the Services. Please contact that party directly if you have questions about their privacy practices.

6. What about HIPAA?

If a Sponsor or other tenant contracting to use the Services is a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Rover provides the Services to that Sponsor or other tenant as a business associate subject to a HIPAA business associate agreement. Each Sponsor or other User of the Services is responsible for determining its status under HIPAA and similar laws and regulations governing health data privacy for the purposes of using the Services. Rover is not responsible for misuse or misinterpretation of account data by you, your Sponsor, or any other party. Please contact your Sponsor if you have questions about HIPAA or health data privacy.

7. How long do we keep your information?

We only retain your Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Generally, we retain the data we retrieve from your health plan for 3 years. If you contact us with questions or concerns, we will retain your message and other information until the matter is resolved, or for a longer period if needed for our internal business purposes. We retain data collected via cookies for 3 months. Other types of data are retained and disposed of according to our company policies. We may retain Personal Information for longer if it may be the subject of a legal claim or may otherwise be relevant for future litigation. We periodically review and delete or deidentify unnecessary data. Note that your Sponsor may retain your Personal Information for different retention periods. Please contact them for details.

8. Who can see your information?

We only disclose your Personal Information in limited circumstances and for specific purposes. Rest assured, we never disclose your individual health data to your employer. Any disclosures to your employer will keep your health plan data anonymous and will report it as part of a group.

a. Categories and Sources Disclosed. In the last 12 months, we have disclosed all categories of Personal Information that we collected for a business purpose to:

Your Sponsor’s Recipients. As a service provider, we may be directed to disclose information to recipients as requested by your Sponsor. For example, we may be instructed to disclose information to the benefits advisor engaged by your employer to select a health plan for employees. The benefits advisor must agree to our terms and conditions, which include contractual obligations to protect your information. Disclosures to third parties at the direction of your Sponsor are subject to their privacy practices, not ours. Please contact your employer if you have questions.

Our Service Providers. We use a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. The type of information that we share with our service providers will depend on the service that they provide to us. Our service providers are subject to contractual agreements that protect your Personal Information, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information.

Law Enforcement or Other Governmental Agencies as permitted or required by law. We are subject to certain federal and state laws that may require us to disclose your Personal Information to law enforcement or government agencies. For example, we must disclose information as needed to comply with our own reporting requirements, if we believe there is a serious health or safety threat, to comply with workers compensation laws, or to comply with mandated reporting laws.

Other Third Parties. Under specific circumstances, we may disclose Personal Information to certain third parties as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or asset sale); to law enforcement as required by enforcement or judicial authorities; to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.

To Anyone Else, with Your Permission. We may disclose your information to any party or person with your permission. Please note that if we do so, the disclosed information may be re-disclosed by the receiving party and may no longer be protected by state and federal privacy rules.

b. Aggregated and Deidentified Information. We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with affiliated or nonaffiliated entities for marketing, advertising, research, or other purposes, without restriction. For example, we may share reports showing trends about the general use of our Services without identifying an individual.

9. Will your information ever leave the U.S.?

No. Rover is owned and operated in the United States and is designed for use in the United States. We do not market the Services outside of the United States. If you do not reside in the U.S., please do not submit any Personal Information to Rover or the Services.

10. How does Rover keep your information secure?

We implement and maintain reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login and encryption in transit and at rest. We ensure that Rover employees, contractors, and agents responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements.

Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your online accounts secure from unauthorized access. We encourage you to take steps to protect against unauthorized access, such as choosing a robust password, keeping the password private, and signing off after using a shared computer or other device. Rover is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over the security measures used by your employer, health plan, or healthcare providers, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.

11. What does the law say?

Health privacy and consumer privacy laws provide you with certain rights depending on the type of information and where you live. This section provides information about those rights as a courtesy. Various factors may impact the applicability of certain rights or your ability to exercise those rights.

You must contact your employer to exercise your privacy rights, or if you want to express concerns, lodge a complaint, or request information. For general inquiries, please email security@roverai.co or call 888-503-1575. If you submit a privacy request directly to us, we will forward your request to your employer or the appropriate party for further processing and fulfillment.

a. Protected Health Information. You have certain rights over your protected health information. These include:

● The right to ask us to restrict how we use or disclose your information for treatment, or health care operations. You also have the right to ask us to restrict information we may give to persons involved in your care. While we may honor your request for restrictions, we are not required to agree to these restrictions.

● The right to submit special instructions to us regarding how we send plan information to you that contains protected health information. For example, you may request that we send your information by a specific means (for example, U.S. mail only) or to a specified address. We will accommodate reasonable requests by you as explained above. We may require that you make your request in writing.

● The right to inspect and obtain a copy of information that we maintain about you in a designated record set. However, you may not be permitted to inspect or obtain a copy of information that is: (i) contained in psychotherapy notes; or (ii) compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

In certain situations, we may deny your request to inspect or obtain a copy of your information. If we deny your request, we will notify you in writing and will provide you with a right to have the denial reviewed. We may require that your request be made in writing. We will respond to your request no later than 30 days after we receive it. If the information you request is not maintained or accessible to us onsite, we will respond to your request no later than 60 days after we receive it. If we need additional time, we will inform you of the reasons for the delay and the date that we will be able to act on your request. If you request a copy, we will charge you a reasonable fee based on copying and postage costs.

