Privacy Policy

Rocklane, LLC ("Rocklane", "we", "us", "our") provides healthcare growth infrastructure, AI marketing systems, intake automation, attribution, reputation tooling, and revenue intelligence exclusively to healthcare operators and their authorized representatives.

References to "Services" mean our website, marketing pages, calculators, content, client portal, admin platform, dashboards, APIs, integrations, email and SMS workflows, and any related professional services delivered under a signed agreement.

References to "Personal Information" mean information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person, as defined by applicable law.

References to "Protected Health Information" or "PHI" mean information governed by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations adopted under it.

This policy applies to website visitors, prospective clients, contacts of clients, authorized users of the client portal and admin platform, third-party partners and vendors who interact with us, and other individuals who communicate with Rocklane.

It does not apply to information processed on behalf of a client under a Business Associate Agreement or Data Processing Agreement. In those engagements, the client is the controller of the data and Rocklane acts as a service provider, processor, or business associate as defined by the applicable framework.

We collect information you provide directly to us, information we receive automatically when you use the Services, and limited information from third parties such as identity providers, analytics partners, and integration partners.

• Identity and contact information you submit through forms, calls, or messages, such as name, business email, phone number, company name, role, location, and stated bottleneck.
• Business diagnostics and operational context you share with us during scoping, audits, calculators, and engagements.
• Account credentials and authentication identifiers, including Sign in with Apple, Sign in with Google, and password-based credentials.
• Communications you exchange with us, including email content, chat messages, recorded discovery calls when you consent, support tickets, and notes our team adds for context.
• Device, browser, and usage data automatically collected through our website, dashboards, and email infrastructure, such as IP address, user agent, referring page, pages viewed, time on page, click events, and email engagement.
• Cookie identifiers and similar technologies described in the Cookies and tracking section below.
• Information from third-party services you authorize us to access, such as Google Analytics, Google Search Console, ad platforms, CRM systems, scheduling tools, and call tracking providers, used solely to deliver the contracted services.
• For client engagements, operational and patient-related data only as scoped in the Statement of Work, with PHI processed exclusively under a signed Business Associate Agreement.

We process information for a limited and clearly defined set of business purposes.

• Provide, operate, and improve the Services and the client portal experience.
• Respond to inquiries, scope engagements, prepare proposals, and deliver contracted work.
• Authenticate users, secure sessions, and protect against unauthorized access, fraud, and abuse.
• Generate aggregate and de-identified analytics about how the Services are used.
• Send transactional emails such as account, security, billing, and service-delivery notifications.
• Send infrequent product or insight communications to prospects and clients who have requested them, with a one-click unsubscribe link in every such message.
• Meet legal, regulatory, audit, accounting, tax, and contractual obligations, including healthcare compliance obligations.
• Defend, exercise, or establish legal claims and enforce our agreements.

Where the General Data Protection Regulation, United Kingdom General Data Protection Regulation, or similar laws apply, we rely on the following legal bases.

• Performance of a contract when we deliver Services you or your organization have requested.
• Compliance with a legal obligation when applicable law requires us to retain or disclose information.
• Our legitimate interests in operating, securing, and growing the business, balanced against your interests and rights.
• Your consent where required, including for certain cookies and certain marketing communications. You can withdraw consent at any time without affecting prior processing.

When an engagement involves PHI, we operate as a Business Associate under a written Business Associate Agreement ("BAA") with the covered entity. The BAA governs permitted uses and disclosures, safeguards, breach notification, subcontractor flow-down, audit rights, and termination.

We do not request or accept PHI through public website forms, the contact form, or the strategy-call form. If PHI is submitted unintentionally, we will work in good faith to remove it from our systems and confirm deletion to the sender.

Within client engagements, PHI is processed only for the purposes defined in the BAA and the related Statement of Work. We apply the minimum-necessary standard, role-based access controls, encryption in transit and at rest, audit logging, and documented administrative and physical safeguards.

We use a small set of cookies and similar technologies to operate the Services, remember preferences, secure sessions, and understand aggregate usage.

• Strictly necessary cookies that enable login, session security, load balancing, and core site functionality. These cannot be disabled in our systems.
• Functional cookies that remember preferences such as cookie-consent state and accessibility settings.
• Analytics cookies used to measure aggregate site usage. These are set only after consent in jurisdictions that require it.
• Marketing cookies used by trusted advertising platforms when you have consented. These are set only after consent in jurisdictions that require it.

Our marketing site honors Global Privacy Control ("GPC") signals where required by applicable law by treating the signal as an opt-out of the sale or sharing of Personal Information for cross-context behavioral advertising. We do not currently respond to Do Not Track browser signals because there is no consistent industry standard for handling them.

We engage carefully selected third parties to host the Services, send transactional email, process payments, run analytics, and provide AI capabilities under appropriate contractual safeguards. Categories include cloud hosting, database and authentication, transactional email delivery, payment processing, analytics, AI and large-language-model inference, customer support tooling, and call tracking.

We require contractual commitments from each provider that limit them to documented instructions, require appropriate security, and prohibit unauthorized use. We maintain a current subprocessor list available to clients under their agreement.

We do not sell Personal Information and we do not share Personal Information with advertising networks or data brokers in a way that constitutes a sale or share under United States state privacy laws.

