Rosa Privacy Policy
Version 3.2 (6 July 2026)
Available in Dutch, English and French. The English PDF version of this Privacy Policy shall prevail in case of conflicts between the different versions.
At a glance
A quick summary before you read on.
What Rosa does with your data in plain terms
-
Rosa processes your personal data to help you book and manage health appointments, connect with your health professional, and access health-related services.
-
When your health professional uses Rosa's tools, your health professional is responsible for your data. If you have questions about that data, contact your health professional directly.
-
When Rosa uses your data for its own purposes (e.g. running its platform, communicating with you, improving its products) Rosa is responsible. If you have questions about that data, contact our Data Protection Officer at gdpr@rosa.be.
-
Rosa does not sell your data or use it for advertising.
-
You have the right to access, correct, or delete your data at any time. See Section 10 for how.
1. About this policy
“Rosa” is Rosa ASBL, a non-profit organization established at Cantersteen 12, 1000 Brussels, Belgium, with enterprise number 0745.832.604.
Rosa is committed to protecting your personal data and complies with the applicable data protection laws in force in Belgium, including the General Data Protection Regulation, 2016/679 (hereinafter “GDPR”).
This policy explains why and how Rosa processes your personal data. It applies to all individuals Rosa interacts with, including: patients (including parents or representatives acting on behalf of a patient); health professionals; visitors to our website and users of our applications; research participants; job applicants; and professional and organisational contacts (such as partners, vendors and collaborators).
If you have an agreement with Rosa as a health professional or as a patient with a Patient account, this Privacy Policy forms part of that agreement. In this Privacy Policy, the term “Services” has the meaning given to it in the Terms of Service that apply to you, as a health professional or visitor/user.
A note on the word "patient"
In this policy, unless the context requires otherwise, "patient" refers both to the “user”, ie - individual who uses Rosa (for example to make an appointment, join a teleconsultation, or receive an attestation) and to the “patient”, ie - the individual for whom the services are used. In most cases the user and the patient are the same person. In some cases, however, a user acts on behalf of a patient; for example, a parent making an appointment for their child. In that situation, the parent is the user and the child is the patient.
Age requirement
You must be over the age of 13 to use Rosa, unless you are authorised to do so by applicable law or, where required, with the authorisation of your legal representatives. If you are under 13, only an adult with parental authority may use Rosa on your behalf. If you use Rosa for a minor, you confirm that the minor has been given information about the processing of their personal data, appropriate to their level of maturity.
2. Our commitments
Rosa wants to strengthen health relationships
Rosa helps health professionals and their patients to exchange information in a confidential, secure and trusted environment. We have no other ambitions, and we do not use personal data for other purposes.
You are in control
Rosa has the ambition to give its users control over their information. Over time, we will add functionalities to our applications to let you access more information and decide what to do with it, with whom you want to share it, etc.
We tell you everything
This document describes everything Rosa does with the personal data it processes as part of its activities. There are no hidden uses.
3. Two roles Rosa plays and why it matters
When your health professional or healthcare organization is in charge.
For some activities (such as managing your patient record, sending you appointment reminders, or processing billing information), Rosa acts as a tool under your health professional's instructions. In those cases, the health professional (or, where applicable, the hospital, medical centre or other organisation they work for) is the “data controller”. They decide why and how your data is used, and Rosa processes it strictly on their behalf, as a “data processor”.
Unless the context requires otherwise, "health professional" in this policy refers to the health professional working solo, and/or the group practice, centre, hospital or organisation (such as mutualities or other software vendors) that has entered into an agreement, including a data processing agreement, with Rosa and their health professionals using Rosa.
When Rosa is in charge.
For other activities (such as managing your Patient account, publishing your Rosa Profile, sending you marketing communications, or improving Rosa's platform), Rosa acts as the “data controller”. Rosa determines why and how your data is used, and takes full responsibility for that processing.
The sections below describe all of Rosa's data processing activities in detail, organised by the audience they apply to. Each section indicates which role Rosa is playing.
4. If you are a patient
This section covers everything Rosa does with your data when you use Rosa as a patient or on behalf of a patient.
4.1 Data Rosa processes to support your health professional
Personal data that Rosa processes as a data processor on behalf, and under the instructions, of health professionals. The following activities are carried out by Rosa as a data processor, acting on behalf of and under the instructions of your health professional. Your health professional is the data controller for this data.
Purpose and legal basis
Rosa processes personal data solely on behalf of, and under the instructions of, the relevant health professional, for the purpose of delivering health services to their patients. The legal basis for this processing is determined by the data controller (i.e. the health professional), in line with their specific context and obligations under applicable data protection laws.
Who has access?
The data is sensitive data that is only accessible to the relevant health professional and, where the health professional is part of a group practice or is acting as a member of a hospital, the data may also be accessible to the health professionals of their group practice or hospital for care continuity, their staff for health administration, and/or Rosa staff for technical support requests from the health professional.
