Privacy Policy
Last updated: April 7, 2026
How Zarlu, Inc. collects, uses, and protects your information when you use Clinical Rota.
1. Introduction
This Privacy Policy describes how Zarlu, Inc. (“Zarlu,” “we,” “us,” or “our”) collects, uses, discloses, and protects your information when you visit the Clinical Rota website or use the Clinical Rota scheduling platform (“Service”). Clinical Rota is an AI-powered scheduling tool for healthcare organizations.
By using the Service, you agree to the practices described in this policy. If you do not agree, do not use the Service.
What Clinical Rota does not do:
- We do not access, store, or process Protected Health Information (PHI) as defined by HIPAA. Clinical Rota handles physician and staff workforce scheduling data only.
- We do not sell your personal information.
- We do not use your scheduling data to train AI models.
- We do not share your data with insurers or use scheduling patterns for performance surveillance.
2. Information We Collect
2.1 Prospective Customer Information (Sales Outreach)
If you have not created a Clinical Rota account but receive a commercial email from us, we may have obtained your contact information from publicly available sources or third-party business data providers (such as Apollo.io). In that case, we may collect and process:
- Name
- Business email address
- Phone number (if publicly listed)
- Organization name and website
- Job title
- Department or specialty
We use this information solely to contact you about our products and services. This data is stored in our email outreach platform (Instantly.ai) and our lead enrichment provider (Apollo.io).
Your rights as a prospective contact:
- Opt out of communications: Reply “unsubscribe” to any email from us, or email [email protected], and we will remove you from all outreach within 24 hours and add you to our permanent suppression list.
- Request your data: You may request a copy of the information we hold about you by emailing [email protected].
- Request deletion: You may request that we delete all information we hold about you by emailing [email protected]. We will delete your data from our outreach platforms within 30 days, except where retention is required by law.
- We do not sell your personal information. Transferring your contact information between our data providers and outreach tools is done solely to contact you about our products and does not constitute a sale under the CCPA/CPRA.
California residents: See Section 10 for additional rights under the CCPA/CPRA. These rights apply to you whether or not you have a Clinical Rota account.
Residents of Virginia, Colorado, Connecticut, and other states with consumer privacy laws: See Section 11. You may have similar rights under your state’s law.
2.2 Demo Request and Contact Information
If you request a demo or contact us through the website, we collect:
- Name
- Email address
- Organization name (if provided)
This information is collected through our scheduling partner Cal.com and is used solely to arrange a product demonstration and communicate with you about Clinical Rota.
2.3 Account Information
When your organization registers for Clinical Rota, we collect:
- Name
- Email address
- Organization name and department
- Role (administrator or staff member)
- Contact preferences (notification settings)
Administrators who set up an organization may also provide:
- Organization configuration (department names, shift types, scheduling rules)
- Team member names, email addresses, and roles
2.4 Scheduling and Workforce Data
When your organization uses the Service, we process:
- Shift assignments and schedules (published, draft, and historical)
- Duty hour logs and ACGME compliance data
- Time-off requests and availability preferences
- Contact information for on-call and “running late” notifications (phone number, pager)
- Department and service assignments
- Credential status and qualifications
- People groups created by individual users
This data is provided by your organization’s administrators or imported from existing scheduling systems.
2.5 Usage Data
We automatically collect:
- Log data (IP address, browser type, operating system, referring URL)
- Service usage patterns (features used, pages visited, timestamps)
- Device information
- Schedule viewing and interaction events
2.6 Cookies and Tracking Technologies
Our marketing website uses:
- PostHog – web analytics to understand page visits, referral sources, and engagement. PostHog may collect page URLs, device and browser information, and IP address (which may be anonymized). See PostHog’s privacy policy for details.
- Google Ads conversion tracking – to measure the effectiveness of our advertising (subject to Google’s privacy policies)
The Service application uses:
- PostHog – product analytics to understand how features are used, identify issues, and improve the Service. PostHog does not have access to your scheduling data, contact information, or workforce records.
- Essential cookies required for authentication and session management
We do not use third-party advertising cookies within the application.
3. How We Use Your Information
We use your information to:
- Provide the Service – generate, display, and manage schedules; send shift notifications and alerts; track duty hour compliance; facilitate “running late” and coverage communications
- Maintain your account – manage authentication, organization settings, and user preferences
- Improve the Service – analyze usage patterns (in aggregate) to improve features and performance
- Communicate with you – send service-related notices, respond to support requests, and provide product updates
- Ensure security – detect and prevent fraud, abuse, and unauthorized access
- Comply with law – respond to legal process and enforce our Terms of Service
We do not use your scheduling data, workforce records, or organizational information for:
- Training AI models
- Advertising or marketing purposes
- Sale to third parties
- Performance surveillance or workforce scoring beyond what your organization configures
4. How We Share Your Information
4.1 AI Processing
Clinical Rota uses artificial intelligence to assist with schedule generation, optimization, and compliance monitoring. AI processing occurs on infrastructure we control. Your scheduling data is not transmitted to third-party AI providers for model training.
4.2 Infrastructure Providers
| Provider | Purpose |
|---|---|
| Cloudflare | Website hosting, DNS, CDN, edge functions |
| PostHog | Website and product analytics |
As the Service launches additional infrastructure, this list will be updated. We will notify you of material changes as described in Section 15.
4.3 Sales Outreach Providers
| Provider | Purpose |
|---|---|
| Apollo.io | Lead enrichment and contact data |
| Instantly.ai | Email outreach delivery |
We use these providers solely to contact prospective customers about our products and services. See Section 2.1 for details on what information is processed.
4.4 Scheduling and Communication Partners
| Provider | Purpose |
|---|---|
| Cal.com | Demo scheduling |
4.5 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Zarlu, our users, or the public.
