
Rosa Privacy Policy

V3.0 - 9 June 2025

What we do with your data is your matter

This document explains why and how Rosa processes personal data of data subjects. Please note that this document is available in Dutch, English and French. The English PDF version of this Privacy Policy shall prevail in case of conflicts between the different versions.

Rosa cares about the protection of your personal data and undertakes to comply with the provisions relating to the protection of personal data in force in Belgium, including the General Data Protection Regulation, 2016/679 (hereinafter GDPR).

If you have an agreement with Rosa as a health professional or as a registered patient, this privacy policy is part of that agreement. 

To communicate with Rosa about this Privacy Policy (including to provide feedback or ask questions), to discuss Rosa’s processing of your personal data, to notify Rosa of an actual or suspected data breach, or to exercise your rights concerning personal data, please send an email to our Data Protection Officer (DPO) at gdpr@rosa.be.

Guiding Principles

Rosa wants to strengthen health relationships

Rosa helps health professionals and their patients to exchange information in a confidential, secure and trusted environment. We have no other ambitions, and we do not use personal data for other purposes.

You are in control

Rosa has the ambition to give its users control over their information. Over time, we will add functionalities to our applications to let you access more information and decide what to do with it, with whom you want to share it, etc.

There is nothing else

This document describes everything Rosa does with the personal data it processes as part of its activities.

Categories of data subjects
Rosa has identified six different categories of data subjects:
  • Patients*;
  • Health professionals;
  • Research participants;
  • Prospective staff;
  • Visitors and users of Rosa’s website and applications; and
  • All other individuals dealing with Rosa in the course of its business.
This Privacy Policy is organized in a way that makes it easier for each of those categories to access the information that’s most relevant to them.

* In this Privacy Policy, unless the context requires otherwise, “patient” refers to both the individual using (e.g. making an appointment, joining a teleconsultation, receiving an attestation,...) Rosa (the “user” of Rosa’s application) and the individual for whom the Services are used (the actual patient seeing the health professional). In most instances, the user is also the patient. In some instances, however, a user can interact with Rosa on behalf of a patient (for instance, a parent making an appointment for their child; where the parent is the user and the child is the patient). 

You must be over the age of thirteen (13) to use Rosa, insofar as You are authorized to do so by applicable law, or, where applicable, with the authorization of Your legal representatives. If You are under the age of thirteen (13) only an adult with parental authority may use Rosa for You. If You use Rosa for a minor, You guarantee that the minor has been provided with information relating to the processing of his/her Personal Data, according to his/her level of maturity.

Categories of Personal Data Processing Activities

The personal data processing activities of Rosa are divided into two categories. This distinction has an important impact, because it determines who exercises the main control over, and is ultimately responsible for, the processing activity in question. This also determines who to contact if you have questions or requests about the processing of certain personal data.

  • Personal data that Rosa processes for health professionals. For the activities in this category, Rosa provides the tools and stores personal data on behalf of the health professionals who use the applications. Rosa does not determine the content of the information nor the purpose and the essential means of the processing. The health professionals are in control and the role and obligations of Rosa are strictly defined in the data processing agreement between them as data controller and Rosa as data processor. Health professionals working for a hospital can only use Rosa in relation to their hospital practice if that hospital has entered into an agreement with Rosa. In that case, where Rosa acts as a data processor, it is on behalf, and under the instructions, of the relevant hospital. That hospital is in control and the role and obligations of Rosa are strictly defined in the agreement between the hospital as data controller and Rosa as data processor. Unless the context requires otherwise, “health professional” refers to both the health professional working solo or in group practice and the hospital that entered into an agreement with Rosa.
  • Personal data that Rosa processes for its own needs. The activities in this category are determined by Rosa and undertaken to fulfill its own objectives or obligations. Rosa takes full responsibility for these activities and is acting as a data controller. 

All personal data processing activities carried out by Rosa are described in the next sections. 

Personal data that Rosa processes as a data processor on behalf, and under the instructions, of health professionals

The following is a list of data we collect, process or store, as a data processor on behalf, and under the instructions, of health professionals:

  • Patient Records Information
  • Strong Authentication and Identification of patients
  • Appointment Information
  • Prescriptions information
  • Confirmation and Reminder Emails/SMS/App notifications Sent to Patients
  • Use of Rosa eBilling by a Health Professional
  • Use of Rosa Teleconsultation by a Health Professional

Below, we describe what these terms mean and which personal data Rosa processes.

About whom?
The data contains personal data about health professionals, patients and, where the Services were used by another individual on behalf of the patient (referred to as the ‘user’), about that user. 

For which purpose and on what legal basis?
Rosa processes personal data solely on behalf of, and under the instructions of, the relevant health professional, for the purpose of delivering health services to their patients. The legal basis for this processing is determined by the data controller (i.e. the health professional), in line with their specific context and obligations under applicable data protection laws.

