1. Introduction

This privacy policy serves to inform you about how Rotayo collects, processes, and manages personal data through its website, "rotayo.com"("the Website" ), and its accompanying web application ("the Platform"). The Platform functions as an online professional social media network dedicated to healthcare workers.

You may engage with Rotayo in multiple capacities—either as a client, a visitor to our Website, or a user of our Platform. Regardless of your user role, please understand that Rotayo takes your privacy seriously. We are committed to safeguarding your personal information in compliance with the applicable Belgian and European data protection legislation, including the General Data Protection Regulation ("GDPR").

Please read this privacy policy carefully. It describes not only your rights but also the way in which you can exercise them. By using our Website or Platform, disclosing your personal data, or accepting this privacy policy, you acknowledge the manner in which Rotayo collects and processes your personal data as described in this privacy policy.

2. Definitions

Term	Definition
Fellowship	The period of subspecialty medical training that a healthcare professional (such as a doctor, dentist, or veterinarian) can follow after completing a specialization ("i.e. residency"). This medical training mostly takes up to 1 or 2 years.
Host	Healthcare organizations looking for international healthcare professionals. Examples: hospitals, hospital groups, clinics, retirement homes, etc.
Observership	An observing internship for healthcare professionals, such as doctors. Usually unpaid, and usually, no local medical license is required. Sometimes a "tuition fee" is requested from the visitor (or rotator).
Residency	Specialization training in medicine, usually in a hospital or clinic under the direct or indirect supervision of a senior physician registered in that specialty. Often, successful completion of such training is a requirement to obtain a medical license to practice a particular medical specialty. Usually remunerated.
Resident	A doctor in postgraduate specialty training.
Rotation	A temporary activity in a health institution that may or may not be remunerated and may be clinically or academically oriented.
Rotator	Healthcare professionals looking for opportunities on the platform. Examples: pre-graduate or postgraduate healthcare professionals with varying degrees of specialty training, e.g. students, residents, fellows, registered specialists, and registered nurses.
Recruiter	A human resource professional who can view a healthcare professional's credentials, provided the latter chooses to share them. Recruiters may facilitate international work or training opportunities in healthcare institutions.
Credentials	Documents required for international license validation, including identification and educational records.

3. Who We Are and How to Contact Us

"Rotayo" refers to Rotayo BV, having its registered office at 2650 Edegem, Rotenaard 25, Belgium, and with company number 0793.391.011.

This privacy policy only describes our personal data processing activities as controllers. Under the "GDPR", controllers are the main decision-makers: they exercise overall control over the purposes and means of the processing of personal data.

Rotayo has appointed a data protection officer whom you can contact for questions about this privacy policy, your privacy, and the processing of your personal data.

Contact Information

E-mail: privacy@rotayo.com

4. What Personal Data Do We Process?

Rotayo processes different types of personal data depending on the functionalities you use on our "Website" and/or "Platform" and on the personal data you share with us.

4.1 Generic

Category	Details
Identification and Contact Details	Data that allows us to identify and contact you, such as: name and first name; phone number; email address; function/profession; company name; (company) address; company registration and VAT number.
Login Details	Data that allows you to login to your account and use the Platform, such as: user name (you are free to use your given name (first name, middle name and/or last name) or a part thereof, or a pseudonym or nickname of your choice); email address; password.
Payment Details	Data necessary to register and facilitate payments made in consideration for the use of our Platform and related services (if and to the extent applicable): Bank account number and sort code (IBAN (EU) and BIC); Payments due; Payment history.
Account Details	Data that allows you to personalize your Platform account and the information made available to you via our Platform and/or Website: indicated areas of interest; any other information uploaded to complete your account.
Technical Information	Data required to use our Website and/or Platform, for the proper functioning of our Website and/or Platform and for analytical purposes: technical information about your computer, mobile, and other devices used to visit our Website and/or Platform (such as, your IP address, unique device identifiers, user-ID, operating system, browser type); information regarding your usage of our Website and/or Platform (such as, history, logs, date, time, location, frequency, duration of the pages you have viewed, consent preferences); information regarding consent(s) given by you (such as, the date and time of your consent, the user agent, IP address, unique device identifiers or user-ID). We use cookies and similar technologies to collect this technical information. For more information, we refer to our cookie policy.
Personal & Credentialing Information	name and first name; email address; degree (e.g., medical doctor or registered nurse); identification documents; professional license; diploma; academic transcripts; profile picture; nationality; LinkedIn Profile; academic background; professional background and experience; medical expertise; years of experience since graduation; language proficiency; all other information you decide to share.

