top of page
Logo

Privacy Policy

Effective Date: 01 August 2026 Last Updated: 01 August 2026

Founder Support S.R.L. ("Rosa," "Company," "we," "us," or "our") is committed to protecting the privacy of individuals who use our application, website, and related services, including all artificial intelligence-powered features (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the Service, including information obtained through Connected Accounts such as WhatsApp, Instagram, Gmail, Microsoft Outlook, Google Calendar, Apple Calendar, and Microsoft Calendar.

This Privacy Policy should be read together with our Terms of Service, which it incorporates by reference. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Our Role and Responsibilities (Controller / Processor)

1.1 For personal data relating to your account, your use of the Service, and your direct interactions with us, Founder Support S.R.L. acts as the data controller for the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection legislation, including Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018.

1.2 For Content accessed from your Connected Accounts, including personal data of your own clients, contacts, and other third parties contained in your messages, emails, and calendar entries, you act as the controller of that personal data and Founder Support S.R.L. acts as a processor, processing such data solely on your documented instructions in order to provide the Service. This processing is governed by a Data Processing Agreement pursuant to Article 28 GDPR, which forms part of our Terms of Service.

1.3 As the controller of your clients' personal data, you are responsible for establishing a lawful basis for that processing and for providing any privacy notices to, and obtaining any consents from, the individuals concerned, as required by applicable law.

2. Information We Collect

2.1 Information You Provide Directly

(a) Account information, including your name, email address, phone number, business details  and password;
(b) preferences and configuration settings, including automation rules and AI permission levels; and
(c) information submitted in connection with customer support requests or other communications with us.

Provision of account information is necessary to create an account and use the Service; without it, we cannot provide the Service to you. Connecting a Connected Account is optional, but specific features will be unavailable if you choose not to connect one.

2.2 Information Obtained from Connected Accounts

When you authorize Rosa to connect to a third-party platform, we may access and process the following categories of information, depending on the permissions (scopes) you grant:

(a) WhatsApp: messages, contact information, and associated metadata necessary to identify tasks and, where enabled, to send automated responses, in accordance with the WhatsApp Business API and your authorization;
(b) Instagram: direct messages, contact or handle information, and associated metadata necessary to identify tasks and, where enabled, to send automated responses, in accordance with the Meta Platform Terms and your authorization;
(c) Gmail: email content, subject lines, sender and recipient information, attachment metadata, and labels necessary to identify tasks and deadlines and, where enabled, to draft or send responses;
(d) Microsoft Outlook: email content, subject lines, sender and recipient information, attachment metadata, and folder or category information necessary to identify tasks and deadlines and, where enabled, to draft or send responses; and
(e) Google Calendar, Apple Calendar, and Microsoft Calendar (Outlook Calendar): calendar events, schedules, attendees, locations, and availability necessary to identify tasks, deadlines, and scheduling conflicts.

We access only the information necessary to provide the features you have enabled. You may review, modify, or revoke these permissions at any time through the Service or through the relevant third-party platform's account settings.

2.3 Information Collected Automatically

(a) device information, including device type, operating system, and unique device identifiers;
(b) usage data, including features accessed, interaction logs, timestamps, and diagnostic or crash reports; and
(c) approximate location data, where enabled, for the purpose of time-zone determination and scheduling accuracy.

Some of this information is collected through cookies and similar technologies. We use the following:

Strictly Necessary

These are required for the Service to function and cannot be disabled.

TECHNOLOGY

Session cookies

Security tokens

PROVIDER

Founder Support SRL

Founder Support SRL

PURPOSE

Maintain your authenticated session and account state

CSRF protection and request integrity

RETENTION

Session (cleared on browser close)

Session

Functional

These enable features you have explicitly activated.

TECHNOLOGY

Firebase Cloud Messaging (FCM)

 

FCM device token

PROVIDER

Google LLC

Google LLC

PURPOSE

Deliver push notifications to your device for task reminders and booking alerts

Uniquely identifies your device for notification routing

RETENTION

Persistent; device registration token renewed by FCM

Until you disconnect the Service or revoke notification permissions

Firebase Cloud Messaging operates under Google's data processing terms. Data may be processed on Google infrastructure outside the EEA, subject to Standard Contractual Clauses. You can revoke push notification permissions at any time through your device settings, which will disable this functionality.

Third-Party SDK

Used during the account connection flow only.

TECHNOLOGY

Meta Embedded Signup JS SDK

PROVIDER

Meta Platforms, Inc.