Who has access?
The data is sensitive data that is only accessible to the relevant health professional and, where the health professional is part of a group practice or is acting as a member of a hospital, the data may also be accessible to the health professionals of their group practice or hospital for care continuity, their staff for health administration, and/or Rosa staff for technical support requests from the health professional.
In addition, the data is occasionally accessible to patients themselves (e.g. through confirmation emails or patient portals), or their mandataries.  

How can a data subject exercise their rights in relation to this data processing? 
Patients can exercise their rights by contacting the relevant health professional. Health professionals can exercise their rights by contacting the relevant Rosa account owner. 

How long does Rosa keep that information? 
Rosa retains the information only as long as necessary to comply with the instructions of the relevant health professional. After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures. 
Patient Records Information

What is it?

Each time an event (e.g. an appointment, a teleconsultation, an attestation,...) at a specific health professional is created for a new patient, Rosa creates a “patient record” in relation to that patient for the benefit of the relevant health professional. 

What personal data does Rosa process?

Patient records may contain the following personal data of a patient:

  • First name;
  • Last name;
  • Date of birth;
  • National registry number (SSIN/BIS);
  • Phone numbers;
  • E-mail addresses;
  • Postal addresses;
  • Gender;
  • Contact details of the person(s) of contact;
  • First name and last name of family members;
  • History of Rosa events (e.g. booking, teleconsultation, attestation,...);
  • History of non-Rosa events (conditional to partner software integrations);
  • Account status and restrictions; and
  • Any other information about the patient that the health professional might have referred to in a note.

Where the Rosa Services are used on behalf of the patient, by an individual (referred to as a “user”) who is not the patient, patient records may also contain the following personal data of a user: 

  • First name;
  • Last name;
  • Date of birth;
  • Phone numbers; and 
  • E-mail addresses.
Strong Authentication and Identification of patients

What is it? 

Some health professionals require patients to strongly authenticate and identify themselves for a given event (e.g. booking an appointment, accessing a patient portal, generating an attestation, joining a teleconsultation,...).

What personal data does Rosa process? 

Strong authentication and identification of patients may contain the following personal data of a patient:

  • First name and last name
  • Date of birth
  • National registry number (SSIN/BIS)
  • The language preference of the user's interface
  • The existence of a mandate assigned to the user

Additional purpose and legal basis 

Law of August 8, 1983, organizing a National Register of Natural Persons ("RN Law"). Healthcare institutions may be granted access to National Register data and the National Registry Number based on Article 5, §1, 2° of the RN Law, Article 8§3 of the RN Law, and Deliberation RN n°21/2009, for the purpose of managing the patient's medical record.

Based on Article 5, §1, 3° of the RN Law, healthcare institutions that have received this authorization (or are exempt from it) may engage a processor to carry out the aforementioned data processing activities.

As a result, Rosa may also receive the National Registry Number as a processor, acting on behalf of and under the instructions of healthcare institutions for the purpose of managing the patient's medical record and the sub-purpose of patient identification and authentication.

Additional information 

National registry numbers (SSIN/BIS) are only stored temporarily on the user’s device and are deleted at the end of the session. Session duration varies by platform. When the data is incorrect, patients can exercise their rights with the relevant State authority. 

Appointment Information

What is it?

Each time an appointment is booked or accessed through Rosa, Rosa collects and processes some information about that booking.

What personal data does Rosa process?

Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Specialty and areas of expertise of the health professional;
  • Date and place of the appointment;
  • Motive and/or visit reason for the appointment (as defined by the relevant health professional or resource);
  • The status of the appointment and, when canceled, who canceled and when;
  • Answers to medical questions (e.g. through a form);
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.
Prescriptions information

What is it?

Some health professionals or resources (e.g. imagery exams) require a prescription to schedule an appointment. 

What personal data does Rosa process?

Rosa processes personal data related to prescriptions when a patient books an appointment online where the health professional requires the upload of a valid prescription. 

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Specialty and areas of expertise of the health professional;
  • Date and place of the appointment;
  • Motive and/or visit reason for the appointment (as defined by the relevant health professional or resource);
  • The status of the appointment and, when canceled, who canceled and when;
  • Answers to medical questions (e.g. through a form);
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.
Confirmation and Reminder Emails/SMS/App Notifications Sent to Patients

What is it?

Each time a patient books, modifies or cancels an appointment through Rosa, Rosa will send a confirmation email to that patient. Based on the health professional’s notification parameters, Rosa might also send to the patient (i) a confirmation email / SMS when a health professional makes, modifies or cancels a booking with that patient; and/or (ii) reminder email(s) / SMS prior to the appointment. If the patient uses the Rosa mobile app and has consented to receiving push notifications, Rosa may also send push notifications for any appointment confirmation, cancellation, reminder or modification.

