Privacy Policy | ROMEA.AI PTE. LTD.

PRIVACY POLICY

ROMEA.AI PTE. LTD.
UEN: 202554086K
68 Circular Road, #02-01, Singapore 049422
Effective Date: January 28, 2026 | Version 1.1

1. INTRODUCTION

ROMEA.AI PTE. LTD. ("Company," "we," "us," or "our"), operating under the trade name Romea AI, is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our AI integration and automation services ("Services").

We provide business-to-business ("B2B") services primarily to healthcare practices, including plastic surgery clinics, medspas, and aesthetic medicine practices. Our clients are the data controllers of their patient and customer data, while we act as a data processor on their behalf.

2. SCOPE AND APPLICATION

2.1 Who This Policy Applies To

This Privacy Policy applies to:

  • Our business clients ("Clients") who engage our Services
  • Representatives, employees, and agents of our Clients
  • Visitors to our website and digital properties
  • End-users whose data is processed through our Services on behalf of Clients

2.2 Our Role as Data Processor

When we process personal data on behalf of our Clients, we act as a data processor (or "service provider" under certain laws). Our Clients remain the data controllers (or "businesses") responsible for determining the purposes and means of processing personal data. We process such data only in accordance with our Clients' documented instructions and applicable Data Processing Agreements.

3. INFORMATION WE COLLECT

3.1 Information from Clients

  • Business contact information: name, email, phone number, job title, company name
  • Account credentials and authentication data
  • Billing and payment information
  • Communications and correspondence with us
  • Service configuration preferences and settings

3.2 Information Processed on Behalf of Clients

When providing our Services, we may process the following categories of personal data as instructed by our Clients:

  • Patient/customer contact information
  • Appointment and scheduling data
  • Communication records (SMS, email, chat messages)
  • CRM and customer relationship data
  • Such other data as may be necessary to provide the Services

3.3 Automatically Collected Information

  • Log data and usage information
  • Device and browser information
  • IP addresses and general location data
  • Cookies and similar tracking technologies

4. SMS/TEXT MESSAGING PRIVACY

This section specifically addresses our practices regarding SMS and text messaging communications.

4.1 Collection of Mobile Phone Numbers

We collect mobile phone numbers when you voluntarily provide them through our website contact forms, during service inquiries, or through other opt-in mechanisms. By providing your mobile phone number and checking the consent checkbox on our forms, you expressly consent to receive SMS/text messages from Romea.AI Pte. Ltd.

4.2 Types of SMS Messages

If you opt in to receive SMS messages from us, you may receive:

  • Demo invitations and product information
  • Consultation scheduling and appointment reminders
  • Follow-up communications about our AI practice automation solutions
  • Service updates and important notices

4.3 Message Frequency and Costs

Message frequency varies based on your interactions and inquiries. Message and data rates may apply. Please check with your wireless carrier for details about your messaging plan.

4.4 No Sharing of SMS Opt-In Data

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.

Text messaging originator opt-in data and consent will not be shared with any third parties.

We do not sell, rent, loan, trade, lease, or otherwise transfer for profit any phone numbers or personal information collected through SMS opt-in to any third party.

4.5 Opting Out of SMS Messages

You may opt out of receiving SMS messages at any time by:

  • Replying STOP to any SMS message you receive from us
  • Contacting us at support@romea.ai

After opting out, you will receive a final confirmation message, and no further SMS messages will be sent unless you re-subscribe.

4.6 Getting Help

For assistance with our SMS messaging program:

  • Reply HELP to any SMS message for assistance
  • Email us at support@romea.ai
  • Call us at +1 (424) 532 9801

4.7 Consent Requirements

Your consent to receive SMS messages is not a condition of purchase. You may choose not to receive SMS messages and still use our services through other communication channels.

5. HOW WE USE INFORMATION

5.1 Our Own Business Purposes

  • Providing, maintaining, and improving our Services
  • Communicating with Clients about Services (including via SMS where consent is given)
  • Processing payments and managing accounts
  • Ensuring security and preventing fraud
  • Complying with legal obligations
  • Analyzing and improving our Services

5.2 Processing on Behalf of Clients

We process Client data solely in accordance with our Clients' documented instructions and our Data Processing Agreements. We do not use Client data for our own purposes, sell Client data, or share Client data with third parties except as necessary to provide Services or as required by law.

