1. Overview
This Privacy Policy describes how Mendrix Inc. and its affiliated entities — including Mendrix Care Solutions LLC, Mendrix Medical Associates PC (California and Tennessee), Round-ing, NRUSA Luxury Med Spa, Mendrix Agency Group, Mendrix Care Capital, and A Beacon Affairs Foundation (collectively, "Mendrix," "we," "our," or "us") — collect, use, and protect your information when you use our websites, platforms, or services.
By using Round-ing or any Mendrix platform, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the platform.
- We do not sell your personal information to third parties
- PHI is never sold, used for commercial purposes, or transmitted to third-party AI systems in identifiable form
- Our Round-ing platform's AI engine operates exclusively on de-identified data
- All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
- BAAs are in place with all HIPAA-relevant vendors (AWS, Pinecone, Twilio)
2. Legal Frameworks
Round-ing operates under and complies with the following legal frameworks:
| Framework | Applies To | Our Status |
|---|---|---|
| HIPAA | Protected Health Information (PHI) handled on behalf of covered entities | Compliant — BAAs in place with all relevant subprocessors |
| CCPA / CPRA | California residents | Compliant — Do Not Sell/Share rights honored |
| GDPR | EU / EEA users and data subjects | Compliant — SCCs used for data transfers |
| PIPEDA | Canadian users | Compliant |
| Illinois BIPA | Biometric data of Illinois residents | Compliant — consent-first model |
3. Information We Collect
We may collect the following categories of information:
Identity & Contact
Name, address, phone number, email address, and date of birth.
Health Information
Medical records, diagnoses, insurance details, and clinical notes collected through our healthcare entities. This constitutes Protected Health Information (PHI) governed under HIPAA.
Financial Information
Billing and payment details processed through secure, PCI-DSS compliant third-party processors.
Employment & Credentialing
Resume, licensure, work history, and background check results collected through our staffing operations.
Technical Data
IP address, browser type, device identifiers, and usage activity collected through our websites and platforms.
Communications
Messages and inquiries you submit to us.
4. How We Use Your Information
- Delivering healthcare, staffing, NEMT, wellness, and SaaS services
- Supporting clinical care coordination, billing, and revenue cycle operations
- Recruiting, credentialing, and managing healthcare professionals
- Improving our platforms and services through analytics
- Complying with HIPAA, CMS regulations, and applicable state and federal law
- Sending service updates and, where you have consented, marketing communications
- Detecting and preventing fraud and security incidents
Round-ing does not display third-party advertisements, does not sell user data to data brokers, and does not use your healthcare or employment data for any purpose outside of delivering our platforms and services.
5. Legal Bases for Processing
For users subject to GDPR, we process personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract performance |
| Clock-in GPS verification | Contract performance + Legitimate interests |
| Biometric liveness check | Explicit consent |
| Credential document storage | Legal obligation + Contract performance |
| Invoice generation | Contract performance + Legal obligation |
| Platform analytics (anonymized) | Legitimate interests |
| Marketing communications | Consent (opt-in only) |
6. Disclosure of Information
We do not sell your personal information. We may share information with:
- Affiliated Mendrix entities providing integrated services
- Healthcare partners and facilities under executed Business Associate Agreements
- Technology and infrastructure vendors under appropriate data protection agreements
- Legal and regulatory authorities as required by law
- Professional advisors bound by confidentiality obligations
- Successor entities in connection with a merger or asset sale
Round-ing uses the following key third-party services to operate the platform. Each is bound by a Data Processing Agreement (DPA), and HIPAA-relevant vendors have executed Business Associate Agreements (BAAs).
| Vendor | Purpose | BAA | Data Sent |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database (RDS Aurora), authentication (Cognito), monitoring (CloudWatch) | Yes | All platform data within private VPC |
| Pinecone | Vector embeddings for O·R·A AI search | Yes | De-identified embeddings only — no PHI |
| Twilio | SMS notifications and verification | Yes | Phone numbers, message content |
| Claimocity | Revenue cycle management integration | Yes | Billing-relevant data per integration scope |
| Sentry | Error monitoring and crash reporting | DPA only | Anonymized error logs, stack traces |
We do not use third-party language models (e.g. OpenAI, Anthropic, Google) to process PHI or individually identifiable health information. O·R·A's AI processing occurs within our private AWS infrastructure.
8. Your Rights
Depending on your location, you may have the right to access, correct, delete, or receive a portable copy of your personal information, and to opt out of marketing communications. California residents have additional rights under the CCPA/CPRA.
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Correct inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data, subject to legal retention obligations
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to certain processing activities, including direct marketing
- Right to restrict processing — Request that we limit how we use your data in certain circumstances
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time
To submit a request, contact us at privacy@mendrix.org. We will respond within 30 days.
9. Data Retention
We retain information as long as necessary to fulfill the purposes described in this policy, satisfy legal and regulatory requirements, and resolve disputes. Medical records are retained per California and Tennessee law and applicable CMS standards.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 3 years | Legal and contractual obligations |
| Clock-in / attendance records | 7 years | Healthcare employment law requirements |
| Credential documents | Duration of employment relationship + 5 years | Regulatory compliance |
| Invoice and billing records | 7 years | Tax and accounting requirements |
| Biometric liveness results (pass/fail only) | 90 days | Audit support; no biometric templates stored |
| Analytics data (anonymized) | Indefinite | Platform improvement; no personal identifiers |
Upon account deletion, identifiable personal data is removed within 30 days, subject to legal retention requirements above.