What personal data does Rosa process?

When a confirmation or a reminder email / SMS / push notification is sent, Rosa processes the following personal data:

  • First name of the patient;
  • Email address of the patient;
  • Mobile phone number of the patient;
  • First name and last name and contact details of the health professional (or the contact details of the medical practice);
  • Details of the appointment (which may include motive, date, time, and place of the appointment, as well as specific instructions from the relevant health professional); and 
  • Details of the notification (which may include delivery status and details)

Additional information

The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. Data related to push notifications may be processed by our mobile app distribution platforms. You can find more information about Rosa’s service providers on the page Data Processors.  

 

Use of Rosa eBilling by a Health Professional

What is it? 

Health professionals have the option to use Rosa to (i) consult information about the insurability (and derived rights) of a patient in order to carry out an invoice or to deliver products or services; (ii) generate an electronic attestation or an electronic invoice; and (iii) encode payment methods and track payments.

These features are referred to as ‘Rosa eBilling’. 


What personal data does Rosa process?

When a health professional uses Rosa eBilling, they need to log in to their Rosa account and they need to authenticate with their eHealth certificate. Rosa may therefore process the health professional account management data and data from the eHealth certificate. 

The health professional shall process patient data, including relevant appointment information, patient record information, payment information (whether the payment has been made or not and the payment method), and patient data made available to them by, or on behalf of, the NIHII (INAMI/RIZIV) (such as, for example, the nomenclature of health services performed by the health professional for that patient).

Additional information

Rosa eBilling information is only accessible to the relevant health professional, the patient involved and their Mutuality, the inter-mutuality (CIN-NIC) and social security services.

Use of Rosa Teleconsultation by a Health Professional

What is it? 

Some health professionals offer remote consultations via secure video calls. 

What personal data does Rosa process? 

Rosa processes personal data related to teleconsultations: 

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Date of the appointment;
  • The status of the teleconsultation (e.g. if the patient is in the virtual waiting room);
  • Answers to medical questions (e.g. through a form);
  • Any relevant document exchanged on the platform; and
  • Chat messages exchanged during the teleconsultation.

Additional information

The secure video call can also be processed by Rosa’s video streaming service provider. You can find more information about Rosa’s service providers on the page Data Processors.

Personal data that Rosa processes for its own needs, as a data controller

Health Professionals Account Management

What is it?

When a health professional wishes to use Rosa, they need to create an account. They will need to connect to their account to access Rosa’s various Services or to get technical support from Rosa.
Rosa may also temporarily log in to a health professional’s account to provide support and assistance with technical issues.
 

What personal data does Rosa process?

When a health professional creates an account or wishes to get Rosa’s support in relation to their account, Rosa may collect, access, use or generate the following personal data in relation to that health professional:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Password created by the user to set up their account;
  • Postal address;
  • Spoken language;
  • INAMI/RIZIV or VISUM number and associated profession; 
  • Health visa validity;
  • Enterprise/VAT number;
  • Electronic payment details;
  • Payment history; and 
  • Any other information from, or related to, a health professional’s account or that the health professional may share with, or send to Rosa for support purposes.

About whom?

Health professionals account management information contains personal data about all health professionals who have created an account with Rosa. 

For which purpose and on what legal basis?

Purposes:

  1. To fulfill its obligations under the contract between Rosa and the health professional;
  2. To process payments, including invoices (if applicable); and
  3. To offer support to, and communicate with, the health professional.

Legal Bases: Performance of a contract (art. 6.1(b) GDPR).

Who has access to the user and account management information?

Customer account management information is only accessible to the relevant customer and/or Rosa. Rosa uses the services of Mollie B.V. (Mollie), a regulated payment service provider located in The Netherlands, to manage online payments. Payment methods available include Bancontact. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.

How can a health professional exercise their rights in relation to their account management information?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.

How long does Rosa keep the account management information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional. To protect against litigation or comply with its legal obligations, Rosa might keep some data for up to 10 years after the end of the agreement.

Strong Authentication and Identification of Health Professionals

What is it?

To increase the trust and security of its platform, Rosa requires health professionals to strongly authenticate and identify themselves when creating an account. 
 
 

What personal data does Rosa process?

Strong authentication and identification of health professionals may contain the following personal data of a health professional:

  • First name and last name;
  • National registry number (NISS/BIS);
  • NIHII (INAMI/RIZIV) or VISUM number and associated profession;
  • Health visa validity.

About whom?

Strong authentication and identification of health professionals contains personal data about all health professionals who have created an account with Rosa.

For which purpose and on what legal basis?

