Privacy Policy
How Rovn handles your data
This Privacy Policy explains what information Rovn LLC ("Rovn", "we", "us") collects, how we use it, when we share it, how we protect it, and the choices you have. We wrote it in plain English. We will revise it as our HIPAA program is formally completed.
1. Who Rovn is
Rovn LLC is a Delaware-organized limited liability company (EIN 33-2009460). Rovn operates healthcare workforce trust infrastructure, including worker Wallets, role-ready packets, Rovn Connect facility workflows, messaging, credential evidence, and audit-receipted AI assistance.
2. What we collect
Information you provide
- Account information: name, email, role, employer or facility, phone number.
- Healthcare worker credential information: licensure (state, number, status), education, certifications, employment history, references, immunizations, background check status, OIG/SAM screening results, NPDB query results, and packet consent events.
- Organization information: facility or operator name, type, NPI where applicable, hiring contact, role-demand fields, credentialing workflow fields, and integration configuration.
- Communication: messages you exchange with us or with the other side of the marketplace through Rovn.
Information collected automatically
- Usage data: pages visited, features used, request metadata.
- Device data: IP address, user agent, approximate location.
- Cookies and similar technologies for authentication, security, and basic analytics. We do not sell this data.
Information from third parties
- Primary-source verification responses from NPDB, Nursys e-Notify, OIG, SAM, BON, and other credentialing sources.
- Background-check results from contracted vendors (e.g., Checkr) under your authorization.
- Identity-verification results (e.g., Persona) under your authorization.
3. How we use it
- Operate the Rovn network and connect healthcare workers with organizations.
- Build and maintain your Wallet, credential packet, packet coverage, source receipts, and consent history.
- Route evidence to identity, license, issuer, exclusion, and human-review workflows to keep the marketplace safe.
- Comply with legal obligations including healthcare workforce regulations.
- Improve product quality, fix bugs, and detect abuse.
- Communicate with you about your account, packet, applications, and platform changes.
4. When we share
- With your consent. A worker credential packet is not released to an organization without an explicit consent event. Organizations see only the role-relevant fields they need for review.
- With service providers under contract. Cloud infrastructure (AWS), background checks, identity verification, primary-source query gateways, email and analytics. Each is bound by a contract that limits use to operating Rovn's services and requires appropriate safeguards. We sign BAAs with vendors that handle PHI.
- For legal reasons. To comply with valid legal process, protect rights and safety, or respond to a regulator with jurisdiction.
- In a corporate transaction. If Rōvn is acquired or reorganized, your data may transfer subject to the same protections.
Rōvn does not sell personal information.
5. Legal bases (where applicable)
Where applicable laws require a legal basis for processing (e.g., GDPR), we rely on contractual necessity, your consent, our legitimate interest in operating the marketplace, and compliance with legal obligations.
6. How long we keep it
We retain account and credential data for as long as you maintain an active account, plus the period required by law and regulation. Audit and consent records are retained for the longer of seven years or the period required by applicable healthcare workforce regulations. You can request deletion subject to legal retention requirements.
7. How we protect it
Rovn operates on a HIPAA-eligible AWS foundation in us-east-2. Controls in place today include encrypted RDS storage with customer-managed KMS, private VPC, CloudTrail audit logging, GuardDuty, Security Hub, KMS key rotation, AWS Backup with a verified restore drill, signed packet-release events, and minimum-necessary disclosure to organizations. See our Security and HIPAA pages for details and the program work in progress.
8. Your rights and choices
- Access and portability. You can request a copy of your packet.
- Correction. You can correct errors in your information.
- Deletion. You can request deletion subject to legal retention.
- Consent withdrawal. You can revoke a packet release at any time.
- Opt-out of marketing. You can unsubscribe from non-transactional emails.
- State-specific rights. Residents of states that grant additional rights (e.g., California, Colorado, Connecticut, Virginia, Utah) can exercise those rights by contacting privacy@rovn.to.
9. HIPAA and PHI
Rovn has accepted the AWS BAA. Rovn signs BAAs with customers when Rovn handles PHI on their behalf. Rovn signs BAAs with sub-processors that handle PHI. Rovn is formalizing the operating-company HIPAA program (Risk Assessment, policies, workforce training, access reviews, incident response). Rovn does not represent itself as a fully attested HIPAA-compliant operating company until that program is complete and we update this Policy and the HIPAA page accordingly.
10. Children
Rōvn is not directed to children under 16 and we do not knowingly collect data from children.
11. International users
Rōvn operates from the United States. If you access Rōvn from outside the United States, you understand that your data is processed in the United States.
12. Changes to this policy
We will post material changes here and update the "Last updated" date below. For significant changes that affect your data we will notify you via email or in-product notice.
Questions about this Policy: privacy@rovn.to. Security issues: security@rovn.to. Mailing address available on request.
Last updated 2026-04-25.