Privacy policy
Rosea App
Effective Date: 03.04.2026
Latest Update: 03.04.2026
1. Introduction
Welcome to Rosea ("we," "our," or "us"), a mobile application developed by CS TECHNOLOGIES, LDA. Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.
Please read this Privacy Policy carefully as it describes our privacy practices and how we will collect, use, and disclose any personal information we collect from you, or that you provide to us, in connection with Rosea. This Privacy Policy forms part of and is incorporated into the Terms of Use for Rosea.
Data Controller: CS TECHNOLOGIES, LDA is the data controller for the personal data processed through Rosea. If you have questions about how we process your data, you may contact us at: legal@carrotsauce.com.
2. Data We Collect
Rosea is designed with privacy at its core. The App does not require account creation, does not collect personal identifiers, and stores all user data exclusively on your device. We may collect and process only the following limited information:
2.1. Automatically Collected Data
Certain limited data is automatically collected by the third-party services integrated into Rosea, even without explicit action on your part. This includes: device type and operating system version (collected by Expo for delivering app updates). We do not operate our own analytics or tracking systems.
2.2. Communications
Information you provide when contacting our customer support team or submitting feedback (for example, your email address and the content of your message).
2.3. On-Device Data (Not Collected by Us)
We do not store any personal diary entries, severity logs, symptom records, trigger data, treatment logs, or face photos on our servers. All such data is kept exclusively on your device.
If you choose to enable iCloud synchronisation, your on-device data will be stored in your personal iCloud account. This data is managed by Apple under Apple's own privacy policy and terms of service. CS TECHNOLOGIES, LDA does not have access to data stored in your iCloud account.
2.4. On-Device Analytics (Not Collected by Us)
Rosea generates weekly reports summarising your severity trends, triggers, and treatment effectiveness. These reports are generated entirely on your device using your locally stored data. No analytics data is transmitted to our servers or any third party.
3. How We Use Your Data
We process personal data only for the following limited purposes:
To deliver app updates through Expo
To respond to your requests, resolve disputes, and troubleshoot problems when you contact us
To maintain, improve, and optimise the App
To comply with legal obligations applicable to our business
To protect the security and integrity of our services
4. Legal Basis for Processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases for processing your personal data:
Contract Performance (GDPR Article 6(1)(b)): Processing necessary to fulfil our commitments to you, including providing access to Rosea and delivering app updates.
Legitimate Interests (GDPR Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving our services and ensuring security. We balance these interests against your rights and freedoms.
Legal Obligation (GDPR Article 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject, such as tax or accounting requirements.
Vital Interests (GDPR Article 6(1)(d)): In exceptional circumstances, to protect your vital interests or those of another person.
4.1. Automated Decision-Making
Rosea generates on-device weekly reports and summaries based on your diary entries (for example, identifying your most frequent triggers or showing severity trends). These are generated entirely on your device using simple logic and do not constitute automated decision-making or profiling that produces legal effects or similarly significant effects on you. No personal data is transmitted to our servers for this purpose.
4.2. Supervisory Authority Contact Information
Switzerland: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
Portugal (our lead supervisory authority): Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt/
4.3. US Privacy Laws
Some US states require us to provide additional details about the categories of personal information we collect and how we use it. In the last 12 months, we collected the following categories of personal information, depending on the services used:
Identifiers (such as device and online identifiers collected by Expo)
We collect personal information for the business and commercial purposes described in Section 3. In some US states you have additional rights, subject to exemptions under your state's law, including the right to:
Request a copy of the specific pieces of information we collect about you
Request deletion of personal information we collect or maintain
Request correction of inaccurate personal information
Opt out of the sale or sharing of personal information
Receive a copy of your information in a readily portable format
Not receive discriminatory treatment for exercising your rights
We do not "sell" or "share" your personal data as those terms are defined under applicable US state privacy laws. We do not have knowledge of any sale or sharing of the personal data of minors under 16 years of age. We do not collect or process sensitive personal information except where strictly necessary to provide you with our service.
5. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Restriction of Processing: Request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
Right to Object: Object to our processing of your personal data based on legitimate interests.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (see Section 4.2).
To exercise any of these rights, contact us at: legal@carrotsauce.com. We will respond to your request within 30 days (or such other period as required by applicable law). We may ask you to verify your identity before processing your request.
6. Data Sharing and Transfers
6.1. Third-Party Service Providers
We use the following third-party service provider to support the operation of Rosea:
Expo (Expo, Inc.): App delivery and update services. Processes: device information for delivering updates.
This provider acts as a data processor on our behalf and is bound by a data processing agreement that ensures compliance with applicable data protection laws.
6.2. Legal Compliance
We may disclose your personal data if required to do so by law, regulation, or legal process, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3. International Data Transfers
Because our third-party service provider may be located outside the European Economic Area (EEA), your personal data may be transferred to and processed in countries outside the EEA, including the United States. When such transfers occur, we ensure that appropriate safeguards are in place, including:
- European Commission Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914
- Adequacy decisions where the European Commission has determined that a third country provides an adequate level of data protection
- Other legally recognised transfer mechanisms as appropriate
You may request further information about the safeguards we apply to international transfers by contacting us at legal@carrotsauce.com.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:
Support correspondence: Retained for up to 2 years after your last interaction with us, unless a longer retention period is required for legal purposes.
On-device data: Controlled entirely by you. This data is deleted when you uninstall the App or manually delete it. If you have enabled iCloud synchronisation, that data is subject to Apple's retention policies.
You can delete all your data at any time through the App's settings or by uninstalling the App.
8. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or misuse. These measures include:
All user data is stored locally on your device, not on external servers
iCloud synchronisation, if enabled, uses Apple's encryption and security infrastructure
Regular security reviews of our systems and processes
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to enhance our protective measures.
9. Third-Party Websites
Rosea may contain links to third-party websites or services. This Privacy Policy does not apply to those websites. We encourage you to read the privacy policies of any third-party services before providing your personal data to them.
10. Children's Privacy
Rosea is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at legal@carrotsauce.com so that we can take appropriate action.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will:
Update the "Effective Date" and "Latest Update" dates at the top of this policy
Present the updated Privacy Policy to you within the App and require your acknowledgment before you may continue using Rosea
If you do not agree with the updated Privacy Policy, you may stop using the App. Your continued use of Rosea after acknowledging the updated Privacy Policy constitutes your acceptance of the changes.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
Email: legal@carrotsauce.com
Company: CS TECHNOLOGIES, LDA
Important Disclaimer
Rosea is a personal rosacea diary designed to help you track symptoms, triggers, and treatments. The App does not offer medical diagnoses, treatment recommendations, or professional health advice.
If you are experiencing severe skin conditions or require professional care, we strongly recommend consulting with a qualified dermatologist or healthcare provider.