Purposes: To enable strong authentication of Health Professionals in accordance with Rosa’s service agreement. This authentication enhances trust and security and reduces the risk of erroneous or fraudulent identification.

Legal Bases: The legal basis for this processing is the necessity for the performance of a contract (Art. 6.1, (b) GDPR).

Who has access to the strong authentication and identification of health professionals?

Strong authentication and identification data of health professionals is only accessible to Rosa.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

The authentication and identification data is received and stored temporarily on the user’s device and is deleted at the end of the session. Session duration varies by platform. 
Rosa will further store the data strictly necessary for the health professional account management on its servers, see the section “Health professionals account management”:

  • First name and last name
  • NIHII (INAMI/RIZIV) or VISUM number and associated profession
  • Health visa validity

Health Professional Public Profile Information (‘Rosa Profile’)

What is it?

Rosa offers health professionals using its online calendar and/or booking application the possibility to publish some information about themselves and the services they offer.

What personal data does Rosa process?

When a health professional chooses to create, fill in and publish their Rosa Profile, Rosa may process the following personal data about that health professional:

  • Photo;
  • First and last name;
  • INAMI/RIZIV number;
  • Gender;
  • Spoken language;
  • Specialty and areas of expertise;
  • Professional address(es);
  • Contact details;
  • Education and background;
  • Availabilities for appointments;
  • Health costs such as contracted status, accepted payment methods and fees; and
  • Any other personal information that the health professional wishes to publicly share on their profile. 

About whom?

Rosa Profile contains personal data about health professionals.

For which purpose and on what legal basis?

Purpose: Online communication of health professionals’ details to the public and allowing current or new patients to book appointments with those health professionals.

Legal Basis: Performance of a contract (i.e. the contract the health professional or hospital has entered into with Rosa) (art. 6.1(b) GDPR).

Who has access to your Rosa Profile?

Once activated, Rosa Profile is accessible to anyone online and may appear in search engine results. To increase health professionals’ online visibility and facilitate online booking appointments, Rosa may communicate limited information from a Rosa Profile (e.g. the URL of your Rosa Profile page) to its partners (e.g. online medical registries) to allow them to create a referral link from their platform or website to your Rosa Profile page on Rosa. For the sake of clarity, Rosa will always ensure that its partners guarantee that they already have information about you in compliance with applicable laws, including GDPR, and Rosa will only allow them to create a referral link to your existing Rosa Profile (not to create a new profile on their platform without your consent). 

How can a health professional exercise their rights in relation to their Rosa Profile?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Health professionals working for a hospital that has entered into an agreement with Rosa shall contact their hospital to exercise their rights in relation to their hospital-related Rosa Profile.

How long does Rosa keep the Rosa Profile?

Upon termination of the agreement between you (or the relevant hospital) and Rosa, Rosa will remove your Rosa Profile from its online applications. Rosa will delete your Rosa Profile within 30 days from the end of the agreement between Rosa and the health professional or the relevant hospital.

Notification Emails Sent to Health Professionals

What is it?

Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.

What personal data does Rosa process?

When a notification email is sent, Rosa processes the following personal data:

  • First name and last name of the patient and whether it is a new patient;
  • Contact details of the patient;
  • Email address of the health professional; and
  • Date, time, motive and place of the appointment.

About whom?

Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).

For which purpose and on what legal basis?

Purpose: To fulfill its obligations under the contract between Rosa and the health professional.

Legal Bases: Performance of a contract (i.e. the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

Who has access to the notification emails?

The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures.

Marketing Emails Sent to Health Professionals

What is it? 

Rosa may occasionally send personalized marketing emails to health professionals to share updates on relevant product launches, offers and updates from Rosa. 

What personal data does Rosa process?

Rosa uses the following personal data in relation to that health professional:

  • First name and last name;
  • Email address; 
  • Medical specialty;
  • Spoken language;
  • Practice information (e.g. location, group type,...); and
  • Product activity.

For which purpose and on what legal basis?

Purposes: To send marketing communications.

Legal Bases: Legitimate interest (art. 6.1(f) GDPR).

Who has access to the marketing emails?

The content of marketing emails is accessible to the health professional involved and Rosa. The content of the marketing emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data Processors.  

How can a health professional exercise their rights in relation to this data processing? 

If you receive marketing emails from us, you can opt out at any time by clicking the “unsubscribe” link at the bottom of the email. Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep that information? 

After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures.

Patient Account Management

What is it? 

Individuals may create a patient account on Rosa to access certain Services (for instance, to book an appointment with a health professional, access a patient portal, join a teleconsultation or receive an attestation) and update their contact details.

What personal data does Rosa process?