6. DATA SHARING AND DISCLOSURE

We may share personal data in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our business, subject to appropriate confidentiality and security obligations
  • AI Technology Providers: With AI language model providers (such as OpenAI, Anthropic, Google) as necessary to provide our AI integration services
  • Legal Requirements: When required by law, regulation, legal process, or governmental request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Consent: With consent or at the direction of the relevant data controller

We do not sell personal data to third parties.

We do not share SMS opt-in data, mobile phone numbers collected for SMS purposes, or text messaging consent information with any third parties for marketing or promotional purposes.

7. DATA RETENTION AND DELETION

7.1 Retention Periods

  • Client Account Data: Retained for the duration of the business relationship plus any period required for legal or regulatory compliance
  • Client-Processed Data: Retained in accordance with our Clients' instructions and applicable Data Processing Agreements, typically deleted within 30 days of service termination unless otherwise instructed
  • SMS Opt-In Records: Retained for as long as you remain subscribed to our SMS communications, plus any period required for legal compliance
  • Log and Analytics Data: Typically retained for 12 months for security and operational purposes

7.2 Deletion Procedures

Upon termination of Services or upon valid request from our Clients, we will delete or return Client data in accordance with our Data Processing Agreement. We implement secure deletion procedures that render data unrecoverable. Some data may be retained in backup systems for a limited period but will be deleted in accordance with our backup retention schedules.

8. DATA SECURITY

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Employee training on data protection
  • Incident response procedures

While we implement commercially reasonable security measures, no system can guarantee absolute security. We will notify affected parties and relevant authorities of any data breach as required by applicable law.

9. INTERNATIONAL DATA TRANSFERS

We operate globally and may transfer personal data across international borders. When transferring data outside the jurisdiction where it was collected, we implement appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms to ensure an adequate level of protection.

10. UNITED STATES – STATE-SPECIFIC DISCLOSURES

10.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (note: we do not sell personal information)
  • Right to Limit Use: Limit the use and disclosure of sensitive personal information
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Service Provider Status: When processing data on behalf of our Clients, we act as a "service provider" under the CCPA. California residents should direct their privacy requests to the business (our Client) that collected their information.

10.2 Texas Privacy Rights (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act (TDPSA):

  • Right to Access: Confirm whether we are processing your personal data and access such data
  • Right to Correction: Correct inaccuracies in your personal data
  • Right to Deletion: Delete personal data provided by or obtained about you
  • Right to Portability: Obtain a copy of your personal data in a portable format
  • Right to Opt-Out: Opt out of targeted advertising, sale of personal data, and profiling

10.3 Other U.S. State Privacy Laws

We comply with applicable state privacy laws including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy legislation. Residents of these states may have similar rights to access, correct, delete, and opt out of certain processing activities. Please contact us to exercise any applicable rights.

10.4 HIPAA Compliance

When our Services involve the processing of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), we enter into Business Associate Agreements (BAAs) with our Clients and implement appropriate administrative, physical, and technical safeguards as required by HIPAA. We do not use or disclose PHI except as permitted by our BAAs and HIPAA.

10.5 TCPA and SMS Compliance

We comply with the Telephone Consumer Protection Act (TCPA) and CTIA guidelines for SMS messaging. We obtain express written consent before sending marketing text messages, honor opt-out requests promptly, and maintain records of consent as required by law.

11. AUSTRALIA – PRIVACY ACT 1988

If you are located in Australia, this section applies in addition to the general provisions of this Privacy Policy. We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth).

11.1 Collection and Use

We collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities. We will only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies under the APPs.

11.2 Your Rights

Under Australian privacy law, you have the right to:

  • Request access to personal information we hold about you
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information
  • Complain about a breach of the APPs

11.3 Overseas Disclosure

We may disclose personal information to overseas recipients, including service providers and AI technology providers located in the United States, Singapore, and other countries. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles the information in accordance with the APPs.

