Legal

Privacy policy.

In effect · Effective: April 21, 2026 · Version: Last updated April 21, 2026 · Region: Global · GDPR · CCPA
In plain English

How to11, Inc. collects, uses, discloses, and safeguards personal information across our LLM development Platform, websites, APIs, documentation, and sales and support channels — and the rights you have under U.S. state laws and the GDPR/UK GDPR.

Introduction

to11, Inc. (“to11,” “we,” “us,” or “our”) operates an LLM development platform (the “Platform”) that helps customers route, trace, observe, and manage prompts in applications that leverage large language models and AI agents. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you interact with the Platform, our websites (including to11.ai and related subdomains), our APIs, our documentation, our sales and support channels, and any other services that link to this Privacy Policy (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

Scope and roles

The Platform is designed primarily for business customers. When a business customer (“Customer”) uses the Services to process personal information about its own end users or employees (“Customer Data”), to11 generally acts as a service provider, processor, or contractor (depending on applicable law) and processes that data on the Customer’s behalf under our Data Processing Addendum or Master Services Agreement. The Customer is the business or controller responsible for that data, and its own privacy notice governs how it collects and uses that information.

This Privacy Policy applies when to11 acts as a business or controller, including:

  • information we collect from visitors to our websites;
  • information we collect from prospects, customers, and partners during sales, onboarding, billing, and support;
  • information we collect from individual developers who sign up for accounts (including free-tier or trial accounts); and
  • information we collect automatically through cookies and similar technologies.

If you are an end user of a Customer’s application and have questions about how that application uses your information, please contact the Customer directly.

Personal information we collect

We collect personal information in three ways: (a) information you provide to us, (b) information collected automatically, and (c) information from third parties.

3.1 Information you provide

  • Account and profile data — name, email, password, employer, job title, and profile photo.
  • Billing data — billing contact, billing address, tax identifiers, and limited payment-card information (full card numbers are handled by our PCI-compliant payment processor and are not stored by to11).
  • Customer content and prompts — content you submit to the Platform, including prompts, datasets, fine-tuning data, evaluation suites, model outputs, logs, and configuration. This content may contain personal information if you choose to include it.
  • Support and communications data — the content of emails, chat messages, support tickets, and recorded calls with our team.
  • Survey, event, and marketing data — responses you provide in surveys, webinar registrations, conference badge scans, and marketing preferences.

3.2 Information collected automatically

  • Usage data — pages viewed, features used, API endpoints called, request and response metadata (size, latency, status codes, model identifiers), and error information.
  • Device and network data — IP address, approximate location derived from IP, device type, operating system, browser type and version, language settings, and referring URLs.
  • Authentication data — session tokens, single sign-on identifiers, and security event logs.
  • Cookies and similar technologies — see Section 8 below.

3.3 Information from third parties

  • Identity providers — if you sign in via Google, Microsoft, GitHub, Okta, or another identity provider, we receive your directory profile information as permitted by you or your administrator.
  • Payment and fraud-prevention partners — tokenized card data, transaction status, and fraud signals.
  • Enrichment and marketing providers — business contact information (name, employer, role, professional email) used to qualify prospects.
  • Publicly available sources — company and professional information from public websites, social networks, and registries.

How we use personal information

We use personal information for the following purposes:

  1. Provide the Services — create and manage accounts, authenticate users, deliver requested features, process transactions, and provide customer support.
  2. Operate and improve the Platform — monitor performance, debug issues, develop new features, and improve reliability, safety, and quality of outputs.
  3. Security and abuse prevention — detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Acceptable Use Policy.
  4. Communications — respond to inquiries; send transactional messages (such as service notices, security alerts, and billing receipts); and, where permitted, send marketing communications, product updates, and event invitations.
  5. Personalization — remember preferences and tailor onboarding, in-product messaging, and documentation suggestions.
  6. Analytics and research — understand how the Services are used, measure marketing effectiveness, and conduct research and analysis.
  7. Legal and compliance — comply with applicable laws, respond to lawful requests from public authorities, enforce our agreements, and protect the rights, property, or safety of to11, our users, and others.
  8. Corporate transactions — evaluate and conduct mergers, acquisitions, financings, reorganizations, and similar transactions.