When creating an account for an individual, Rosa may collect or generate the following personal data in relation to that individual:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Spoken language; 
  • Date of birth;
  • Account status and restrictions;
  • History of Rosa events (e.g. booking, teleconsultation, attestation,...); and
  • History of non-Rosa events (conditional to software integrations). 

Where the individual creating the account is not the patient, Rosa may also collect the following personal data in relation to the patient:

  • First name and last name; and
  • Date of birth.

About whom?

Patient account management information contains personal data about all individuals who have made a booking on Rosa and, where relevant, about patients for whom an appointment is made by a user. 

For which purpose and on what legal basis?

Purposes: To manage the Patient account and allow patients to access the relevant health-related services from health professionals.

Legal Bases: Performance of a contract (art. 6.1(b) GDPR). Where the history of events may involve health data, the legal basis under Art. 9 GDPR is the provision of health care (Art. 9.2, (h) GDPR).

Who has access to the patient account management information?

Patient account management information is accessible to the individual creating the account, the health professional with whom they have booked an appointment, and/or Rosa. 

More specifically, the data provided to the health professional includes the following: 

  • In the case where a patient makes an appointment for themselves: first name, last name and date of birth. This data is minimal and strictly necessary for the correct identification of the person making the appointment, in order to avoid administrative errors. 
  • In the case where a patient makes an appointment for a third party: first name and last name. This data is also limited to what is strictly necessary for the correct identification of the person making the appointment, in order to avoid administrative errors.  

How can a patient exercise their rights in relation to their patient account management information? 

Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf. 

How long does Rosa keep the patient account management information?

After the Agreement between Rosa and the patient ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures. Rosa will delete the patient account 5 years after the patient has last interacted with Rosa.

Strong Authentication and Identification of patients

What is it? 

To increase the platform security and trust, Rosa requires patients to strongly authenticate to verify their identity when creating an account and when authenticating to their account.

What personal data does Rosa process? 

The patient authentication and identification data may contain the following personal data of a patient:

  • First name and last name
  • Date of birth
  • National registry number (SSIN/BIS)
  • The language preference of the user's interface
  • The existence of a mandate assigned to the user

For which purpose and on what legal basis?

Purposes: To enable strong authentication of patients in accordance with Rosa’s service agreement. This authentication enhances trust and security and reduces the risk of erroneous or fraudulent identification.

Legal Bases: The legal basis for this processing is the necessity for the performance of a contract (Art. 6.1, (b) GDPR).

Who has access to the patient identification data? 

The identification data is received and stored on the patient’s device and cannot be accessed directly by anyone. The patient’s first name, last name and birthdate are transferred to Rosa, stored in the Patient Account and accessible to Rosa staff and the health professionals with whom the patient interacts through Rosa, and their organizations.

How can a patient exercise their rights in relation to this data processing? 

Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. When the data is incorrect, patients can exercise their rights with the relevant State authority.

How long does Rosa keep that information? 

The authentication and identification data is received and stored temporarily on the user’s device and is deleted at the end of the session. Session duration varies by platform. 

Rosa will further store the data strictly necessary for the Patient Account management on its servers, see the section “Patient Account Management”:

  • First name
  • Last name
  • Date of birth

Financial Transparency and Insurance Information

What is it? 

Rosa offers patients the option to view insurance-related data such as a more accurate prediction of mandatory health insurance coverage. It will also allow patients to link their Patient Account with their health insurance fund account, thereby enhancing their understanding of supplementary coverage and promoting greater financial transparency.

What personal data does Rosa process?

When creating this functionality/feature for patients, Rosa may collect or generate the following personal data in relation to that individual:

  • Health insurer;
  • Status of compulsory insurance;
  • Increased reimbursement status;
  • Medical house membership; 
  • Global medical file;
  • Third-party payment obligation;
  • Maximum invoice ceiling reached. 

About whom?

Financial transparency and insurance information contains personal data about all individuals who have chosen to make use of this functionality/feature. 

For which purpose and on what legal basis?

Purposes

To provide patients with transparent financial information regarding their insurance-related data.

Legal Bases

Explicit consent (i.e. the patient’s consent to make use of this functionality) (art. 6.1(a) GDPR and art. 9.2 (a) GDPR). If consent is withdrawn, access to this functionality/feature is disabled.

Who has access to the financial transparency and insurance information?

The information is only accessible to the authenticated patient through their own device. Access is locally secured using encryption mechanisms such as device PINs or biometric authentication. No third parties or Rosa staff can access this data unless explicitly shared by the user. 

How can a patient exercise their rights in relation to financial transparency and insurance information? 

Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the financial transparency and insurance information? 

Rosa does not store this data on its servers. 

Marketing Emails Sent to patients

What is it? 

Rosa may occasionally send marketing emails to patients to share updates on relevant product launches, offers and updates from Rosa. 