We retain Personal Information for as long as needed for the purposes described in this policy, to satisfy our contractual and legal obligations, to resolve disputes, and to enforce our agreements.

• Marketing-form submissions are retained for up to 24 months from the last point of contact, unless deleted earlier on request.
• Account and authentication records are retained while the account is active and for a period after closure for security, audit, and legal-defense purposes.
• Client operational data and PHI are retained for the duration of the engagement and the period required by the BAA, the Statement of Work, and applicable law.
• Backups are retained on a rolling schedule and are overwritten in the ordinary course of business.

Rocklane is headquartered in the United States and our infrastructure operates primarily in the United States. If you access the Services from outside the United States, you understand that your information may be transferred to, stored in, and processed in the United States and in other jurisdictions where our service providers operate.

Where required, we rely on appropriate transfer mechanisms such as the European Commission Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, and equivalent frameworks adopted by relevant authorities.

We use administrative, technical, and physical safeguards that are aligned with healthcare industry expectations and the HIPAA Security Rule.

• Encryption in transit using current TLS for all production traffic, and encryption at rest for production databases and storage.
• Role-based access controls, multi-factor authentication for staff and admin users, and the principle of least privilege.
• Detailed audit logging for sensitive actions in the admin platform and client portal.
• Continuous monitoring, vulnerability scanning, and regular review of access and configurations.
• Documented backup, disaster recovery, and incident response procedures.

If we determine that a Breach of Unsecured Protected Health Information has occurred under HIPAA, we will notify the affected covered entity in accordance with the BAA and applicable law.

If we determine that a personal data breach has occurred under other applicable laws, we will notify affected individuals, regulators, and contractual counterparties as required by those laws.

Depending on where you reside, you may have rights with respect to your Personal Information, including the right to know, access, correct, delete, port, restrict, or object to processing, and the right to opt out of the sale or sharing of Personal Information.

To exercise a right, contact privacy@rocklanehealth.com and clearly describe the right you want to exercise. We will verify your identity before responding and we will respond within the timeframes required by applicable law.

If you are submitting a request on behalf of a household or as an authorized agent, additional verification may be required.

You have the right to appeal a refusal of your request. To submit an appeal, reply to our decision email with the word "appeal" in the subject line.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you specific rights. We do not sell or share Personal Information as those terms are defined under the CCPA. We do not knowingly process the sensitive personal information of minors under 16 for sale or sharing.

California residents may request a notice of the categories of Personal Information collected, the categories of sources, the business or commercial purposes, and the categories of third parties with whom Personal Information was disclosed for a business purpose in the prior twelve months. To request this notice, contact privacy@rocklanehealth.com.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described above and the additional right to lodge a complaint with your local data protection authority. We will cooperate with any inquiry from a supervisory authority.

Every commercial email we send includes a clearly visible unsubscribe link. Clicking the link adds your email to our suppression list and removes you from future marketing sends. Transactional and account messages such as security notices, contract documents, billing communications, and service-delivery messages may continue because they are required to operate the Services.

We use AI and machine-learning tools to draft content, score leads, summarize transcripts, generate recommendations, and accelerate analysis. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without meaningful human review.

Where AI features process client data, prompts and outputs are scoped to the engagement, are not used to train public models without explicit permission, and are governed by the same access controls described in the Security section.

The Services are not directed to children under 16 and we do not knowingly collect Personal Information from children. If you believe a child has provided us with Personal Information, contact privacy@rocklanehealth.com and we will take steps to delete it.

When you choose Sign in with Apple, Apple shares a stable user identifier with us and, depending on your selection, your name and an email address. We use this information solely to create and authenticate your Rocklane account, secure your session, and contact you about the service.

We do not sell or share Sign in with Apple data with advertising networks or data brokers and we do not use it to build advertising profiles. Apple's handling of your Apple ID is governed by the Apple Privacy Policy.

If you elect to hide your email, Apple provides a unique private relay address in the form of a random alias at privaterelay.appleid.com. We treat that relay address as your primary contact email and send all account, security, and service communications through it. We never attempt to unmask, reverse, or correlate the relay address with your real Apple ID email.

To keep delivery working, our sending domains remain registered with Apple's Private Email Relay service so messages can be forwarded to you. If you disable email forwarding in your Apple ID settings or stop using Sign in with Apple for this account, we may lose the ability to reach you and your account access may be affected. You can request deletion of the relay address and associated account data at any time by contacting privacy@rocklanehealth.com.

You can revoke Rocklane's access to Sign in with Apple at any time from your Apple ID settings under Sign in with Apple. Revoking access will sign you out and may prevent future logins through Apple. To also delete the underlying account and associated personal data held by Rocklane, contact privacy@rocklanehealth.com so we can complete the deletion in line with our retention obligations.

Our Services may link to third-party websites, integrations, and services we do not control. We are not responsible for the privacy practices or content of those properties. We encourage you to review the privacy policies of any third-party site before sharing information with it.

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes we will update the effective date at the top of this page and, when appropriate, notify you by email or through the Services. Your continued use of the Services after an update means you accept the updated policy.

Questions, requests, complaints, and privacy inquiries can be sent to privacy@rocklanehealth.com. You can also reach our team through the contact form on the Rocklane website. We will route privacy and security requests to the appropriate internal owner promptly.