Privacy Policy

Revenue Optimization & Intelligence (“ROI,” “we,” “us,” or “our”) operates the platform available at www.roithatworks.com (the “Platform”). This Privacy Policy describes how we collect, use, store, and protect information when you access or use our Platform. By using the Platform, you agree to the practices described in this policy.

1. Information We Collect

We collect information you provide directly, information generated through your use of the Platform, and information from third-party services you authorize.

Account and Registration Information. When you create an account, you provide your name, email address, organization name, and payment details. We store this information to manage your subscription and communicate with you.

Usage and Platform Data. We collect information about how you interact with the Platform, including pages visited, features accessed, queries submitted, and actions taken (such as claims processed through the EDI Lab or denial codes entered into the CARC lookup tools). This data is used to improve the Platform and support your account.

Consulting Session Information. If you engage private consulting services, communications and session notes may be retained to deliver those services. You should not share Protected Health Information (PHI) during consulting sessions except as specifically agreed under a signed Business Associate Agreement (BAA). See Section 6 for more detail.

Technical and Log Data. Our servers automatically collect IP addresses, browser type, device information, timestamps, and referring URLs when you access the Platform. This information is used for security, performance monitoring, and aggregate analytics.

Payment Information. Payments are processed by Stripe. We do not store your full credit card numbers on our servers. Stripe’s privacy practices are governed by the Stripe Privacy Policy.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Platform and its features
• Process payments and manage your subscription
• Communicate with you about your account, updates, and service notices
• Deliver consulting services you have purchased
• Analyze usage patterns to improve content, tools, and user experience
• Detect, investigate, and prevent fraudulent transactions and abuse
• Comply with legal obligations

We do not sell your personal information to third parties.

3. Information Sharing

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

• Service Providers. We work with third-party vendors who assist us in operating the Platform, including hosting (Oracle Cloud Infrastructure), payment processing (Stripe), and analytics services. These vendors are contractually bound to protect your information and use it only for the purposes we specify.
• Legal Requirements. We may disclose information when required by law, court order, or governmental authority, or when necessary to protect our rights, your safety, or the safety of others.
• Business Transfers. In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred to the successor entity. We will provide notice before your information becomes subject to a materially different privacy policy.

4. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to maintain session state, remember your preferences, and analyze traffic patterns. Specifically, we use:

• Essential cookies required for authentication and session management
• Functional cookies that remember your settings and preferences
• Analytics cookies that help us understand how visitors use the Platform (aggregated, non-identifying data)

You may configure your browser to refuse cookies or alert you when cookies are being set. Disabling essential cookies may impair your ability to use certain features of the Platform.

5. Data Security

We implement reasonable technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction. Our Platform is hosted on Oracle Cloud Infrastructure, which operates under Oracle’s HIPAA-compliant cloud environment pursuant to a signed Business Associate Agreement.

Specific safeguards include:

• TLS/SSL encryption for all data transmitted to and from the Platform
• Access controls limiting who can access production systems
• Regular security reviews and risk assessments

No method of electronic transmission or storage is 100% secure. While we work to protect your information, we cannot guarantee its absolute security. If you believe your account has been compromised, contact us immediately at hello@roithatworks.com.

6. Protected Health Information (PHI) and HIPAA

Revenue Optimization & Intelligence provides revenue cycle management tools intended for use by healthcare organizations and RCM professionals. Depending on how you use the Platform, your activities may involve Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA).

Platform Tools. The Platform’s denial analysis, claims scrubbing, EDI, and audit tools are designed to support RCM workflows. If your organization processes PHI through these tools, you are responsible for ensuring that your use of the Platform complies with HIPAA and any applicable state privacy laws. You should not input identifiable patient data into Platform tools unless you have entered into a signed Business Associate Agreement (BAA) with us.

Business Associate Agreements. If your organization requires a BAA, please contact us at hello@roithatworks.com before submitting any PHI. We will work with you to execute an appropriate agreement prior to any PHI being processed through the Platform.

Consulting Sessions. Private consulting sessions may involve discussion of patient accounts, claim details, or other PHI in the course of providing RCM guidance. By engaging consulting services and submitting PHI in that context, you represent that you have the authority to share such information and that doing so complies with your organization’s HIPAA obligations. We handle all PHI disclosed in consulting contexts with the care required under applicable law.

No PHI in Payment Transactions. Do not include patient names, claim numbers, or any PHI in payment descriptions, metadata, or communications routed through our payment processor (Stripe). Stripe does not sign Business Associate Agreements.

7. Data Retention

We retain your account information and usage data for as long as your account is active or as needed to provide you services. Upon cancellation of your subscription, we will retain your data for a period of 90 days, after which it will be deleted or anonymized, unless a longer retention period is required by law or agreed upon in writing.

Consulting session notes and related work product may be retained for up to seven (7) years to support professional accountability and legal compliance obligations, consistent with standard RCM professional practice.

You may request deletion of your account and associated data by contacting us at hello@roithatworks.com. Requests will be honored within 30 days, subject to any legal obligations requiring retention.

8. Your Rights and Choices

Depending on your jurisdiction, you may have rights with respect to your personal information, including:

• Access. You may request a copy of the personal information we hold about you.
• Correction. You may request correction of inaccurate or incomplete information.
• Deletion. You may request deletion of your personal information, subject to legal retention requirements.
• Portability. You may request that we provide your data in a portable, machine-readable format.
• Opt-Out of Marketing. You may opt out of marketing communications at any time by using the unsubscribe link in any email or by contacting us directly. Transactional and account-related communications are not subject to opt-out.

To exercise any of these rights, contact us at hello@roithatworks.com. We will respond within 30 days.

9. Third-Party Services

The Platform may contain links to third-party websites or services. This Privacy Policy does not apply to third-party sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.

Third-party service providers we currently use include:

• Oracle Cloud Infrastructure — hosting and infrastructure (HIPAA BAA in place)
• Stripe — payment processing (Stripe Privacy Policy governs; no PHI to be submitted)
• Google Fonts — web typography (font delivery only)

This list may change as our technology stack evolves. Material additions of data processors will be reflected in an updated Privacy Policy.

10. Children’s Privacy

The Platform is intended for use by healthcare professionals and organizations. It is not directed at children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will post the updated policy on this page and update the “Last Updated” date. For significant changes, we will provide at least 30 days’ advance notice by email to the address on your account. Continued use of the Platform after the effective date of the updated policy constitutes acceptance.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Revenue Optimization & Intelligence
Mindy Corbett, Founder & Privacy Officer
Email: hello@roithatworks.com
Website: www.roithatworks.com