What personal data does Rosa process?

Rosa uses the following personal data in relation to that patient:

  • First name and last name;
  • Email address; and
  • Product activity.

For which purpose and on what legal basis? 

Purposes

To send marketing communications.

Legal Bases

Legitimate interest (art. 6.1(f) GDPR)

Who has access to the notification emails?

The content of marketing emails is accessible to the patient involved and Rosa. The content of the marketing emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data Processors.  

How can a patient exercise their rights in relation to this data processing? 

If you receive marketing emails from us, you can opt out at any time by clicking the “unsubscribe” link at the bottom of the email. Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep that information? 

After the Agreement between Rosa and the patient ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures. Rosa will delete the patient account 5 years after the patient has last interacted with Rosa.

Personal Data Collected When Anyone Visits Our Website

What is it? 

Each time someone visits Rosa’s website (without using Rosa’s services), Rosa may process your personal data, including using cookies and/or other tracking technologies. 

Rosa may use social media services such as Facebook, Instagram, LinkedIn and Twitter. If you use these services, you should review their privacy policy for more information on how they deal with your personal data.

Visitors can also contact us spontaneously (for instance via our ‘Contact Us’ online form). 

What personal data does Rosa process?

When you visit our website or a (hospital) registry powered by Rosa, we may process the following usage and connection data relating to your use of our website, including 

  • technical data which may include personal data, such as your IP address, OS and browser version;
  • your preferences (e.g. language preferences);
  • data about your usage of Rosa’s website (as a health professional or as a patient) (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).

When you get in touch with us via our website (including via email), we may collect the following data:

  • First name and last name, 
  • Email address,
  • Reason why you contact us, 
  • Content of your message, as well as 
  • Technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application(s). 

To find out more about how Rosa collects personal data on its website and applications, and how to manage your cookie preferences, please read the page Data Processors as well as our Cookie Policy.

About whom?

This information is collected about visitors to our website.

For which purpose and on what legal basis?

Purposes

  1. To operate Rosa’s website and enable visitors to use their features;
  2. To check if cookies can be placed;
  3. To improve Rosa’s services, ensure the security of Rosa’s website and enhance the visitor’s experience on Rosa’s website;

Legal Bases

Legitimate interest of Rosa (art. 6.1 (f) GDPR).

Purposes

  1. For statistical and analytical purposes; and
  2. To respond to questions or feedback voluntarily provided

Legal Bases

Consent (art. 6.1 (a) GDPR).

Who has access to that information?

That information might be accessed by Rosa and its data processors, as described on the Data Processors page and in our Cookie Policy.

How can a visitor to our website exercise their rights? 

Visitors can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep the website visitor’s information? 

This depends on the type of information collected. Data received via the ‘Contact Us’ form is kept 12 months from the date the last correspondence was sent or received by Rosa. For technical data, please read our Cookie Policy and Data Processors page for more information.

Personal Data Collected When Anyone Uses Our Applications

What is it? 

Each time someone downloads and uses Rosa’s mobile application, creates an account with Rosa, books an appointment or otherwise uses Rosa’s services, Rosa may process your personal data, including using cookies and/or other tracking technologies. 

What personal data does Rosa process?

When you use our applications, we may process the following data: 

  • Usage and connection data relating to your use of our applications or services, including 
    • technical data which may include personal data, such as your IP address, OS and browser version;
    • your preferences (e.g. language preferences);
    • data about your usage of Rosa’s application(s) (as a health professional or as a patient) (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).
  • User (patient or health professional) account data.

When you get in touch with us via our applications (including via email), we may collect the following data:

  • First name and last name, 
  • Email address,
  • Reason why you contact us, 
  • Content of your message, as well as 
  • Technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application(s). 

To find out more about how Rosa collects personal data on its applications, and how to manage your cookie preferences, please read the page Data Processors as well as our Cookie Policy.

About whom?

This information is collected about users of our application(s).

For which purpose and on what legal basis?

Purposes

  1. To operate Rosa’s applications and enable users to use their features;
  2. To check if cookies can be placed;
  3. To improve Rosa’s services, ensure the security of Rosa’s website and applications and enhance the user’s experience on Rosa’s applications;

Legal Bases

Necessity for the performance of a contract (Art. 6.1, (b) GDPR).

Purposes

  1. For statistical and analytical purposes; and
  2. To respond to questions or feedback voluntarily provided

Legal Bases

Consent (art. 6.1 (a) GDPR).

Who has access to that information?

That information might be accessed by Rosa and its data processors, as described on the Data Processors page and in our Cookie Policy.

If you download Rosa’s mobile application from an app store (such as Apple’s App Store or Google Play store), your data might be collected and processed by that online mobile app store for their own purposes. For more information, we encourage you to read their Privacy Policy. 