In addition, the data is occasionally accessible to patients themselves (e.g. through confirmation emails or patient portals), or their mandataries.
How to exercise your rights?
Patients can exercise their rights by contacting the relevant health professional. Health professionals can exercise their rights by contacting the relevant Rosa account owner.
Retention
Rosa retains the information only as long as necessary to comply with the instructions of the relevant health professional. After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures.
Patient records
What is it?
Each time an event (e.g. an appointment, a teleconsultation, an attestation,...) at a specific health professional is created for a new patient, Rosa creates a “patient record” in relation to that patient for the benefit of the relevant health professional.
What data is involved?
Patient records may contain the following personal data of a patient:
- Contact details: First name, last name, phone numbers; e-mail addresses; postal addresses;
- Identity: date of birth; national registry number (SSIN/BIS); gender;
- Contact details of the person(s) of contact and first name and last name of family members;
- History of Rosa events (e.g. booking, teleconsultation, attestation,...);
- History of non-Rosa events (conditional to partner software integrations);
- Account status and restrictions; and
- Any other information about the patient or the person of contact that the health professional might have referred to in a note.
Where the Rosa Services are used on behalf of the patient, by an individual (referred to as a “user”) who is not the patient, patient records may also contain the following personal data of a user:
- First name, last name, date of birth, phone number; and e-mail address.
Strong Authentication and/or Identification of patients
What is it?
Some health professionals require patients to strongly authenticate and/or identify themselves for a given event (e.g. booking an appointment, accessing a patient portal, generating an attestation, joining a teleconsultation,...).
What data is involved?
Strong authentication and/or identification of patients may contain the following personal data of a patient:
- First name and last name
- Date of birth
- National registry number (SSIN/BIS)
- The language preference of the user's interface
- The existence of a mandate assigned to the user
- An identification number or similar reference provided by the relevant health professional for the purpose of confirming the patient’s eligibility for specific services.
Additional purpose and legal basis
Law of August 8, 1983, organizing a National Register of Natural Persons ("RN Law"). Healthcare institutions may be granted access to National Register data and the National Registry Number based on Article 5, §1, 2° of the RN Law, Article 8§3 of the RN Law, and Deliberation RN n°21/2009, for the purpose of managing the patient's medical record.
Based on Article 5, §1, 3° of the RN Law, healthcare institutions that have received this authorization (or are exempt from it) may engage a processor to carry out the aforementioned data processing activities.
As a result, Rosa may also receive the National Registry Number as a processor, acting on behalf of and under the instructions of healthcare institutions for the purpose of managing the patient's medical record and the sub-purpose of patient identification and authentication.
Additional information
National registry numbers (SSIN/BIS) are only stored temporarily on the user’s device and are deleted at the end of the session. Session duration varies by platform. When the data is incorrect, patients can exercise their rights with the relevant State authority.
Appointment Information
What is it?
Each time an appointment is booked or accessed through Rosa, Rosa collects and processes some information about that booking.
What data is involved?
For each appointment, Rosa may process the following personal data:
- First name and last name of the patient;
- First name and last name of the health professional;
- Contact details of the patient;
- Contact details of the health professional;
- Specialty and expertises of the health professional;
- Date and place of the appointment;
- Motive and/or visit reason for the appointment (as defined by the relevant health professional or resource);
- The status of the appointment and, when canceled, who canceled and when;
- Answers to medical questions (e.g. through a form);
- A note left by the patient at the time they completed their booking;
- A note added by the health professional.
Prescriptions information
What is it?
Some health professionals or resources (e.g. imagery exams) require a prescription to schedule an appointment.
What data is involved?
Rosa processes personal data related to prescriptions when a patient books an appointment online where the health professional requires the upload of a valid prescription.
Appointment confirmation and reminder messages
What is it?
Each time a patient books, modifies or cancels an appointment through Rosa, Rosa will send a confirmation email to that patient. Based on the health professional’s notification parameters, Rosa might also send to the patient (i) a confirmation email / SMS when a health professional makes, modifies or cancels a booking with that patient; and/or (ii) a reminder email(s) / SMS prior to the appointment. If the patient uses the Rosa mobile app and has consented to receiving push notifications, Rosa may also send push notifications for any appointment confirmation, cancellation, reminder or modification.
What data is involved?
Rosa may process the following personal data:
- First name, email address and mobile phone number of the patient;
- First name and last name and contact details of the health professional (or the contact details of the medical practice);
- Details of the appointment (which may include motive, date, time, and place of the appointment, as well as specific instructions from the relevant health professional); and
- Details of the notification (which may include delivery status and details).
Additional information
The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. Data related to push notifications may be processed by our mobile app distribution platforms. You can find more information about Rosa’s service providers on the page Data Processors.
Use of Rosa eBilling by a Health Professional
What is it?
Health professionals have the option to use Rosa to (i) consult information about the insurability (and derived rights) of a patient in order to carry out an invoice or to deliver products or services; (ii) generate an electronic attestation or an electronic invoice; and (iii) encode payment methods and track payments.