4.1 Use of Customer Data to train models

We do not use Customer Data (prompts, completions, fine-tuning data, or other content submitted through the Platform’s APIs or workspaces) to train our own AI models, and we do not share Customer Data with third-party model providers for training, except where the Customer explicitly opts in. We may use aggregated and de-identified usage metadata to operate, secure, and improve the Services.

How we disclose personal information

We disclose personal information in the following circumstances:

  • Service providers and processors — to vendors that help us operate the Services, including cloud infrastructure (e.g., hyperscale cloud providers), analytics, email delivery, customer support, CRM, billing, and security tooling. These vendors are bound by written contracts that limit their use of personal information to providing services to us.
  • Model and inference providers — where a Customer configures the Platform to route requests to a third-party model provider, we disclose the content of those requests to the selected provider solely to fulfill the request.
  • Affiliates — entities under common control with to11, subject to this Privacy Policy.
  • Customer administrators — if you use the Services through an employer or other organization, that organization’s administrators may access and manage your account and usage data.
  • Professional advisors — auditors, lawyers, bankers, insurers, and accountants.
  • Business transfers — parties involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets.
  • Legal and safety — government authorities, courts, law enforcement, and other third parties when we believe disclosure is required or permitted by law, necessary to enforce our terms, or necessary to protect the rights, property, or safety of to11, our users, or others.
  • With your direction or consent — to parties you instruct us to share with, such as integration partners.

We do not sell personal information for money. See Section 9 for how U.S. state laws treat certain advertising and analytics disclosures as a “sale” or “sharing” and how to opt out.

Data retention

We retain personal information for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law (for example, for tax, accounting, or legal hold purposes). Retention periods are determined based on the type of data, the purpose of processing, contractual requirements, and legal obligations. Customer Data is retained and deleted in accordance with the Customer’s agreement with us and the configuration of the Customer’s workspace.

Cookies and tracking technologies

8.1 What we use

We and our service providers use cookies, pixels, SDKs, local storage, and similar technologies (“Cookies”) on our websites. The categories we use are:

  • Strictly necessary — required to operate the site and the authenticated Platform (for example, session management, load balancing, and fraud prevention). These cannot be turned off in our systems.
  • Functional — remember preferences such as language, region, and UI settings.
  • Analytics and performance — help us understand how visitors use the site so we can improve it (for example, product-analytics tools and error monitoring).
  • Advertising and marketing — support advertising on third-party platforms, measure campaign performance, and limit the number of times you see an ad.

8.2 Your choices

You can manage non-essential Cookies through our cookie preference center, available in the footer of our websites. You can also control Cookies through your browser settings, device settings, and industry opt-outs such as the Network Advertising Initiative (optout.networkadvertising.org) and the Digital Advertising Alliance (optout.aboutads.info).

8.3 Global Privacy Control

We treat Global Privacy Control (“GPC”) signals received from your browser as a valid opt-out of the “sale” or “sharing” of personal information and of targeted advertising for the browser and device from which the signal is sent, as required by applicable state laws.

8.4 Do Not Track

Because there is no consensus standard for Do Not Track signals, our websites do not respond to them. We honor GPC as described above.

Your U.S. state privacy rights

Several U.S. states — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), New Jersey (NJDPA), New Hampshire (NHDPA), Minnesota (MCDPA), Maryland (MODPA), Nebraska (NDPA), Tennessee (TIPA), Indiana (INCDPA), Kentucky (KCDPA), and Rhode Island — give residents rights in their personal information. The specific rights available to you depend on the state in which you reside.

9.1 Rights available under most state laws

Subject to limits and exceptions in applicable law, you may have the right to:

  • Know / access — confirm whether we process your personal information and obtain a copy.
  • Correct — request correction of inaccurate personal information.
  • Delete — request deletion of personal information we have collected from you.
  • Portability — receive your personal information in a portable, machine-readable format.
  • Opt out of sale or sharing — direct us not to sell or share your personal information.
  • Opt out of targeted advertising — direct us not to use your personal information for cross-context behavioral advertising.
  • Opt out of certain profiling — direct us not to profile you in furtherance of decisions that produce legal or similarly significant effects.
  • Limit the use of sensitive personal information — direct us to use sensitive personal information only for purposes permitted by law.
  • Non-discrimination — not be discriminated against for exercising your rights.