How can a user of our applications exercise their rights? 

Users can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep the application users’ information? 

This depends on the type of information collected. Data received via the ‘Contact Us’ form is kept for 10 years following termination of their agreement with Rosa. For technical data (including those collected via cookies or similar technologies), please read our Cookie Policy and Data Processors page for more information.

Personal data of research participants

What is it? 

Rosa conducts research and collects feedback in order to improve its existing products and services and create new ones. For instance, Rosa might collect feedback from (potential) customers or other individuals.

What personal data does Rosa process?

Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data, as explained by Rosa at the time of collection. Whenever possible, Rosa will collect pseudonymized or anonymized data. 

About whom?

This information is collected about any research participant. 

For which purpose and on what legal basis?

Purposes

  1. To improve Rosa’s products and/or services (including analytics and security purposes); or
  2. As otherwise explained by Rosa at the time of collection.

Legal Basis

Legitimate interest (art. 6.1 (f) GDPR)

Who has access to that information?

That information is only accessed by Rosa, or as otherwise explained by Rosa at the time of collection. If you participate in interviews via a video conferencing tool, your name and email address may also be collected by the tool’s provider as part of its service.

How can an individual exercise their rights in relation to this data processing? 

Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep the individual’s information in relation to this data processing? 

Rosa keeps the data for 5 years from the time of collection, unless otherwise explained by Rosa at the time of collection.

Personal Data of Prospective Staff

What is it?

This section refers to all the personal data that Rosa collects and processes as part of considering an individual for a role or position at Rosa.

What information does Rosa process?

Rosa may collect and process the following personal data in relation to prospective staff:

  • Personal contact details, including name, postal address, email address, and phone number;
  • Date of birth and gender;
  • Employment and education history and qualifications;
  • Details relating to the right to work in Belgium (where applicable);
  • Any other information provided to Rosa (as part of a curriculum vitae, letter of support, reference checks, during an interview or otherwise) or that Rosa receives from a referee.

About whom?

This personal data is about prospective staff (such as prospective employees, contractors, volunteers or students). 

For which purpose and on what legal basis?

Purposes

  1. To process an application for a position at Rosa;
  2. To assess a candidate’s suitability for a specific role or position and to decide whether to hire that candidate;
  3. To communicate with candidates about their application and the application process;
  4. To check that the candidate is legally entitled to work in Belgium;
  5. To audit the performance and fairness of its recruitment process; and
  6. To communicate with candidates about future opportunities.

Legal Bases

  1. Performance of a contract (i.e. the contract Rosa will enter into with the candidate as a staff member) (art. 6.1(b) GDPR);
  2. Where the personal data processed includes special categories of personal data, such as information on racial or ethnic origin, or data concerning a disability, the processing either relates to personal data which is made public by the candidate (art. 9.2 (e) GDPR) or is necessary for the assessment of the working capacity of the candidate (art. 9.2 (h) GDPR); and
  3. If the applicant is unsuccessful, Rosa may keep a copy of the application data with the applicant’s consent (art. 6.1 (a) GDPR).

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can prospective staff exercise their rights in relation to this data processing?

Prospective staff can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep that information? 

If the applicant is successful, Rosa will keep that information for 5 years after termination of the employment agreement with Rosa. If the applicant is not successful, Rosa will keep that information until completion of the recruitment process and a further 3 years if the applicant gives their consent. 

Personal Data of Individuals Rosa Deals With in the Course of Running Our Business (Including Potential New Customers, Partners, Collaborators, and/or Vendors)

What is it?

This section refers to the personal data that Rosa collects and processes as part of running its business, including when prospecting for, or communicating with, potential new customers, partners, collaborators, and/or vendors.

What information does Rosa process?

Rosa may collect and process the following personal data: 

  • Personal contact details, including first name and last name, postal address, email address, and phone number;
  • Occupation or job title;
  • Any other information sent or disclosed to Rosa, including Rosa’s records of any communications or interactions with you.

About whom?

This personal data is about any individual Rosa deals with in the course of running its business, including potential new customers, partners, collaborators, and/or vendors. 

For which purpose and on what legal basis?

Purposes

  1. To communicate with individuals in the course of running Rosa’s business;
  2. To identify and assess potential new customers, partners, collaborators, and/or vendors and to decide whether to further collaborate with them;
  3. For statistical and analytical purposes.

Legal Bases

Legitimate interest of Rosa (art. 6.1 (f) GDPR).

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can those individuals exercise their rights in relation to this data processing? 

You can exercise your rights by contacting Rosa’s DPO at gdpr@rosa.be.  

How long does Rosa keep that information? 

Correspondence for prospection, sales and support and commercial agreements, including negotiation documents and relevant correspondence, are kept permanently.