● The right to ask us to amend information we maintain about you in a designated record set. We may require that your request be in writing and that you provide a reason for your request. We will respond to your request no later than 60 days after we receive it. If we are unable to act within 60 days, we may extend that time by no more than an additional 30 days. If we need to extend this time, we will notify you of the delay and the date by which we will complete action on your request.

If we make the amendment, we will notify you that it was made, and we will obtain your agreement to have us notify the relevant persons you have identified with whom the amendment needs to be shared. We will notify these persons, including their business associates, of the amendment.

If we deny your request to amend, we will notify you in writing of the reason for the denial. The denial will explain your right to file a written statement of disagreement.

b. United States Consumer Privacy Rights. In the United States, consumer privacy rights are provided under state laws and industry-specific privacy rights are provided under federal laws. This section provides informational notices related to privacy laws for states that have comprehensive consumer privacy laws (e.g., California, Colorado, Connecticut, Nevada, Oregon, Tennessee, Texas, Utah, Virginia, and other states that require companies to inform consumers about their privacy rights and provide a method to exercise those rights). Residents of states offering privacy protections (each a “Consumer”) may be entitled to some or all of the privacy rights listed in this section.

Please note that some privacy laws do not apply to Rover or the Services. Rover will support your exercise of privacy rights to the extent required of us under applicable law. THESE NOTICES ARE OFFERED AS A COURTESY ONLY. CONTACT YOUR SPONSOR TO EXERCISE YOUR PRIVACY RIGHTS.

Right to Correct. You may have the right to request that we correct inaccurate Personal Information about you on our systems. If you become aware that the Personal Information that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.

Right to Deletion. You may have the right to request that we delete your Personal Information that we collected and retained, with certain exceptions. We may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion.

Right to Access. Some states give Consumers the right to request confirmation that we have collected Personal Information about you and that we provide you with access to that Personal Information. If you submit an access request, we will provide you with copies of the requested pieces of Personal Information in a portable and readily usable format. Please note that we may be prohibited by law from disclosing certain pieces of Personal Information, and we may be limited in the number or frequency of requests we must fulfill.

Right to Disclosure. You may request that we disclose information to you about our collection and use of your Personal Information, such as: (a) the categories of Personal Information we have collected about you; (b) the categories of sources for the Personal Information we have collected about you; (c) our business purpose for collecting, using, processing, sharing or selling that Personal Information, as applicable; (d) the categories of third parties with whom we share that Personal Information; and (e) if we “sold” or “shared” your Personal Information (as defined under privacy laws), two separate lists stating: (i) sales or sharing, identifying the Personal Information categories that each category of recipient purchased; and (ii) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.

Limited Use and Disclosure of Sensitive Personal Information. Some states offer Consumers the right to opt-out or limit the use of sensitive Personal Information. Rover does not collect sensitive Personal Information from our customers or potential customers, and we never use sensitive Personal Information for any purpose without consent. If a customer uses our Services to collect sensitive Personal Information of their end users, that customer does so according to its own privacy practices, not ours.

No Selling and Sharing. Some states entitle Consumers to opt-out of the sale or sharing of their Personal Information for targeted advertising practices. Rover does not sell your Personal Information, nor do we share your Personal Information with third parties for cross-contextual behavioral advertising purposes. If this changes in the future, we will update this Privacy Statement and provide you with a method to opt-out.

No Profiling. Some privacy laws provide the right to opt-out of automated profiling. The Services use automated processing and profiling to generate analytics to better match the group of participants in your Sponsor’s health plan to health insurance and health care products and services available through the Services. Your Sponsor will ultimately determine which health plan and related products and services to offer. The Services do not use automated processing to predict your interests and there is always a human intervention component when the Services might produce a significant effect that concerns you. Please contact your Sponsor with any questions.

Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (a) deny you goods or services; (b) charge you different prices or rates for goods or services; (c) provide you a different level or quality of goods or services; (d) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (e) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.

Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.

Consumers whose Personal Information is included in Project data should contact the applicable customer. Otherwise, Consumers may exercise these rights by submitting a Privacy Request to security@roverai.co. Only you or someone legally authorized to act on your behalf may make a verifiable Privacy Request related to your Personal Information. You may also make a verifiable Privacy Request on behalf of your minor child. You may designate a third party to exercise your rights – an authorized agent – however we will require written proof of the authorization and potentially proof of your identity.

Please be aware that, in many cases, the Services collect Personal Information about you in a business-to-business context or as part of your employment. Please note that Personal Information collected and used in this context is not protected under the CCPA and certain other US privacy laws.

12. What about links to other websites?

We may provide links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy policy of any website you visit.

13. What if things change?

If our privacy practices change or we amend this Privacy Policy, we will update this page and, if necessary, request updated consents and permissions from you. You may also request the new notice be mailed to you. You are responsible for periodically checking this page for changes. Your continued use of the Services following an update will be subject to the new Privacy Policy.

14. Call Rover!

If you have questions about our privacy practices or would like to make a complaint, please contact us at security@roverai.co or by calling 888-503-1575.

If you believe your privacy rights have been violated, you may file a complaint with us by writing to Appeals & Grievances at:

Rover Innovation Labs, Inc.
Attn: Appeals and Grievance
745 NW Hoyt St #28114
Portland, OR 97228

You may also notify the Office of Civil Rights, U.S. Department of Health and Human Services of your complaint. We will not take any action against you for filing a complaint. You may contact the Office of Civil Rights at:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W. Washington, D.C. 20201
OCR Hotlines-Voice: 1-800-368-1019 Web site: Office For Civil Rights