PURPOSE

Facilitates OAuth authorization when connecting your WhatsApp Business or Instagram account to the Service

RETENTION

Active only during the connection flow; no persistent cookie is set by ROSAapp

The Meta SDK operates under Meta's own cookie and privacy policies. It may set cookies or local storage values on Meta's behalf during the authorization flow. Rosa does not control or access those values. Once the connection is established, this SDK is no longer active.

When you connect a Google or Microsoft account, you will be redirected to their login pages. Any cookies set during that process are governed by Google's or Microsoft's privacy policies respectively.

Managing Your Preferences

You may manage cookie and SDK behavior as follows:

  • Session and security cookies cannot be disabled without breaking the Service.

  • Push notifications (FCM): disable via your device's notification settings for ROSAapp.

  • Meta SDK: if you do not wish to connect a WhatsApp or Instagram account, you will not trigger this SDK. You may also disconnect a previously connected account at any time through Section 9 of this Privacy Policy.

  • Browser-level controls: most browsers allow you to block or delete cookies through their settings. Note that blocking strictly necessary cookies will impair your ability to use the Service.

3. How We Use Your Information

We use the information described in Section 2 for the following purposes:

(a) to provide, operate, and maintain the Service, including establishing and managing connections to Connected Accounts;
(b) to enable AI Features to analyze messages, emails, and calendar data in order to identify tasks, generate task entries, and create reminders;
(c) to generate AI-drafted responses and, where enabled, to transmit such responses on your behalf in accordance with your automation settings;
(d) to personalize your experience, including task prioritization and scheduling recommendations;
(e) to maintain, secure, and improve the Service, including diagnosing and resolving technical issues;
(f) to communicate with you regarding updates, security notices, and support matters; and
(g) to comply with applicable legal obligations and to enforce our Terms of Service.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 GDPR for processing carried out as a controller:

(a) Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Service you have subscribed to, including the core functionality described in Section 3(a)–(d);
(b) Legitimate interests (Art. 6(1)(f)): processing for security, fraud prevention, service improvement, and diagnostic purposes (Section 3(e)), where those interests are not overridden by your rights and freedoms;
(c) Legal obligation (Art. 6(1)(c)): processing necessary to comply with applicable law (Section 3(g)); and
(d) Consent (Art. 6(1)(a)): where we rely on consent, such as for optional features or certain marketing communications, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Where processing involves special categories of personal data (Article 9 GDPR), we process such data only on the basis of explicit consent or another applicable exception.

For Content processed as a processor on your behalf (Section 1.2), the lawful basis for that processing is determined and provided by you as controller.

5. AI Processing of Information

5.1 The Service's AI Features process Content from your Connected Accounts in order to provide the functionality described in Section 3. This processing may involve transmitting relevant portions of your messages, emails, or calendar data to AI processing systems, which may include third-party providers operating under contractual data processing and confidentiality obligations.

5.2 We apply data minimization principles to such processing, transmitting only the information reasonably necessary for the AI Feature to perform the requested function.

5.3 We do not use the content of your private messages, emails, or calendar data to train artificial intelligence models for the benefit of other users.

5.4 AI Transparency (EU AI Act). In accordance with Regulation (EU) 2024/1689 ("EU AI Act"), we disclose the following:

(a) ROSAapp's AI features constitute an AI system as defined under the EU AI Act. The system assists service-owner professionals in managing client communications and scheduling; it does not make final legal or similarly significant decisions about individuals without human oversight.
(b) How the AI works: the AI Features analyze the text of your Content using large language models to detect actionable items (such as requests, questions, dates, and deadlines) and produce suggestions, summaries, and draft responses ranked by relevance. The AI Features do not score, profile, or make eligibility decisions about individuals.
(c) Where the Service generates automated responses transmitted on your behalf, you retain full control over which automation settings are enabled and may disable any such feature at any time through your account settings.
(d) AI-generated drafts, task suggestions, and scheduling recommendations are assistive outputs. You are not required to act on them, and no automated output is implemented without your prior configuration and ongoing consent.
(e) The AI system does not engage in prohibited practices under Article 5 of the EU AI Act, including subliminal manipulation, exploitation of vulnerabilities, or real-time biometric identification.
(f) You have the right to request human review of any automated output that materially affects you, and to object to automated processing, as described in Section 8.