Personal Data of research participants

What is it?

Rosa conducts research and collects feedback in order to improve its existing products and services and create new ones. For instance, Rosa might collect feedback from (potential) customers or other individuals.

What personal data does Rosa process?

Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data, as explained by Rosa at the time of collection. Whenever possible, Rosa will collect pseudonymized or anonymized data. 

About whom?

This information is collected about any research participant.

Who has access to that information?

That information is only accessed by Rosa, or as otherwise explained by Rosa at the time of collection.

How can an individual exercise their rights in relation to this data processing?

Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the individual’s information in relation to this data processing?

Rosa keeps the data for 3 months from the time of collection, unless otherwise explained by Rosa at the time of collection.

Purposes

  1. To improve Rosa’s products and/or services (including analytics and security purposes); or
  2. As otherwise explained by Rosa at the time of collection.

Legal bases

  1. Legitimate interest (art. 6.1 (f) GDPR)
  2. Where the conditions to rely on legitimate interest are not met, Rosa relies on consent (art. 6.1 (a) GDPR)

Your Rights Regarding Personal Data Processed by Rosa

All individuals have the right to:

  • know if Rosa processes personal data about them, what categories of personal data are being processed and for what purpose;
  • request the rectification of inaccurate personal data about them;
  • request the erasure of personal data about them, or oppose the further processing of personal data about them, for a legitimate reason;
  • object at any time to the use of their personal data for marketing purposes;
  • for certain personal data and in certain circumstances, obtain a copy of the personal data about them in a structured and interoperable format.

To exercise these rights, the individuals should contact the following person(s):

  • The relevant health professional, if the request concerns personal data that Rosa processes on behalf of that health professional;
  • Rosa (at gdpr@rosa.be) if the request concerns personal data that Rosa processes for its own needs. 

Please refer to each category of data processing to know who to contact to exercise your rights. 

The Belgian Data Protection Authority is the regulatory agency in charge of data protection in Belgium. It is competent to handle individual complaints about the processing of personal data. More information about data protection regulations and how to file a complaint can be found on their website.

Recipients and Data Processors

Rosa relies on services provided by other companies to perform its activities. In that context, Rosa may share personal data with service providers, including hosting and other information technology service providers, email communication software providers, customer relationship management services, web analytics services, etc. These companies may be considered as “data processors” under the applicable privacy laws. 

You can find more information about these companies on the page Data Processors.  

In addition, Rosa may have to share your personal data with a limited number of third parties if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a judicial or regulatory request, (ii) protect and defend our rights or property, or (iii) prevent fraud and address security risks.

Cross-border transfers: In order to provide its services, Rosa may use service providers located outside the European Economic Area. If the transfer takes place to a third country which has not been recognized as offering an adequate level of protection for personal data by the Commission, Rosa ensures that the necessary measures are put in place in accordance with Articles 46 and 49 of the GDPR, and in particular, where necessary, that (i) the recipient is covered by a suitable framework recognized by the Commission as providing an adequate level of protection for personal data, including the EU-US Data Privacy Framework; or (ii) that the European Union standard contractual clauses or equivalent ad hoc clauses are incorporated into the contract concluded between Rosa and those service providers.

Security Measures

Rosa must implement appropriate security measures to protect the personal data it processes against unauthorized access, modification, or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures. 

Rosa must evaluate these security measures regularly and adapt them if required, to take into account the evolutions of the risks, the technology, and the costs associated with these measures. 

You can find more information about the security measures currently in place on the page Technical and Organizational Security Measures.  

Retention Period

Rosa does not retain your personal data longer than strictly necessary for the purposes for which the personal data was collected or otherwise processed, or for the execution of a contract or for fulfilling a legal obligation, always in accordance with applicable laws and as set out in this privacy policy (for more details, please refer to each category of processing activity). 

In all cases, Rosa may retain your personal data for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and if there is no other legitimate reason to retain that personal data.

Changes to the Privacy Policy

This is version 3.0 of our privacy policy and it is current as of 9 June 2025. We keep this privacy policy under regular review to ensure it is current and we may change this privacy policy over time to reflect the changes in our services and data processing activities. If we do so, we will post the updated privacy policy on this webpage. Please refer back to this privacy policy to review any amendments as any revised privacy policy will apply to all personal data we process. 

Changes that we have made since the previous version (v 2.7): we have updated this Policy to include new personal data processed on behalf of health professionals: strong authentication and identification of patients, prescriptions and using teleconsultations. We have also clarified the data processing activities relating to strong authentication and identification of health professionals and patients, financial transparency and insurance information, marketing emails sent to health professionals or patients, and distinguished the usage data from visitors and users. Finally, we have simplified the legal bases of the data processing activities that Rosa controls and clarified the retention policies.