Privacy Policy
How Rōvn handles your data
This Privacy Policy explains what information Rovn LLC ("Rōvn", "we", "us") collects, how we use it, when we share it, how we protect it, and the choices you have. We wrote it in plain English. We will revise it as our HIPAA program is formally completed.
1. Who Rōvn is
Rovn LLC is a Delaware-organized limited liability company (EIN 33-2009460). Rōvn operates direct healthcare hiring infrastructure, including a nurse credential passport, a Rōvn Ready trust score, and a hospital direct hiring workspace.
2. What we collect
Information you provide
- Account information: name, email, role, employer or facility, phone number.
- Nurse credential information: licensure (state, number, status), education, certifications, employment history, references, immunizations, background check status, OIG/SAM screening results, NPDB query results.
- Hospital information: facility name, type, NPI, hiring contact, job posting fields, applicant decisions.
- Communication: messages you exchange with us or with the other side of the marketplace through Rōvn.
Information collected automatically
- Usage data: pages visited, features used, request metadata.
- Device data: IP address, user agent, approximate location.
- Cookies and similar technologies for authentication, security, and basic analytics. We do not sell this data.
Information from third parties
- Primary-source verification responses from NPDB, Nursys e-Notify, OIG, SAM, BON, and other credentialing sources.
- Background-check results from contracted vendors (e.g., Checkr) under your authorization.
- Identity-verification results (e.g., Persona) under your authorization.
3. How we use it
- Operate the Rōvn marketplace and connect nurses with hospitals.
- Build and maintain your credential packet and Rōvn Ready score.
- Verify identities, licenses, and exclusions to keep the marketplace safe.
- Comply with legal obligations including healthcare workforce regulations.
- Improve product quality, fix bugs, and detect abuse.
- Communicate with you about your account, packet, applications, and platform changes.
4. When we share
- With your consent. A nurse credential packet is not released to a hospital without an explicit consent event. Hospitals see only the role-relevant fields they need to make a hiring decision.
- With service providers under contract. Cloud infrastructure (AWS), background checks, identity verification, primary-source query gateways, email and analytics. Each is bound by a contract that limits use to operating Rōvn's services and requires appropriate safeguards. We sign BAAs with vendors that handle PHI.
- For legal reasons. To comply with valid legal process, protect rights and safety, or respond to a regulator with jurisdiction.
- In a corporate transaction. If Rōvn is acquired or reorganized, your data may transfer subject to the same protections.
Rōvn does not sell personal information.
5. Legal bases (where applicable)
Where applicable laws require a legal basis for processing (e.g., GDPR), we rely on contractual necessity, your consent, our legitimate interest in operating the marketplace, and compliance with legal obligations.
6. How long we keep it
We retain account and credential data for as long as you maintain an active account, plus the period required by law and regulation. Audit and consent records are retained for the longer of seven years or the period required by applicable healthcare workforce regulations. You can request deletion subject to legal retention requirements.
7. How we protect it
Rōvn operates on a HIPAA-eligible AWS foundation in us-east-2. Controls in place today include encrypted RDS storage with customer-managed KMS, private VPC, CloudTrail audit logging, GuardDuty, Security Hub, KMS key rotation, AWS Backup with a verified restore drill, signed packet-release events, and minimum-necessary disclosure to hospitals. See our Security and HIPAA pages for details and the program work in progress.
8. Your rights and choices
- Access and portability. You can request a copy of your packet.
- Correction. You can correct errors in your information.
- Deletion. You can request deletion subject to legal retention.
- Consent withdrawal. You can revoke a packet release at any time.
- Opt-out of marketing. You can unsubscribe from non-transactional emails.
- State-specific rights. Residents of states that grant additional rights (e.g., California, Colorado, Connecticut, Virginia, Utah) can exercise those rights by contacting privacy@rovn.to.
9. HIPAA and PHI
Rōvn has accepted the AWS BAA. Rōvn signs BAAs with customer hospitals when Rōvn handles PHI on their behalf. Rōvn signs BAAs with sub-processors that handle PHI. Rōvn is formalizing the operating-company HIPAA program (Risk Assessment, policies, workforce training, access reviews, incident response). Rōvn does not represent itself as a fully attested HIPAA-compliant operating company until that program is complete and we update this Policy and the HIPAA page accordingly.
10. Children
Rōvn is not directed to children under 16 and we do not knowingly collect data from children.
11. International users
Rōvn operates from the United States. If you access Rōvn from outside the United States, you understand that your data is processed in the United States.
12. Changes to this policy
We will post material changes here and update the "Last updated" date below. For significant changes that affect your data we will notify you via email or in-product notice.
Questions about this Policy: privacy@rovn.to. Security issues: security@rovn.to. Mailing address available on request.
Last updated 2026-04-25.