11.4 Complaints

If you believe we have breached the APPs, you may lodge a complaint with us. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

12. SINGAPORE – PDPA COMPLIANCE

As a Singapore-incorporated company, we comply with the Personal Data Protection Act 2012 (PDPA) and its amendments.

12.1 Data Protection Obligations

We are committed to meeting our obligations under the PDPA, including the Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Openness obligations.

12.2 Your Rights Under PDPA

Under the PDPA, you have the right to:

  • Request access to your personal data in our possession
  • Request correction of any errors or omissions in your personal data
  • Withdraw consent for the collection, use, or disclosure of your personal data
  • Request information about how your personal data has been used or disclosed in the past year

12.3 Data Protection Officer

For inquiries or complaints regarding our handling of personal data in Singapore, please contact our Data Protection Officer at privacy@romea.ai.

13. UNITED KINGDOM – UK GDPR

If you are located in the United Kingdom, this section applies in addition to the general provisions of this Privacy Policy. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

13.1 Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract: Processing necessary for the performance of a contract
  • Legitimate Interests: Processing necessary for our legitimate business interests, where not overridden by your rights
  • Legal Obligation: Processing necessary to comply with legal obligations
  • Consent: Where you have given consent for specific processing purposes

13.2 Your Rights Under UK GDPR

You have the following rights:

  • Right of access to your personal data
  • Right to rectification of inaccurate personal data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling

13.3 International Transfers

We may transfer personal data outside the UK. Where we do so, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, or transfers to countries with adequacy regulations.

13.4 Complaints

If you have concerns about our data handling practices, you may lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.

14. EUROPEAN UNION – GDPR

If you are located in the European Economic Area (EEA), this section applies in addition to the general provisions of this Privacy Policy. We comply with the General Data Protection Regulation (EU) 2016/679 (GDPR).

14.1 Data Controller and Processor

ROMEA.AI PTE. LTD. acts as a data processor when processing personal data on behalf of our Clients. For our own business operations (e.g., Client contact information, website visitors), we act as data controller.

14.2 Legal Basis for Processing

We process personal data based on one or more of the following legal bases under Article 6 of the GDPR:

  • Performance of a contract with you or to take steps at your request before entering a contract
  • Compliance with a legal obligation to which we are subject
  • Our legitimate interests, where not overridden by your fundamental rights and freedoms
  • Your consent, where specifically obtained

14.3 Your Rights Under GDPR

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15): Obtain confirmation of processing and access to your personal data
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data in certain circumstances
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Rights re: Automated Decisions (Art. 22): Not be subject to solely automated decision-making with legal or significant effects

14.4 International Transfers

When we transfer personal data outside the EEA, we implement appropriate safeguards in accordance with Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful mechanisms.

14.5 Data Protection Authority

You have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

15. EXERCISING YOUR RIGHTS

15.1 How to Submit Requests

To exercise any of your privacy rights, you may contact us at:

15.2 Verification

We may need to verify your identity before processing your request. We may ask you to provide information that matches information we have on file.

15.3 End-User Requests

If you are an end-user whose data is processed through our Services, please direct your privacy requests to the relevant business (our Client) that collected your information. We will assist our Clients in responding to such requests as required by our Data Processing Agreements and applicable law.

15.4 Response Time

We will respond to verifiable requests within the timeframes required by applicable law, typically within 30 days. If we require more time, we will inform you of the reason and extension period.

16. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies on our website to enhance your experience, analyze usage, and for marketing purposes. You can manage your cookie preferences through your browser settings. For detailed information about the cookies we use, please refer to our Cookie Policy.

17. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access.

18. CHILDREN'S PRIVACY

Our Services are not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such information, please contact us immediately.

19. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website with a new effective date. We encourage you to review this Privacy Policy periodically.

20. CONTACT INFORMATION

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:

ROMEA.AI PTE. LTD.
Trading as: Romea AI
UEN: 202554086K
Address: 68 Circular Road, #02-01, Singapore 049422
Email: privacy@romea.ai
Website: www.romea.ai
Phone: +1 (424) 532 9801

Last Updated: January 28, 2026

This Privacy Policy should be reviewed by qualified legal counsel in your jurisdiction before use.