4.2 Diversity and Inclusion (ESG)

Rotayo strives for worldwide diversity and inclusion in medical practice. Diversity and inclusion are one of the strategic pillars of Rotayo, as part of environmental, social, and governance (ESG) factors that determine its ethical and sustainable impact. The underlying personal data may be (optionally, i.e., not mandatory) processed by Rotayo in order to fulfill one of Rotayo's strategic goals, i.e., to promote diversity, equity, inclusion, and belonging in medical practice globally.

Category	Details
Gender Data	Gender pronouns.

5. For which purposes do we process your personal data, on which legal basis, and for how long?

5.1 Management and Booking of Appointments and Responding to Your Requests

Purpose	To book and confirm your appointment(s) and/or introductory session; To send any related (background) information to our appointment and/or introductory session (such as commercial offers, additional information about services performed and/or to be performed); To respond to your requests, specified in a contact form or the contact page on our Website.
Type of Personal Data	Identification and contact details; Technical information; Any accompanying message and/or information you share with us via the relevant contact form or page on our Website.
Legal Basis	Performance of a contract.
Retention Term	As long as necessary to contact you as part of the performance of the contract (including as long as necessary to answer your request or to manage any appointments). For more details about the retention period, you can always send an email to: privacy@rotayo.com.

5.2 Login to the Platform

Purpose	To create a (personal) user account; To allow you to have access (through your account) to the Platform; To comply with our obligations in respect to the Platform towards our clients and to enable such clients (and their appointed end users (i.e., you)) to access and use the Platform.
Type of Personal Data	Identification and contact details; Login details. We might use cookies and similar technologies to remember your login details to facilitate your next login. For more information, we refer to our cookie policy.
Legal Basis	Performance of a contract.
Retention Term	As long as necessary for the performance of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) and Rotayo; Your identification and contact details will, in any event, be deleted no later than 60 months after the termination of said agreement. For more details about the retention period, you can always send an email to: privacy@rotayo.com. For information on the retention period of personal data processed through cookies, we refer to our cookie policy.

5.3 Matching of Rotators on the Platform

Purpose	To match Rotators with Hosts or Recruiters on the Platform for various positions including Fellowship, Observership, Research positions, Residency training, and job openings.
Type of Personal Data	Identification and contact details; Gender data (not mandatory); Personal information Rotator.
Legal Basis	Gender Data: consent; Other personal data: performance of a contract.
Retention Term	As long as necessary for the performance of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) and Rotayo; Your identification and contact details will, in any event, be deleted no later than 60 months after the termination of said agreement. For more details about the retention period, you can always send an email to: privacy@rotayo.com.

5.4 Credentialing of Healthcare Workers on the Platform

Purpose	To facilitate the verification and validation of healthcare credentials submitted by healthcare professionals; To enable Recruiters and Hosts to assess the qualifications of healthcare professionals; To streamline the international validation process of healthcare credentials.
Type of Personal Data	Identification and contact details; Professional certificates, licensures, educational documents; Any additional documents required for credentialing and international validation.
Legal Basis	Explicit consent from healthcare professionals; Performance of a contract (if credentialing is necessary for providing services or employment through the platform).
Retention Term	As long as necessary for the performance of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) and Rotayo; Your identification and contact details will, in any event, be deleted no later than 60 months after the termination of said agreement. For more details about the retention period, you can always send an email to: privacy@rotayo.com.