These features are referred to as ‘Rosa eBilling’.
What data is involved?
When a health professional uses Rosa eBilling, they need to log in to their Rosa account and they need to authenticate with their eHealth certificate. Rosa may therefore process the health professional account management data and data from the eHealth certificate.
The health professional shall process patient data, including relevant appointment information, patient record information, payment information (whether the payment has been made or not and the payment method), and patient data made available to them by, or on behalf of, the NIHII (INAMI/RIZIV) (such as, for example, the nomenclature of health services performed by the health professional for that patient).
Additional information
Rosa eBilling information is only accessible to the relevant health professional, the patient involved and their Mutuality, the inter-mutuality (CIN-NIC) and social security services.
Rosa Teleconsultation
What is it?
Some health professionals offer remote consultations via secure video calls.
What data is involved?
Rosa processes personal data related to teleconsultations:
- First name and last name of the patient;
- First name and last name of the health professional;
- Contact details of the patient;
- Contact details of the health professional;
- Date of the appointment;
- The status of the teleconsultation (e.g. if the patient is in the virtual waiting room);
- Answers to medical questions (e.g. through a form);
- Any relevant document exchanged on the platform; and
- Chat messages exchanged during the teleconsultation.
Additional information
Secure video calls are facilitated through Rosa’s video streaming service provider. Specifically, Rosa uses the services of Whereby (Norway) for this purpose. More information about how Whereby processes your personal data and how you can exercise Your personal data protection rights is available in Whereby’s Privacy Policy. Additional details about Rosa’s service providers can be found on Rosa’s Data Processors page.
Invoice management
What is it?
Health professionals have the option to use Rosa to simplify health administration for their patients, including by allowing patients to access and understand their invoices more easily.
What data is involved?
Rosa may process personal data of the patients related to their invoice:
- First and last name of the patient;
- Phone numbers; e-mail addresses; and postal addresses;
- Invoice number and amount;
- Details of medical services provided with associated nomencodes; and
- Date, time, and place of the appointment.
4.2 Data Rosa processes to support and improve your experience
Personal data that Rosa processes for its own needs, as a data controller - The following activities are carried out by Rosa as a data controller to support you and enable us to improve your experience with our Services.
Patient Account Management
What is it?
Individuals may create a patient account on Rosa to access certain Services (for instance, to book an appointment with a health professional, access a patient portal, join a teleconsultation or receive an attestation) and update their contact details.
What data is involved?
When creating an account for an individual, Rosa may collect or generate the following personal data in relation to that individual:
- First name and last name;
- Mobile phone number;
- Email address;
- Spoken language;
- Date of birth;
- Account status and restrictions;
- History of Rosa events (e.g. booking, teleconsultation, attestation,...); and
- History of non-Rosa events (conditional to software integrations).
Where the individual creating the account is not the patient, Rosa may also collect the following personal data in relation to the patient:
- First name and last name; and
- Date of birth.
For which purpose and on what legal basis?
Purpose: To manage the Patient account and allow patients to access the relevant health-related services from health professionals.
Legal basis: Performance of a contract (art. 6.1(b) GDPR).
Who has access to the patient account management information?
Patient account management information is accessible to the individual creating the account, the health professional with whom they have booked an appointment, and/or Rosa.
More specifically, the data provided to the health professional includes the following:
- In the case where a patient makes an appointment for themselves: first name, last name and date of birth. This data is minimal and strictly necessary for the correct identification of the person making the appointment, in order to avoid administrative errors.
- In the case where a patient makes an appointment for a third party: first name and last name. This data is also limited to what is strictly necessary for the correct identification of the person making the appointment, in order to avoid administrative errors.
How to exercise your rights?
Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf.
Retention
After the Agreement between Rosa and the patient ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures. Rosa will delete the patient account 5 years after the patient has last interacted with Rosa.
Strong Authentication and Identification of patients
What is it?
To increase the platform security and trust, Rosa requires patients to strongly authenticate to verify their identity when creating an account and when authenticating to their account.
What data is involved?
The patient authentication and identification data may contain the following personal data of a patient:
- First name and last name
- Date of birth
- National registry number (SSIN/BIS)
- The language preference of the user's interface
- The existence of a mandate assigned to the user
For which purpose and on what legal basis?
Purpose: To enable strong authentication of patients in accordance with Rosa’s service agreement. This authentication enhances trust and security and reduces the risk of erroneous or fraudulent identification.
Legal basis: performance of a contract (Art. 6.1, (b) GDPR).
Who has access to the patient identification data?
The identification data is received and stored on the patient’s device and cannot be accessed directly by anyone. The patient’s first name, last name and birthdate is transferred to Rosa, stored in the Patient Account and is accessible to Rosa staff and the health professionals with whom the patient interacts through Rosa, and their organizations.
How to exercise your rights?
Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. When the data is incorrect, patients can exercise their rights with the relevant State authority.
