Privacy Policy

Last updated: March 3, 2026

1. Controller and Scope

Eleven of Ten LLP (elevens.ai) ("we", "our", "us"), operating OpenRounds, is the controller for personal data processed through the OpenRounds web and mobile services (the "Service"). This policy applies to all users, with additional disclosures for US, EU/EEA, and UK users in Section 10.

Legal entity website: https://www.elevens.ai
Contact: admin@openrounds.ai

2. Data We Collect, Why, and Legal Basis

We collect data needed to operate the Service and keep it secure. For EU/EEA and UK users, we list legal bases below.

Category	Examples	Purpose	EU/UK Legal Basis	Retention
Account and profile data	Email, name, credential, specialty, timezone	Authentication, account management, personalization	Contract; legitimate interests	Until account deletion, then deletion workflow
Professional verification data	NPI, verification status, optional institutional/credential verification fields	Provider verification, trust and abuse prevention	Contract; legitimate interests; consent for optional uploads	Until account deletion (or earlier on request where applicable)
Usage and device data	Event data, IP-derived region/country, app/browser details, push token/device id	Security, product analytics, notification delivery	Legitimate interests; consent where required by law	Analytics: 90 days; push tokens until removed or account deletion
Engagement and user-generated data	Bookmarks, reading history, feedback, article chat inputs, submissions, personal sources	Core service features and relevance tuning	Contract; legitimate interests	Until account deletion unless shorter retention applies
CME and learning records	Assessments, credits, certificates, exports, COI responses, activity evaluations	CME tracking and user reporting features	Contract; legitimate interests	Until account deletion unless required longer by law/contract
Communications data	Subscriber state, unsubscribe state, service emails	Transactional and newsletter communication	Consent and/or contract; legitimate interests for essential service notices	Until unsubscribe or account deletion

3. Data Sources

Directly from you (account setup, profile edits, submissions, CME features).
Automatically from your use of the Service (events, device/session data).
From service providers and integrations you use (e.g., authentication, push delivery, Slack installation metadata).
From the CMS NPPES registry for NPI verification when requested by you.

4. Processors and Recipients

We use processors to provide infrastructure and features:

Supabase (authentication, database, storage).
Vercel (hosting/runtime infrastructure).
Anthropic (AI analysis features).
Resend (email delivery).
Expo (mobile push notification delivery).
Slack (workspace integration when installed by users).
CMS NPPES (optional NPI verification lookup).

We disclose data to authorities only when required by law, and to professional advisers as needed for legal/compliance operations.

5. International Transfers

Your data may be processed in countries outside your own, including the United States. Where required, we rely on recognized transfer mechanisms, including contractual safeguards such as standard contractual clauses, plus supplementary technical and organizational measures.

To request transfer safeguard details relevant to your account, contact admin@openrounds.ai.

6. Cookies and Similar Technologies

We use essential cookies for authentication/session security. We do not use third-party advertising cookies. Product analytics are first-party and used for service performance and feature quality. If we introduce non-essential cookies in the future, we will request consent where required by law.

7. Retention

Analytics events are retained for up to 90 days.
Account/profile and feature data are retained while your account is active.
Account deletion triggers removal of associated personal data through deletion workflows and cascades.
Certain records may remain in backups/logs for limited periods required for security, fraud prevention, and recovery.

8. Security

We use technical and organizational safeguards, including TLS in transit, access controls, service-role restrictions, and rate-limit protections. No system can be guaranteed 100% secure.

9. Automated Processing and Profiling

We use automated systems for summarization, ranking, and personalization. These features are intended to improve relevance and efficiency and are not designed to make decisions with legal or similarly significant effects about you.

10. Regional Privacy Notices

US Notice

You may request access, correction, deletion, and a portable copy of certain personal data.
You may opt out of promotional emails using unsubscribe links.
We do not sell personal data and do not process personal data for cross-context behavioral advertising.
To submit a rights request, email admin@openrounds.ai.

EU/EEA (GDPR) Notice

Your rights include access, rectification, erasure, restriction, objection, and portability.
Where processing is based on consent, you may withdraw consent at any time.
You can object to processing based on legitimate interests, and we will assess your objection under GDPR standards.
You have the right to lodge a complaint with your local supervisory authority.

UK Notice

UK users have equivalent rights under UK GDPR and the Data Protection Act 2018.
You may lodge a complaint with the UK Information Commissioner's Office (ICO).

11. Exercising Your Rights

Send requests to admin@openrounds.ai from your account email where possible so we can verify identity. We may request additional verification before fulfilling requests.

12. Children's Privacy

The Service is not intended for children under 18. If we become aware that personal data from a child under 18 has been collected, we will take appropriate deletion steps.

13. Policy Changes

We may update this policy periodically. Material changes will be posted in the Service and, where appropriate, communicated by email.

14. Contact

Privacy inquiries and rights requests: admin@openrounds.ai