5.5 Operation of Our Website and Platform

Purpose	To use our Website and/or Platform; To ensure the proper functioning of our Website and/or Platform; To allow us to recognize the end-user that is using our Website and/or Platform; To remember your preferences (such as consent preferences) so that we can automatically read and respect your preferences on all subsequent and future end-user sessions; To allow us to keep evidence of particular consents you have provided to us; To comply with our obligations in respect to the Platform towards our customers and to enable such customers (and their appointed end users (i.e., you)) to access and use the Platform (if applicable).
Type of Personal Data	Technical information (your technical information may be linked to your user account). We use cookies and similar technologies to collect this technical information. For more information, we refer to our cookie policy.
Legal Basis	Performance of a contract; Legitimate interest.
Retention Term	The retention period varies from as long as the duration of a session/Website/Platform visit, to as long as necessary for Rotayo's legitimate interest or the performance of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) (as applicable); Technical information will in any event be deleted or pseudonymized 24 months after the collection of the data; For more details about the retention period, you can always send an email to: privacy@rotayo.com. For information on the retention period of personal data processed through cookies, we refer to our cookie policy.

5.6 Personalization of Platform Account

Purpose	To further supplement your personal account on our Platform; To personalize the content provided to you on our Website and/or Platform; To enhance your user experience on our Website and/or Platform.
Type of Personal Data	Account details
Legal Basis	Consent. This information is provided voluntarily to supplement an account and you may withdraw your consent to the processing of your account details, at any time, by sending an email to privacy@rotayo.com.
Retention Term	Account details will be deleted from Rotayo's databases upon active deletion of this personal data by you in your account on our Platform, and will, in any case, be deleted no later than 3 months after termination of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) and Rotayo; Account details will, in any event, be deleted as soon as you withdraw your consent. For more details about the retention period, you can always send an email to: privacy@rotayo.com.

5.7 Analytical Purposes

Purpose	To improve our Website and/or Platform; To tailor our Website and/or Platform to your use; To monitor the effectiveness and accessibility of our Website and/or Platform; For other technical, statistical, and diagnostic purposes; Personal data collected from you for these purposes will only be used by us (to the greatest reasonable extent possible) in an aggregated and de-identified format.
Type of Personal Data	Technical information. We use cookies and similar technologies to collect this technical information. For more information, we refer to our cookie policy.
Legal Basis	Consent.
Retention Term	The retention period varies from as long as the duration of a session/Website/Platform visit, to as long as your consent is not withdrawn (as applicable); Technical information will, in any event, be deleted or pseudonymized (i) upon your withdrawal of consent; and (ii) 60 months after the collection of the data. For more details about the retention period, you can always send an email to: privacy@rotayo.com. For information on the retention period of personal data processed through cookies, we refer to our cookie policy.

5.8 Payments

Purpose	To fulfill payments for the license to our Platform and rendered services (both as applicable).
Type of Personal Data	Identification and contact details; Payment details.
Legal Basis	Performance of a contract.
Retention Term	As long as necessary for the performance of the agreement concluded between you or the organization pursuant to which you have access to the Platform (e.g., your employer, principal, etc.) and Rotayo; Your personal data will, in any event, be deleted no later than 10 years after the termination of said agreement. For more details about the retention period, you can always send an email to: privacy@rotayo.com.

5.9 Direct Marketing

Purpose	To send promotional offers, newsletters, or other marketing communications related to our services; To conduct market research and surveys to improve our services.
Type of Personal Data	Identification and contact details.
Legal Basis	Consent or legitimate interest (where applicable).
Retention Term	Until you opt-out or unsubscribe from receiving marketing communications; Personal data used for direct marketing will be deleted upon your request. For more details about the retention period, you can always send an email to: privacy@rotayo.com.

6. Personal Data of Third Parties

If you disclose any personal data of third parties to us, you guarantee that you have informed those third parties and you have received all necessary consents to communicate the third parties' personal data to Rotayo.

7. Cookies

Our Website and Platform use cookies and similar technologies. For more information, we refer to our cookie policy.