Retention
The authentication and identification data is received and stored temporarily on the user’s device and is deleted at the end of the session. Session duration varies by platform. Rosa will further store the data strictly necessary for the Patient Account management (first name, last name, date of birth) on its servers, see the section “Patient Account Management” above.
Financial Transparency and Insurance Information
What is it?
Rosa offers patients the option to view insurance-related data such as a more accurate prediction of mandatory health insurance coverage. It will also allow patients to link their Patient Account with their health insurance fund account, thereby enhancing their understanding of supplementary coverage and promoting greater financial transparency.
What data is involved?
When creating this functionality/feature for patients, Rosa may collect or generate the following personal data in relation to that individual:
- Health insurer;
- Status of compulsory insurance;
- Increased reimbursement status;
- Medical house membership;
- Global medical file;
- Third-party payment obligation;
- Maximum invoice ceiling reached.
For which purpose and on what legal basis?
Purpose:To provide patient transparent financial information regarding their insurance-related data.
Legal basis: Explicit consent (i.e. the patient’s consent to make use of this functionality) (art. 6.1(a) GDPR and art. 9.2 (a) GDPR). If consent is withdrawn, access to this functionality/feature is disabled.
Who has access to the financial transparency and insurance information?
The information is only accessible to the authenticated patient through their own device. Access is locally secured using encryption mechanisms such as device PINs or biometric authentication. No third parties or Rosa staff can access this data unless explicitly shared by the user.
How to exercise your rights?
Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
Rosa does not store this data on its servers.
Marketing Emails Sent to patients
What is it?
Rosa may occasionally send marketing emails to patients to share updates on relevant product launches, offers and updates from Rosa.
What data is involved?
Rosa use following personal data in relation to that patient:
- First name and last name;
- Email address; and
- Use of Rosa.
For which purpose and on what legal basis?
Purpose: To send marketing communications.
Legal basis: Legitimate interest (art. 6.1(f) GDPR).
Who has access to the marketing emails information?
The content of marketing emails is accessible to the patient involved and Rosa. The content of the marketing emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data Processors.
How to exercise your rights?
If you receive marketing emails from us, you can opt out at any time by clicking the “unsubscribe” link at the bottom of the email. Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
After the Agreement between Rosa and the patient ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures. Rosa will delete the patient account (and associated data) 5 years after the patient has last interacted with Rosa.
History of appointments
What is it?
Individuals may authorize Rosa to keep a record of the history of their past appointments.
What data is involved?
Data related to Rosa past events. This data typically includes: name of the patient, appointment dates, times, motives, details of the health professional consulted, appointment status (completed/cancelled/no-show).
For which purpose and on what legal basis?
Purpose: To allow patients to view the appointment history, including to facilitating rebooking and continuity of care.
Legal basis: Explicit consent (art. 6.1(a) and art 9.2(a) GDPR).
Who has access to the history of appointments?
History of appointments data is accessible to the individual creating the account.
How to exercise your rights?
Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf.
Retention
Rosa retains the history of appointments for as long as the patient's consent remains valid (maximum 10 years). After that period, Rosa will either request renewed consent or delete the data. Rosa will delete the data sooner if the patient does not interact with Rosa for 5 years, or within 30 days after the Agreement between Rosa and the patient ends, whichever occurs first.
Research, analytics and platform safety
See Sections 6 and 7 below.
5. If you are a health professional
This section covers everything Rosa does with your data when you use Rosa as a health professional. The following activities are carried out by Rosa as a data controller to support you and enable us to improve your experience with our Services.
Health Professionals Account Management
What is it?
When a health professional wishes to use Rosa, they need to create an account. They will need to connect to their account to access Rosa’s various Services or to get technical support from Rosa. Rosa may also temporarily log in to a health professional’s account to provide support and assistance with technical issues.
What data is involved?
When a health professional creates an account or wishes to get Rosa’s support in relation to their account, Rosa may collect, access, use or generate the following personal data in relation to that health professional:
- First name and last name;
- Mobile phone number;
- Email address;
- Password created by the user to set up their account;
- Postal address;
- Spoken language;
- INAMI/RIZIV or VISUM number and associated profession;
- Health visa validity;
- Enterprise/VAT number;
- Electronic payment details;
- Payment history; and
- Any other information from, or related to, a health professional’s account or that the health professional may share with, or send to Rosa for support purposes.
For which purpose and on what legal basis?
Purposes: To fulfill its obligations under the contract between Rosa and the health professional; To process payments, including invoices (for Rosa's own services and, where applicable, on behalf of third-party providers whose products you choose to integrate with or access through Rosa); and To offer support to, and communicate with, the health professional.
Legal basis: Performance of a contract (art. 6.1(b) GDPR)
Who has access to the user and account management information?
Customer account management information is only accessible to the relevant customer and/or Rosa. Where Rosa invoices a fee on behalf of a third-party provider, limited payment and account data may also be shared with that provider for the purpose of confirming and reconciling payment. Rosa uses the services of Mollie B.V. (Mollie), a regulated payment service provider located in The Netherlands, to manage online payments. Payments methods available include Bancontact. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.