6. Disclosure of Information

We do not sell personal information. We may disclose information in the following circumstances:

(a) Service Providers: to vendors that support the operation of the Service, including cloud hosting providers, AI processing providers, and customer support platforms, each subject to contractual confidentiality and data protection obligations (and, where required by GDPR, data processing agreements under Article 28);
(b) Connected Account Platforms: to WhatsApp, Meta, Instagram, Google, Microsoft, Apple, or other relevant platforms, strictly to the extent necessary to perform actions you have authorized;
(c) Legal Compliance: where required by applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of the Company, our users, or others;
(d) Business Transfers: in connection with a merger, acquisition, reorganization, financing, or sale of assets, subject to appropriate confidentiality arrangements; and
(e) With Your Consent: for any other purpose disclosed to you and to which you have consented.

7. Data Retention

7.1 We retain personal information for as long as your account remains active or as necessary to provide the Service, and in any event no longer than 3 years after account closure unless a longer period is required by law.

7.2 Following deletion of your account or disconnection of a Connected Account, we will delete or anonymize associated information within 30 days, except where retention is required for legal, accounting, security, or regulatory purposes.

7.3 Content processed by AI Features for the purpose of generating tasks, summaries, or responses is retained only for as long as necessary to complete the relevant function, unless longer retention is required by law or necessary for the operation of the Service.

7.4 Where we act as a processor (Section 1.2), Content is retained and deleted in accordance with your instructions and the applicable Data Processing Agreement.

8. Your Rights and Choices

8.1 Rights Under GDPR (European residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

(a) Access: to request a copy of the personal information we hold about you (Article 15);
(b) Rectification: to request correction of inaccurate or incomplete data (Article 16);
(c) Erasure: to request deletion of your personal information where the legal basis for processing no longer applies (Article 17);
(d) Restriction: to request that we restrict processing in certain circumstances (Article 18);
(e) Portability: to receive your personal information in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller (Article 20);
(f) Objection: to object to processing based on legitimate interests or carried out for direct marketing purposes (Article 21);
(g) Withdrawal of consent: to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing;
(h) Automated decision-making: not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Where such processing is necessary, you have the right to request human intervention, to express your point of view, and to contest the decision (Article 22); and
(i) Complaint to a supervisory authority: to lodge a complaint with the relevant data protection authority. For users in Italy, the competent authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it), Piazza Venezia 11, 00187 Roma. For users in other EU member states, the competent authority is the supervisory authority of your country of habitual residence.

Where we process your clients' personal data as a processor, requests by those individuals should be directed to you as controller; we will assist you in responding as required by Article 28 GDPR.

9. Disconnecting Accounts and Revoking Access

You may disconnect any Connected Account at any time through the Service's settings, or by revoking Rosa's access directly through the relevant platform's permissions settings. Disconnection will prevent Rosa from accessing further data from that account and will disable any associated automation features. Information previously processed will be handled in accordance with Section 7.

10. Data Security

We implement technical and organizational measures designed to protect personal information, including encryption of data in transit and at rest, access controls, and secure storage practices. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in accordance with Articles 33–34 GDPR. No method of electronic transmission or storage is entirely secure, and we cannot guarantee absolute security.

11. International Data Transfers

Your information may be processed and stored in jurisdictions other than your country of residence. Where transfers of personal data from the EEA, UK, or Switzerland to third countries occur, we implement appropriate safeguards as required by Chapter V GDPR, including:

(a) Standard Contractual Clauses (SCCs) adopted or approved by the European Commission, where transfers are to countries without an adequacy decision; and
(b) reliance on adequacy decisions issued by the European Commission where available.

You may request a copy of the applicable safeguards by contacting us as described in Section 14.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. This is a contractual eligibility threshold and is distinct from the minimum age of consent to information society services under Article 8 GDPR, which in Italy is 14 years. We do not knowingly collect personal information from individuals below the applicable threshold. If we become aware that we have inadvertently collected such information, we will take reasonable steps to delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you through the Service or by other reasonable means at least 30 days prior to taking effect, where feasible. The "Last Updated" date above indicates when this Privacy Policy was most recently revised. Continued use of the Service following the effective date constitutes acceptance.

14. Contact Us

For questions or requests regarding this Privacy Policy, your personal information, or to exercise any rights described in Section 8, please contact:

Founder Support S.R.L., Data Controller
Via del Campo 89, 21040 Morazzone (VA), Italy
P.IVA / Codice Fiscale: 04113720124
REA: VA-403086
PEC: foundersupport@namirialpec.it
Email: support@rosaapp.io
Website: www.rosaapp.io

Data Protection Officer:
[Insert DPO name and email, or remove this block after completing your Art. 37 assessment]

Garante per la protezione dei dati personali:
Website: www.garanteprivacy.it
Address: Piazza Venezia 11, 00187 Roma, Italy

bottom of page