Ruma Care

Privacy Policy

Last Updated: June 1, 2026

1. Introduction

Welcome to Ruma, Inc. (“Ruma Care”). We are committed to protecting the privacy and security of the information we collect, use, and otherwise process. This Privacy Policy describes our practices in connection with information collected through our prior authorization automation platform and related services (collectively, the “Service”), as well as through our marketing website.

This Policy explains what information we collect, how we use and share it, and your rights with respect to it, including our obligations under the Health Insurance Portability and Accountability Act (“HIPAA”) and the California Consumer Privacy Act (“CCPA”), where applicable.

By accessing or using our Service, you agree to the practices described in this Privacy Policy. Your use of the Service is also subject to our Terms of Service and, where applicable, any Business Associate Agreement (“BAA”) executed between Ruma Care and your organization.

2. Scope and Who This Policy Applies To

This Privacy Policy applies to three groups of individuals:

• Healthcare Provider Customers (“Customers”): Clinics, physician practices, and other healthcare organizations that contract with Ruma Care to use our platform. When we process Protected Health Information (“PHI”) on behalf of a Customer, we do so as a Business Associate under HIPAA, and our handling of that PHI is governed by the applicable BAA, this Policy, and applicable law. The Customer is responsible for obtaining any patient authorizations required under applicable law.

• Authorized Platform Users: Employees, contractors, and staff of our Customers who are authorized to access and use the Service on behalf of their organization.

• Website Visitors: Individuals who visit our marketing website or otherwise communicate with us outside of the platform context.

This Policy does not apply to our employees or job applicants, who are covered by separate notices.

3. Information We Collect

Protected Health Information (PHI): Our Customers submit patient information to our platform to facilitate prior authorization submissions and related workflows. This may include patient names, dates of birth, diagnoses, medications, treatment histories, insurance information, clinical documentation, and other health-related information as defined by HIPAA. This data is provided and controlled by our Customers and is processed by Ruma Care solely as a Business Associate in accordance with the applicable BAA.

Authorized User Information: Names, email addresses, phone numbers, job titles, and login credentials for individuals authorized by our Customers to access the platform.

Account and Contact Information: If you create an account or contact us directly, we may collect your name, email address, organization name, phone number, and other information you provide.

Communications: Information you provide when you contact us with questions, feedback, support requests, or other inquiries.

Usage and Log Data: We collect information about how you interact with our platform and website. This may include IP addresses, browser and device types, operating systems, access times, pages and features accessed, referring URLs, and error logs.

Cookies and Similar Technologies: We use cookies and similar tracking technologies on our marketing website to understand visitor behavior and improve the website experience. Platform users may also encounter session cookies necessary for authentication and security. See Section 10 for more detail.

Clinical and Administrative Data: Data submitted by Customers or their authorized users for processing through our prior authorization workflows, including clinical notes, Letters of Medical Necessity (LMNs), payer correspondence, and authorization records.

Platform-Generated Outputs: Documents and other outputs generated by our platform in connection with PA submissions, including AI-assisted draft LMNs and appeal letters. Where these outputs relate to an identifiable patient, they may constitute PHI and are handled accordingly.

4. How We Use Your Information

• Process and manage prior authorization submissions on behalf of our Customers

• Generate AI-assisted clinical documentation, including LMNs and appeal letters, as directed by Customers

• Facilitate payer routing, submission tracking, and denial management workflows

• Create and manage authorized user accounts

• Provide customer support and respond to inquiries

• Send service-related communications, including updates, maintenance notices, and security alerts

• Analyze usage patterns to understand how the platform is used and identify opportunities for improvement

• Develop new features, workflows, and products

5. HIPAA and Protected Health Information

Ruma Care operates as a Business Associate under HIPAA when processing PHI on behalf of our healthcare provider Customers. In that capacity:

• We use and disclose PHI only as permitted or required by the applicable BAA and HIPAA.

• We do not use PHI for our own purposes beyond what is permitted under the BAA and applicable law.

• We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic PHI.

• In the event of a breach of unsecured PHI, we will notify the applicable Customer in accordance with the HIPAA Breach Notification Rule and the terms of the applicable BAA.

If you are a patient whose PHI is processed through our platform, your rights with respect to that PHI — including the right to access, amend, and restrict the use of your information — are governed by your healthcare provider’s Notice of Privacy Practices. Please contact your healthcare provider directly to exercise those rights.