8. Disclosures of Personal Data

Rotayo may share your personal data, as required for the purposes set forth in section 5, with:

Purpose	Sharing with third-party service providers (such as IT service providers, artificial intelligence providers, security providers, payment procurement providers, or hosting providers); Sharing with professional advisers (such as lawyers or auditors); Sharing with third parties to whom we intend or choose to sell, transfer or merge (parts of) our shares, business, or assets.
Additional Information	Your personal data may be used to train or fine-tune artificial intelligence models that are designed to extract information from healthcare credentials, provide feedback, and perform other related tasks. This data may be shared with our technology partners specializing in AI and data analytics, under strict data processing agreements that meet the requirements of GDPR. Upon request, Rotayo shall, as soon as possible after the request, inform you of the third parties with whom your personal data have been shared by providing you with a more detailed list. In addition, we may disclose your personal data if this is required by law, or if we determine in good faith that such disclosure is required in order to comply with any pending judicial inquiry, judicial order, or litigation and/or to safeguard our rights.
Processors and Sub-processors	Processors and sub-processors of Rotayo always act under the responsibility of Rotayo. If Rotayo engages processors or sub-processors, this will always be done in accordance with a data processing agreement that meets the requirements of the GDPR. We require all our processors or sub-processors to take appropriate technical and organizational (including security) measures to protect your personal data in line with our policies. We do not allow our processors or sub-processors to use your personal data for their own purposes. In the event we disclose your personal data as described above, we will implement appropriate safeguards to ensure the integrity and confidentiality of your personal data. Your personal data will only be viewed and made available to processors, sub-processors, employees, and other third parties on a "need-to-know" basis, limited to the extent necessary to perform their services.

9. International Transfers

As a global online platform, Rotayo is accessible by users from various countries around the world, including countries located outside the European Economic Area ("EEA"). Accordingly, Rotayo engages in the transfer of personal data across international borders, subject to the following conditions:

General Circumstances for Data Transfer	If you are located outside the EEA and are visiting our Platform and/or Website from outside the EEA. When Platform users, hereafter referred to as "Rotators," apply for positions or opportunities that require their data to be shared with "Hosts" or "Recruiters" located abroad.
Global Reach	It should be understood that, given the international nature of our Platform, data transfers could occur to and from any country.
Compliance and Safeguards	In any case where Rotayo, through its (sub-)processors, transfers your personal data to countries outside the EEA, such transfers will only be performed in accordance with applicable data protection legislation. This includes implementing appropriate safeguards such as standard contractual clauses or relying on adequacy decisions by the European Commission, where applicable, to ensure the secure and lawful transfer of your personal data. Further Information: Please contact us if you would like further information on the specific mechanism(s) we use when transferring personal data out of the EEA. You can reach us at privacy@rotayo.com.

11. Data Security

Rotayo is committed to ensuring that your personal data is secure and makes all reasonable and appropriate efforts to protect the confidentiality of your personal data. We have implemented appropriate technical and organizational measures, safeguards, and assurances to process your personal data in accordance with the GDPR, in particular to protect your personal data against loss, misuse, or unauthorized alteration or destruction.

Access Control	Rotayo's servers are located in Frankfurt, Germany, or Dublin, Ireland and are hosted by Amazon Web Services (AWS), which uses secured facilities for their servers. Only the founder team has access to the AWS account, and access requires two-factor authentication. More info on AWS protection: AWS Security Overview.
Integrity	Open Network & Interactions: Rotayo is a social-professional network where users have the freedom to post, reply, and interact openly with each other. This includes not just Rotators and hosts but also any member who has a verified profile on the platform. Each user has the ability to control their own privacy settings, specifying who can see their posts or profile. Subnetworks: Within specialized subnetworks like EUHA (EUHA), users have the option to restrict their interactions and visibility solely to the members of that subnetwork. This ensures that such specialized subnetworks can tailor the platform to match their professional requirements. From Rotayo's side, only the technical founder team has access to the database. Their access is protected with two-factor authentication.
Automatic Encryption	All data flowing across the AWS servers is automatically encrypted at the physical layer before it leaves the server.
Transmission Control	SSL certificate for websites obtained by AWS' Certificate Manager ;
Confidentiality	Rotayo uses a strong password policy. Weak passwords are rejected.
Recoverability	Backups are regularly checked for successful recovery.
Evaluation	Rotayo organizes an annual review of technical and organizational measures on effectiveness and plausibility.

Please contact us if you would like more information on the specific measures taken. Despite the above measures taken by us, you should be aware that there are always risks associated with sending personal data over the internet. The security and protection of your personal data can never be fully guaranteed, nor can we guarantee that unauthorized third parties will never be able to defeat those measures or use your personal data for improper purposes.

12. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes determined in section 5 of this privacy policy, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or the organization you work for. Afterwards, it is still possible that they can be found in our back-ups or archives, but they will no longer be actively processed in a file.
The applicable retention periods are set out in the table above under section 5.

13. Your Legal Rights

If and insofar as provided for in the applicable data protection legislation, you have the right:

To receive confirmation as to whether we process your personal data and, where this is the case, to access such personal data.
To have any inaccurate or incomplete personal data corrected without undue delay.
To have your personal data deleted by us under certain circumstances, namely when one of the following applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based, and where there is no other legal ground for the processing.
- You object to the processing in case the processing is for direct marketing purposes.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in EU or national law.
To obtain your personal data and to transfer them to another controller or processor.
To obtain a limitation of the processing of your personal data, to the extent possible and subject to the applicable data protection legislation, at any time, when one of the following applies:
- You contest the accuracy of the personal data, for a period enabling Rotayo to verify the accuracy of the personal data.
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
- Rotayo no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims.
To receive your personal data in a structured, common and machine-readable format.
To prevent the processing of your personal data and the use of your personal data for direct marketing purposes.
Where the processing of your personal data is based on points (e) and (f) of article 6(1) of the GDPR, to object to the processing of personal data.

You can exercise these rights by sending an e-mail to: privacy@rotayo.com.
In the event you request a copy of your personal data being processed by Rotayo, your data will be delivered as soon as reasonably possible. Rotayo may either (i) charge a reasonable fee, taking into account the administrative costs of providing such a copy, or (ii) refuse to act on such a request, when the request for a copy is manifestly unfounded or excessive. Rotayo will inform you of the applicable fee before charging it.
Rotayo reserves the right to request a copy of the front side of your identity card if Rotayo is unable to identify you or if Rotayo has reason to doubt your identity. You may, however, blackline any information which is not necessary for identification or verification purposes.

If and to the extent provided for in the applicable data protection legislation, you have the right to file a complaint with the competent supervisory authority should the processing of your personal data violate the applicable regulations.

Contact Information for the Data Protection Authority

In Belgium, the competent authority is the Data Protection Authority (Gegevensbeschermingsautoriteit):
www.gegevensbeschermingsautoriteit.be
Drukpersstraat 35, 1000 Brussels, Belgium
+32 (0)2 274 48 00
contact@apd-gba.be.

We would, however, appreciate the chance to deal with your concerns before you approach the authority, so please contact us in the first instance.

15. Liability

If Rotayo has legitimately transmitted your personal data to a third party (not being its (sub-)processor), Rotayo shall not be liable for any unlawful processing or unlawful use by that third party.
Under no circumstances does Rotayo accept responsibility for any direct or indirect damages resulting from faulty or unlawful use of the personal data by a third party (not being its (sub-)processor).
Additionally, Rotayo is not liable if third parties unlawfully process or use your personal data and Rotayo has implemented appropriate technical and organizational measures to prevent such unlawful processing or use.
Rotayo is in any case only liable for the damage caused by the processing of personal data if it did not comply with its specific obligations under the GDPR. Rotayo shall in no event be liable for any special, incidental, indirect or consequential losses or damages.
The foregoing exclusions and limitations shall only apply to the maximum extent permitted by applicable law.

16. Changes to this Privacy Policy

Rotayo may amend this privacy policy at all times. Any changes we may make to our privacy policy will be indicated on the Website and/or Platform and, when proportionate and in line with the significance of the changes, may be notified to you by e-mail or advised to you on your next Website/Platform visit. The date of the most recent version is shown in the top right-hand corner of the privacy policy.
Please review Rotayo's privacy policy periodically to stay informed of changes that may affect you.
Amended versions of this privacy policy take effect ten (10) days after their publication on the Website, Platform and/or other form of announcement and, if necessary, will always be submitted for approval unless such modifications are necessary to comply with a legal requirement. In the latter case, such changes will take effect immediately.

17. Applicable Law and Competence

This privacy policy shall be governed, interpreted, and implemented in accordance with Belgian laws.
The Antwerp courts (department Antwerp) are exclusively competent to decide on any dispute that may arise from the interpretation or implementation of this privacy policy without prejudice to the consumer's right to present a dispute before a competent court on the basis of a mandatory statutory provision.

Privacy Policy