How to exercise your rights?
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.
Retention
Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional. To protect against litigation or comply with its legal obligations, Rosa might keep some data for up to 10 years after the end of the agreement.
Strong Authentication and Identification of Health Professionals
What is it?
To increase the trust and security of its platform, Rosa requires health professionals to strongly authenticate and identify themselves when creating an account.
What personal data does Rosa process?
Strong authentication and identification of health professionals may contain the following personal data of a health professional:
- First name and last name;
- National registry number (NISS/BIS);
- NIHII (INAMI/RIZIV) or VISUM number and associated profession;
- Health visa validity.
For which purpose and on what legal basis?
Purpose: To enable strong authentication of Health Professionals in accordance with Rosa’s service agreement. This authentication enhances trust and security and reduces the risk of erroneous or fraudulent identification.
Legal basis: Performance of a contract (Art. 6.1, (b) GDPR).
Who has access to the strong authentication and identification of health professionals?
Strong authentication and identification data of health professionals is only accessible to Rosa.
How to exercise your rights?
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
The authentication and identification data is received and stored temporarily on the user’s device and is deleted at the end of the session. Session duration varies by platform.
Rosa will further store the data strictly necessary for the health professional account management on its servers, see the section “Health professionals account management”:
- First name and last name
- NIHII (INAMI/RIZIV) or VISUM number and associated profession
- Health visa validity
Health Professional Public Profile Information (‘Rosa Profile’)
What is it?
Rosa offers health professionals using its online calendar and/or booking application the possibility to publish some information about themselves and the services they offer.
What personal data does Rosa process?
When a health professional chooses to create, fill in and publish their Rosa Profile, Rosa may process the following personal data about that health professional:
- Photo;
- First and last name;
- INAMI/RIZIV number;
- Gender;
- Spoken language;
- Speciality and expertises;
- Professional address(es);
- Contact details;
- Education and background;
- Availabilities for appointments;
- Health costs such as contracted status, accepted payment methods and fees; and
- Any other personal information that the health professional wishes to publicly share on their profile.
For which purpose and on what legal basis?
Purpose: Online communication of health professionals’ details to the public and allowing current or new patients to book appointments with those health professionals.
Legal basis: Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).
Who has access to your Rosa Profile?
Once activated, Rosa Profile is accessible to anyone online and may appear in search engine results. To increase health professionals’ online visibility and facilitate online booking appointments, Rosa may (i) unless you object, reproduce, display and publish all or part of the information from your Rosa Profile on other websites or applications that it operates or controls (including under different brands), and/or (ii) communicate limited information from a Rosa Profile (e.g. the URL of your Rosa Profile page) to its partners (e.g. online medical registries) to allow them to create a referral link from their platform or website to your Rosa Profile page on Rosa. For the sake of clarity, Rosa will always ensure that its partners guarantee that they already have information about you in compliance with applicable laws, including GDPR, and Rosa will only allow them to create a referral link to your existing Rosa Profile (not to create a new profile on their platform without your consent).
How to exercise your rights?
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Health professionals working for a hospital that has entered into an agreement with Rosa shall contact their hospital to exercise their right in relation to their hospital-related Rosa Profile.
Retention
Upon termination of the agreement between the health professional and Rosa, Rosa will remove your Rosa Profile from its website and/or applications. Rosa will delete your Rosa Profile within 30 days from the end of the agreement between Rosa and the health professional.
Notification Emails Sent to Health Professionals
What is it?
Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.
What personal data does Rosa process?
When a notification email is sent, Rosa processes the following personal data:
- First name and last name of the patient and whether it is a new patient;
- Contact details of the patient;
- Email address of the health professional; and
- Date, time, motive and place of the appointment.
For which purpose and on what legal basis?
Purpose: To fulfill its obligations under the contract between Rosa and the health professional.
Legal basis: Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).
Who has access to the notification emails?
The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data Processors.
How to exercise your rights?
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures.
Marketing Emails Sent to Health Professionals
What is it?
Rosa may occasionally send personalized marketing emails to health professionals to share updates on relevant product launches, offers and updates from Rosa.
What personal data does Rosa process?
Rosa use following personal data in relation to that health professional:
- First name and last name;
- Email address;
- Medical specialty;
- Spoken language;
- Practice information (e.g. location, group type,...); and
- Product activity.
For which purpose and on what legal basis?
Purpose: To send marketing communications.
Legal basis: Legitimate interest (art. 6.1(f) GDPR).
Who has access to the marketing emails?
The content of marketing emails is accessible to the health professional involved and Rosa. The content of the marketing emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data Processors.
How to exercise your rights?
If you receive marketing emails from us, you can opt out at any time by clicking the “unsubscribe” link at the bottom of the email. Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
After the Agreement between Rosa and the health professional ends, Rosa will retain the information for a maximum of 30 days, solely to allow for proper data deletion procedures.