4.6 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
4.7 With Your Consent
We may share information with your explicit consent for purposes not described in this policy.
5. HIPAA and Healthcare Data
Clinical Rota is a workforce scheduling tool. It is designed to handle physician and staff scheduling data – shift assignments, duty hours, availability, contact information, and credential status. Clinical Rota does not access, store, or process Protected Health Information (PHI) as defined under HIPAA.
If your organization’s workflow requires any integration that could cause PHI to flow through Clinical Rota, we will execute a Business Associate Agreement (BAA) before that integration is activated.
For organizations that require a BAA for any vendor connecting to their infrastructure, we are prepared to discuss and execute appropriate agreements. Contact us at [email protected].
6. Data Storage and Security
6.1 Where We Store Data
Your data is stored on servers in the United States.
6.2 Security Measures
We implement commercially reasonable security measures including:
- Encryption in transit using TLS 1.3
- Encryption at rest for all scheduling data and personal information
- Authentication via magic link email verification
- Role-based access controls – administrators and staff members see different data based on their role
- Audit logging of schedule changes and administrative actions
6.3 No Absolute Guarantee
While we use commercially reasonable safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6.4 Breach Notification
In the event of a data breach affecting your personal information, we will notify affected organizations within 72 hours of confirmation, and cooperate with your organization’s incident response procedures. We will also comply with all applicable state breach notification laws.
7. Data Retention
7.1 Prospective Customer Data (Sales Outreach)
Contact information obtained from public sources or third-party data providers for sales outreach is retained for the duration of any active outreach campaign. If you do not respond or opt out, your data is removed from active outreach lists within 6 months of the last campaign. If you request deletion, we will remove your data from our outreach platforms within 30 days.
We maintain a permanent suppression list of email addresses that have opted out, so that we do not contact you again. This list contains only the email address and the date of the opt-out request.
7.2 Demo Request Data
Contact information from demo requests is retained while we are in active communication with you. If you do not become a customer, your information is deleted within 12 months of your last interaction.
7.3 Scheduling and Workforce Data
We retain scheduling data, duty hour records, and related workforce information for as long as your organization’s account is active. Historical schedule data is retained to support compliance auditing (such as ACGME duty hour reviews) and organizational reporting.
7.4 Account Information
We retain account information for as long as the account is active. After account termination, we retain basic records as necessary for legal, accounting, and compliance purposes.
7.5 Usage and Log Data
Aggregate usage data may be retained indefinitely for analytics purposes. Individual log data is retained for a reasonable period for security and debugging purposes.
7.6 After Termination
Upon account termination, your organization may export its data during a 60-day export window. After the export period, we delete your data from active systems within 30 days. Backup deletion follows our standard backup rotation schedule, not to exceed 90 days after active deletion.
8. Data Ownership and Portability
8.1 Your Organization’s Data
Your organization retains all rights to the scheduling data, workforce information, and organizational configuration it provides to Clinical Rota (“Customer Data”). Zarlu claims no ownership of Customer Data.
8.2 Data Export
Your organization may export its data at any time through the Service in standard formats. Upon request, we will provide a complete data export within 10 business days.
8.3 Individual Staff Members
Individual physicians and staff members whose data is managed by their organization through Clinical Rota may contact their organization’s administrator to access, correct, or request deletion of their personal information. If your organization is unable to assist, contact us at [email protected].
9. Your Rights and Choices
9.1 Access and Portability
You may access your information at any time through the Service. Organization administrators may export organizational data.
9.2 Correction
You may update your personal information through the Service settings. Organization administrators may update organizational data.
9.3 Deletion
You may request deletion of your individual account by contacting your organization’s administrator or by emailing [email protected]. Organization administrators may request deletion of their entire organization’s data.
9.4 Communication Preferences
You may opt out of non-essential communications. Service-related notices (such as schedule change alerts and shift notifications you have enabled) cannot be opted out of while your account is active, but you may configure which notifications you receive.
9.5 Do Not Track
Browser Do Not Track signals are not consistently supported across the web, so our services may not respond to them in all cases. You can control cookies and similar technologies through your browser or device settings.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act. These rights apply whether you are a Clinical Rota account holder or a prospective customer who received a commercial email from us.
10.1 Right to Know
You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
10.2 Right to Delete
You may request deletion of your personal information, subject to certain exceptions (such as legal compliance requirements or your organization’s data retention needs).
10.3 Right to Correct
You may request correction of inaccurate personal information.
10.4 Right to Opt Out of Sale or Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
10.5 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
10.6 Exercising Your Rights
To exercise these rights, contact us at [email protected]. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
10.7 Categories of Information
For the purposes of the CCPA/CPRA, we collect the following categories of personal information:
- Identifiers – name, email address, phone number, IP address
- Internet or electronic network activity – usage data, log data
- Professional information – organization name, role, department, credential status
- Inferences – none; we do not create consumer profiles
If you are a prospective customer who has not created a Clinical Rota account, the categories of information we collect are limited to Identifiers (name, business email address, phone number) and Professional information (organization name, job title, department or specialty). This information is sourced from publicly available data and third-party business data providers as described in Section 2.1.
11. Other State Privacy Laws
We comply with applicable state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with consumer privacy legislation. If you are a resident of one of these states, you may have similar rights to those described in Section 10. Contact us at [email protected] to exercise your rights.
12. Children’s Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at [email protected] and we will promptly delete it.
13. International Users
The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
The “Last updated” date at the top of this page indicates when this policy was most recently revised.
16. Data Protection Contact
For privacy-related inquiries, data subject requests, or complaints:
Zarlu, Inc.
Email: [email protected]
We aim to respond to all privacy inquiries within 30 days.