10. Data Security
We maintain administrative, technical, and physical safeguards including:
- Encryption: AES-256 at rest, TLS 1.3 in transit, encrypted database volumes on AWS RDS Aurora
- Network isolation: private AWS VPC, no public database endpoints, network-level access controls
- Access control: role-based access controls, MFA enforced for admin accounts, least-privilege principles
- Monitoring: AWS CloudWatch, Sentry error tracking, regular security assessments
In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within the timeframes required by applicable law.
11. Communications
We may contact you via email, SMS (through Twilio), or in-app notifications for the following purposes:
- Transactional messages (shift confirmations, clock-in alerts, invoice notifications)
- Compliance alerts (credential expiration warnings, license renewal reminders)
- Platform updates and security notices
- Marketing communications — only with your explicit prior consent, and only if you have opted in
You can manage your notification preferences in the Round-ing app settings or by contacting contact@mendrix.org. Opting out of marketing does not affect transactional or compliance messages necessary to provide the service.
12. Biometric Data
Biometric processing is only activated after you provide explicit, informed, and revocable consent during onboarding. You may withdraw consent at any time, which will disable biometric clock-in and replace it with alternative verification.
12.1 What we process
Round-ing's clock-in process includes a face liveness check to confirm the person is physically present and is not using a photo, video, or mask to spoof the verification. The liveness check captures a momentary video frame, processes it on-device or in our secure AWS infrastructure, and returns only a pass/fail result. No facial template, biometric identifier, or raw facial imagery is stored.
12.2 Illinois BIPA Compliance
For users in Illinois, Round-ing complies with the Biometric Information Privacy Act (BIPA). Before any biometric processing occurs, Illinois users receive a written policy disclosure and are asked for written consent. Biometric data (pass/fail liveness results) is retained for no longer than 90 days, or 3 years after your last interaction with Round-ing, whichever comes first, and is then permanently destroyed.
12.3 No third-party biometric sharing
We do not sell, lease, trade, or otherwise profit from biometric data. We do not share biometric processing results with any third party except where required by law or as necessary to provide the service (e.g., returning a verification result to the facility dashboard).
13. Geolocation Data
Round-ing collects GPS location data only at the moment of clock-in and clock-out for the purpose of verifying that the healthcare professional is physically within the configured geofence radius of the assigned facility.
We do not track your location continuously, outside of shift events, or in the background. Location data collected at clock-in is used to confirm presence and is retained as part of the attendance record per the retention schedule in Section 9. This data is not shared with advertisers or data brokers.
14. HIPAA Notice
Round-ing acts as a Business Associate under HIPAA when processing PHI on behalf of covered healthcare entities. We execute BAAs with all covered entity customers prior to handling any PHI. Our infrastructure — including AWS, Pinecone, and Twilio — is covered by BAAs. PHI is never transmitted to, processed by, or stored in any system or AI model not covered by a BAA.
14.1 Minimum Necessary Standard
We apply the HIPAA minimum necessary standard to all PHI access. O·R·A, our AI assistant, accesses only the operational data necessary to respond to a given query, and PHI is never used as training data for AI models.
14.2 Breach Notification
In the event of a breach of unsecured PHI, Round-ing will notify affected covered entities within 60 days of discovery, as required by the HIPAA Breach Notification Rule. Individual notification obligations remain with the covered entity.
15. Children's Privacy
Round-ing is a professional healthcare platform and is not directed at individuals under 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly. Contact us at privacy@mendrix.org if you believe we may have collected data from a child.
16. Do Not Sell or Share My Personal Information
Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, California residents have the right to opt out of the sale or sharing of their personal information for cross-context behavioral advertising. Round-ing does not sell or share personal information for advertising purposes. There is nothing to opt out of with respect to data sales.
California residents may still submit a data access, deletion, or correction request by emailing privacy@mendrix.org with "CCPA Request" in the subject line.
17. International Data Transfers
Round-ing is headquartered in the United States. If you access the platform from outside the US — including from the EU, EEA, or UK — your data may be transferred to and processed in the United States. We rely on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs) — used for transfers to our EU-based data subjects and subprocessors
- UK International Data Transfer Agreements (IDTAs) — for UK data subjects post-Brexit
- Adequacy decisions — where applicable
All international transfers occur within our private AWS infrastructure, which maintains region-specific data residency configurations upon request for enterprise customers.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Send an in-app notification and email to registered users
- For changes to biometric data handling, obtain fresh consent where required
Your continued use of Round-ing after a policy update constitutes your acceptance of the revised terms. If you disagree with the updated policy, you may close your account by contacting contact@mendrix.org.
19. Contact Us
For privacy-related questions, data subject requests, or to report a potential security issue, contact us at:
Mendrix Inc.
Marina del Rey, CA
privacy@mendrix.org
contact@mendrix.org
www.mendrix.org
We aim to respond to all privacy inquiries within 5 business days and to fulfill data subject requests within 30 days (extendable to 60 days for complex requests with prior notice).
Round-ing™ · Operational Infrastructure for Post-Acute & Long-Term Care
A product of Mendrix Inc. · round-ing.com · © 2026 Mendrix Inc. All rights reserved.
Privacy Policy effective January 1, 2026 · Version 1.0