Research, analytics and platform safety
See Sections 6 and 7 below.
6. If you are a visitor or a user of our website or application
This section covers everything Rosa does with your data when you visit or use our website(s) or web/mobile application(s). The following activities are carried out by Rosa as a data controller to support you and enable us to improve your experience with our Services.
Personal data processed when anyone visits our website
What is it?
Each time someone visits Rosa’s website (without using Rosa’s services), Rosa may process your personal data, including using cookies and/or other tracking technologies.
Rosa may use social media services such as Facebook, Instagram, LinkedIn and Twitter. If you use these services, you should review their privacy policy for more information on how they deal with your personal data.
Visitors can also contact us spontaneously (for instance via our ‘Contact Us’ online form).
What personal data does Rosa process?
When you visit our website or a (hospital) registry powered by Rosa, we may process the following usage and connection data relating to your use of our website, including
- technical data which may include personal data, such as your IP address, OS and browser version;
- your preferences (e.g. language preferences);
- data about your usage of Rosa’s website (as a health professional or as a patient) (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).
When you get in touch with us via our website (including via email), we may collect the following data:
- First name and last name,
- Email address,
- Reason why you contact us,
- Content of your message, as well as
- Technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application(s).
To find out more about how Rosa collects personal data on its website and applications, and how to manage your cookie preferences, please read the page Data Processors as well as our Cookie Policy.
For which purpose and on what legal basis?
Purposes: To operate Rosa’s website and enable visitors to use their features; To check if cookies can be placed; To improve Rosa’s services, ensure the security of Rosa’s website and enhance the visitor’s experience on Rosa’s website.
Legal basis: Legitimate interest of Rosa (art. 6.1 (f) GDPR).
Purposes: For statistical and analytical purposes; and To respond to questions or feedback voluntarily provided.
Legal basis: Consent (art. 6.1 (a) GDPR).
Who has access to that information?
That information might be accessed by Rosa and its data processors, as described on the Data Processors page and in our Cookie Policy.
How to exercise your rights?
Visitors can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
This depends on the type of information collected. Data received via the ‘Contact Us’ form is kept 12 months from the date the last correspondence was sent or received by Rosa. For technical data, please read our Cookie Policy and Data Processors page for more information.
Personal data processed when anyone uses our applications
What is it?
Each time someone downloads and uses Rosa’s mobile application, creates an account with Rosa, books an appointment or otherwise uses Rosa’s services, Rosa may process your personal data, including using cookies and/or other tracking technologies.
What personal data does Rosa process?
When you use our applications, we may process the following data:
- Usage and connection data relating to your use of our applications or services, including
- technical data which may include personal data, such as your IP address, OS and browser version;
- your preferences (e.g. language preferences);
- data about your usage of Rosa’s application(s) (as a health professional or as a patient) (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).
- User (patient or health professional) account data.
When you get in touch with us via our applications (including via email), we may collect the following data:
- First name and last name,
- Email address,
- Reason why you contact us,
- Content of your message, as well as
- Technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application(s).
To find out more about how Rosa collects personal data on its applications, and how to manage your cookie preferences, please read the page Data Processors as well as our Cookie Policy.
For which purpose and on what legal basis?
Purposes: To operate Rosa’s applications and enable users to use their features; To check if cookies can be placed; To improve Rosa’s services, ensure the security of Rosa’s website and applications and enhance the user’s experience on Rosa’s applications.
Legal basis: Performance of a contract (Art. 6.1, (b) GDPR).
Purposes: For statistical and analytical purposes; and To respond to questions or feedback voluntarily provided.
Legal basis: Consent (art. 6.1 (a) GDPR).
Who has access to that information?
That information might be accessed by Rosa and its data processors, as described on the Data Processors page and in our Cookie Policy.
If you download Rosa’s mobile application from an app store (such as Apple’s App Store or Google Play store), your data might be collected and processed by that online mobile app store for their own purposes. For more information, we encourage you to read their Privacy Policy.
How to exercise your rights?
Users can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
This depends on the type of information collected. Data received via the ‘Contact Us’ form is kept for 10 years following termination of their agreement with Rosa. For technical data (including those collected via cookies or similar technologies), please read our Cookie Policy and Data Processors page for more information.
Personal data processed for platform safety
What is it?
To ensure compliance with our applicable Terms or applicable laws or regulatory obligations, to protect the security, integrity or availability of the Services, and to prevent harm to Rosa, its users, patients or third parties, Rosa may review account activity, content and usage data and, where reasonably necessary given the nature, severity and recurrence of an issue, take one or more measures as further described in the Terms of Service for Health Professionals and in the Terms of Services for Visitors and Users. These may include removing content, suspending access to the Services, terminating an account, or notifying and reporting the matter to relevant parties or authorities.
What personal data does Rosa process?
- Account information (e.g. name, contact details, account status);
- Content or communications relevant to the issue under review;
- Usage data relevant to the issue under review;
- A record of any measure taken and the reason for it.