6. How We Share Your Information

We do not sell your personal information or PHI. We may share information in the following circumstances:

• With Customers: We share PHI and platform outputs with the Customer that submitted or controls the data, as directed by them and in accordance with our BAA.

• With Service Providers: We share information with third-party vendors who perform services on our behalf, such as cloud infrastructure, data storage, security monitoring, and customer support. These vendors are contractually required to protect the information and use it only for the purposes for which it was disclosed. Vendors who handle PHI must sign a BAA with us.

• With Payers and Healthcare Entities: As part of our core service, we submit prior authorization requests and related clinical documentation to health insurance payers, pharmacy benefit managers, and other entities involved in the authorization process, as directed by our Customers.

• For Legal Compliance: We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Ruma Care, our customers, or the public.

• In Connection with a Business Transaction: In the event of a merger, acquisition, financing, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected parties of any material change in how information is handled.

• With Your Consent: We may share your information with third parties when we have your explicit consent, or the consent of the relevant Customer in the case of PHI.

7. Data Security

We implement a comprehensive set of administrative, technical, and physical safeguards to protect the information we process, including PHI. Our security program includes:

• Encryption of data at rest and in transit using industry-standard protocols

• Role-based access controls and multi-factor authentication

• Regular security assessments, vulnerability scanning, and penetration testing

• Employee security awareness training and background screening

• Incident response and breach notification procedures

• SOC 2 compliance program

While we take extensive measures to protect your information, no security system is completely impenetrable. We cannot guarantee the absolute security of information transmitted to or stored on our platform. In the event of a security incident involving PHI, we will respond in accordance with our incident response procedures, our BAA obligations, and applicable law.

8. Data Retention

We retain personal information and PHI for as long as necessary to fulfill the purposes for which it was collected, including to satisfy our legal, regulatory, contractual, and audit obligations. PHI is retained in accordance with the terms of the applicable BAA and our Customer’s instructions, and in compliance with HIPAA’s record retention requirements.

When information is no longer needed, we securely delete or de-identify it in accordance with our data retention policy and applicable law. Authorized users may request deletion of their account information by contacting us at the address below.

9. Your Privacy Rights

If you are a California resident, you have the following rights with respect to personal information that is not PHI governed by HIPAA:

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which we use it, and the categories of third parties with whom we share it.

• Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.

• Right to Correct: You have the right to request correction of inaccurate personal information we hold about you.

• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes.

• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your California privacy rights, please contact us at the address in Section 14. We will verify your identity before responding to your request and will respond within the timeframes required by applicable law.

Depending on where you are located, you may have additional rights under applicable law, including rights of access, correction, deletion, restriction, portability, and objection. Please contact us to learn more about your rights and how to exercise them.

10. Cookies and Tracking Technologies

Our marketing website uses cookies and similar technologies to understand how visitors interact with our site, improve the website experience, and for basic analytics. We do not use third-party advertising cookies or engage in cross-site behavioral tracking.

You can control cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of our website.

Our platform uses session cookies that are necessary for authentication and secure access. These cookies cannot be disabled without impairing your ability to use the platform.

11. Children’s Privacy

Our Service is designed for use by healthcare professionals and organizations. We do not knowingly collect personal information directly from individuals under the age of 13. PHI relating to minor patients may be processed through our platform as directed by our healthcare provider Customers, who are responsible for obtaining any necessary parental consents and authorizations under applicable law.

If you believe we have inadvertently collected personal information from a child under 13 without appropriate authorization, please contact us at the address below and we will take steps to delete it.

12. Third-Party Links and Services

Our website or platform may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those third-party sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

Our platform integrates with electronic health record (EHR) systems, payer portals, and other healthcare technology systems as directed by our Customers. The privacy practices of those systems are governed by their own policies and applicable agreements.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of our Service. When we make material changes, we will update the “Last Updated” date at the top of this Policy and provide notice through the platform or by email to Customers.

We encourage you to review this Policy periodically. Your continued use of our Service after the effective date of an updated Policy constitutes your acceptance of the changes.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us at:

Ruma Care

San Francisco, California

Email: team@rumacare.com

For requests relating to PHI controlled by one of our healthcare provider Customers, please contact your healthcare provider directly.

We help clinics get patients on biologics faster