For which purpose and on what legal basis?
Purposes: To ensure compliance with applicable Terms or applicable laws or regulatory obligations; to protect the security, integrity or availability of the Services; and to prevent harm to Rosa, its users, patients or third parties.
Legal basis: Legitimate interest (art. 6.1 (f) GDPR).
Who has access to that information?
This data is only accessible to Rosa and, where applicable, to the parties or authorities notified as part of a measure (see Section 11 below).
How to exercise your rights?
Users can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
Rosa keeps the data relevant to a safety matter, and the record of any measure taken, for as long as necessary to act on and document the matter, and as required to comply with applicable legal obligations.
7. If you are a research participant
This section covers everything Rosa does with your data when you provide feedback to Rosa or participate in a survey or research program with Rosa. The following activities are carried out by Rosa as a data controller to enable us to improve our Services.
Personal data of research participants
What is it?
Rosa conducts research and collects feedback in order to improve its existing product and services and create new ones. For instance, Rosa might collect feedback from (potential) customers or other individuals.
What personal data does Rosa process?
Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data, as explained by Rosa at the time of collection. Whenever possible, Rosa will collect pseudonymized or anonymized data.
For which purpose and on what legal basis?
Purposes:To improve Rosa’s products and/or services (including analytics and security purposes); or As otherwise explained by Rosa at the time of collection.
Legal basis: Legitimate interest of Rosa (art. 6.1 (f) GDPR)
Who has access to that information?
That information is only accessed by Rosa, or as otherwise explained by Rosa at the time of collection. If you participate in interviews via a video conferencing tool, your name and email address may also be collected by the tool’s provider as part of its service.
How to exercise your rights?
Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
Rosa keeps the data for 5 years from the time of collection, unless otherwise explained by Rosa at the time of collection.
8. If you are a job applicant or prospective staff
This section covers everything Rosa does with your data when you apply for a position at Rosa or when Rosa is considering you for a role. The following activities are carried out by Rosa as a data controller to enable us to manage our recruitment process.
Personal Data of Prospective Staff
What is it?
This section refers to all the personal data that Rosa collects and processes as part of considering an individual (such as prospective employees, contractors, volunteers or students) for a role or position at Rosa.
What information does Rosa process?
Rosa may collect and process the following personal data in relation to a prospective staff:
- Personal contact details, including name, postal address, email address, and phone number;
- Date of birth and gender;
- Employment and education history and qualifications;
- Details relating to the right to work in Belgium (where applicable);
- Any other information provided to Rosa (as part of a curriculum vitae, letter of support, reference checks, during an interview or otherwise) or that Rosa receives from a referee.
For which purpose and on what legal basis?
Purposes: To process an application for a position at Rosa; To assess a candidate’s suitability for a specific role or position and to decide whether to hire that candidate; To communicate with candidates about their application and the application process; To check that the candidate is legally entitled to work in Belgium; To audit the performance and fairness of its recruitment process; To communicate with candidates about future opportunities.
Legal basis: Performance of a contract (i.e. - the contract Rosa will enter into with the candidate as a staff member) (art. 6.1(b) GDPR). Where the personal data processed includes special categories of personal data, such as information on racial or ethnic origin, or data concerning a disability, the processing either relates to personal data which is made public by the candidate (art. 9.2 (e) GDPR) or is necessary for the assessment of the working capacity of the candidate (art. 9.2 (h) GDPR). If the applicant is unsuccessful, Rosa may keep a copy of the application data with the applicant consent (art. 6.1 (a) GDPR).
With whom does Rosa share that personal data?
Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.
How to exercise your rights?
Prospective staff can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
If the applicant is successful, Rosa will keep that information for 5 years after termination of the employment agreement with Rosa. If the applicant is not successful, Rosa will keep that information until completion of the recruitment process and a further 3 years if the applicant gives their consent.
9. If you are a professional or organizational contact
This section covers everything Rosa does with your data when you interact with Rosa as a customer, partner, collaborator, vendor, or other professional stakeholder, including when Rosa contacts you to share information about its activities or services. The following activities are carried out by Rosa as a data controller to develop and manage its relationships, including prospecting and communicating.
Personal Data of Professional and Organizational Contacts
What is it?
This section refers to the personal data that Rosa collects and processes as part of running its activities, including when prospecting for, or communicating with, existing or potential customers, partners, collaborators, vendors, competitors, public authorities, and other relevant stakeholders.
What information does Rosa process?
Rosa may collect and process the following personal data:
- Personal contact details, including first name and last name, postal address, email address, and phone number;
- Occupation or job title;
- Any other information sent or disclosed to Rosa, including Rosa’s records of any communications or interactions with you.
About whom?
This personal data is about any individual acting in a professional or organizational capacity, including staff, representatives, and contact persons of existing or potential customers, partners, collaborators, vendors, competitors, public authorities, and other relevant stakeholders.
For which purpose and on what legal basis?
Purposes: To communicate with relevant individuals in the course of running Rosa’s activities; To identify and assess potential new customers, partners, collaborators, vendors and other relevant parties, and to decide whether to further develop a relationship with them; For statistical and analytical purposes.
Legal basis: Legitimate interest of Rosa (art. 6.1 (f) GDPR).
Purposes: To manage the contractual relationship with the relevant organization (where applicable).
Legal basis: Performance of a contract (i.e. - the contract Rosa enters into with the relevant organization) (art. 6.1(b) GDPR).
Purposes: To comply with applicable legal and regulatory obligations.
Legal basis: Compliance with a legal obligation (art. 6.1 (c) GDPR).
With whom does Rosa share that personal data?
Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.
How to exercise your rights?
You can exercise your rights by contacting Rosa’s DPO at gdpr@rosa.be.
Retention
Correspondence for prospection, sales and support and commercial agreements, including negotiation documents and relevant correspondence, are kept permanently.
10. Your Rights Regarding Personal Data Processed by Rosa
All individuals have the right to:
- know if Rosa processes personal data about them, what categories of personal data are being processed and for what purpose;
- request the rectification of inaccurate personal data about them;
- request the erasure of personal data about them, or oppose the further processing of personal data about them, for a legitimate reason;
- object at any time to the use of their personal data for marketing purposes;
- for certain personal data and in certain circumstances, obtain a copy of the personal data about them in a structured and interoperable format.
To exercise these rights, the individuals should contact the following person(s):
- The relevant health professional, if the request concerns personal data that Rosa processes on behalf of that health professional;
- Rosa (at gdpr@rosa.be) if the request concerns personal data that Rosa processes for its own purposes.
Please refer to each section of this Policy to confirm who to contact to exercise your rights.
The Belgian Data Protection Authority is the regulatory agency in charge of data protection in Belgium. It is competent to handle individual complaints about the processing of personal data. More information about data protection regulations and how to file a complaint can be found on their website.
11. How we share and transfer data
Service providers
Rosa relies on services provided by other companies to perform its activities. In that context, Rosa may share personal data with service providers, including hosting and other information technology service providers, email communication software providers, customer relationship management services, web analytics services, etc. These companies may be considered as “data processors” under the applicable privacy laws.
You can find more information about these companies on the page Data Processors.
Legal disclosure and safety
In addition, Rosa may have to share your personal data with limited third-parties if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a judicial or regulatory request or court order, (ii) protect and defend our rights or property, or (iii) prevent fraud and address security risks; (iv) comply with applicable laws and protect the safety and integrity of the Services.
Where Rosa suspects unlawful or abusive activity on its platform, it may report such activity to the relevant authorities or regulatory bodies. Rosa may also notify affected users of abusive or fraudulent behaviours where it considers this appropriate to protect their safety or the integrity of the Services. Where Rosa is required to disclose personal data to authorities pursuant to a court order or by operation of law, it will do so in accordance with applicable legal requirements.
International transfers
In order to provide its services, Rosa may use service providers located outside the European Economic Area. If the transfer takes place to a third country which has not been recognized as offering an adequate level of protection for personal data by the Commission, Rosa ensures that the necessary measures are put in place in accordance with Articles 46 and 49 of the GDPR, and in particular, where necessary, that (i) the recipient is covered by a suitable framework recognized by the Commission as providing an adequate level of protection for personal data, including the EU-US Data Privacy Framework; or (ii) that the European Union standard contractual clauses or equivalent ad hoc clauses are incorporated into the contract concluded between Rosa and those service providers.
12. Security Measures
Rosa must implement appropriate security measures to protect the personal data it processes against unauthorized access, modification, or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.
Rosa must evaluate these security measures regularly and adapt them if required, to take into account the evolutions of the risks, the technology, and the costs associated with these measures.
You can find more information about the security measures currently in place on the page Technical and Organizational Security Measures.
13. Retention Period
Rosa does not retain your personal data longer than strictly necessary for the purposes for which the personal data was collected or otherwise processed, or for the execution of a contract or for fulfilling a legal obligation, always in accordance with applicable laws and as set out in this privacy policy. For details of the retention period applicable to each processing activity, please refer to the relevant section above.
In all cases, Rosa may retain your personal data for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and if there is no other legitimate reason to retain it.
14. Changes to the Privacy Policy
This is version 3.2 of our privacy policy and it is current as of 6 July 2026. We keep this privacy policy under regular review to ensure it is current and we may change this privacy policy over time to reflect the changes in our services and data processing activities. If we do so, we will post the updated privacy policy on this webpage. Please refer back to this privacy policy to review any amendments as any revised privacy policy will apply to all personal data we process.
Changes that we have made since the previous version (v 3.1): this Policy has been updated to (i) reorganise its content by the categories of individuals to whom it applies, (ii) include the processing of appointment history data based on consent, (iii) clarify processing activities related to invoicing, and (iv) explain the processing activities that Rosa may undertake in cases of suspected abuse or misuse of its services.