9.2 California residents (CCPA/CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

Categories of personal information collected in the last 12 months:

  • Identifiers (e.g., name, email, IP address, account ID)
  • California Customer Records (Cal. Civ. Code § 1798.80(e)) (e.g., billing information)
  • Commercial information (e.g., subscription and transaction records)
  • Internet or other electronic network activity information (e.g., usage and device data)
  • Geolocation data (approximate, derived from IP)
  • Professional or employment-related information
  • Inferences drawn from the above
  • Sensitive personal information limited to account credentials and, where provided voluntarily, Customer content that may contain such data

Sources, purposes, and recipients of each category are described in Sections 3, 4, and 6.

Sales and sharing. We do not sell personal information for monetary consideration. We may “share” personal information (i.e., disclose it for cross-context behavioral advertising) through advertising and analytics Cookies on our marketing websites. We do not knowingly sell or share personal information of consumers under 16.

Sensitive personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by CCPA/CPRA without offering a right to limit.

Retention. We retain each category of personal information for the period described in Section 7.

How to exercise California rights:

  • Email privacy@to11.ai from the address associated with your account.
  • You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization, and we may require you to verify your identity and confirm that you provided the agent with authority.
  • We will verify your identity using information associated with your account or by matching data points you provide with data we already maintain.
  • We will respond within 45 days and may extend by an additional 45 days with notice.

Shine the Light. California residents may request information about our disclosure of personal information to third parties for their direct-marketing purposes by emailing privacy@to11.ai.

Notice of Financial Incentive. We do not currently offer financial incentives in exchange for personal information.

9.3 Virginia, Colorado, Connecticut, Oregon, Montana, Texas, and other state residents

Residents of these states may exercise the rights described in Section 9.1 by emailing privacy@to11.ai. If we deny your request, you may appeal by replying to our response or writing to privacy@to11.ai. We will respond to appeals within the period required by applicable law (generally 45–60 days). If your appeal is denied, you may contact your state attorney general.

9.4 Nevada

Nevada residents may submit a request to opt out of the sale of certain personal information under Nev. Rev. Stat. § 603A by emailing privacy@to11.ai.

Children’s privacy

The Services are intended for businesses and professional developers and are not directed to children under 13 (or under 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@to11.ai so we can delete it.

International data transfers (GDPR / UK GDPR)

to11 is headquartered in the United States. If you access the Services from the European Economic Area (“EEA”), the United Kingdom, Switzerland, or other jurisdictions outside the United States, your personal information will be transferred to, stored, and processed in the United States and other countries where we or our service providers operate.

When we transfer personal information out of the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, such as:

  • the European Commission’s Standard Contractual Clauses (2021) and the UK’s International Data Transfer Addendum;
  • the EU–U.S. Data Privacy Framework and its UK and Swiss extensions, where applicable; and
  • supplementary measures such as encryption in transit and at rest, access controls, and transparency reporting.

If you are located in the EEA, UK, or Switzerland, you have the rights set out in Section 9.1 as well as the right to lodge a complaint with your local supervisory authority (for example, the UK Information Commissioner’s Office at ico.org.uk or your national Data Protection Authority). Our EU and UK representative under Article 27 can be reached at privacy@to11.ai.

Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, access controls, network segmentation, monitoring and logging, vulnerability management, secure software development, vendor security reviews, and employee security training. We are assessed against industry frameworks such as SOC 2 Type II and ISO/IEC 27001, and we publish additional detail on our Trust Center. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Third-party services and links

The Services may contain links to third-party websites, integrations, or models. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to their services. We encourage you to review the privacy policies of any third party before providing personal information to it.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date above. If we make material changes, we will notify you by posting a prominent notice on the Services or by emailing the address associated with your account. Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Privacy Policy.

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Data Protection Officer
dpo@to11.ai
Mail
to11, Inc., Attn: Privacy, 1111B S Governors Ave # 52102, Dover Delaware, 19901, USA.
Privacy requests
Email privacy@to11.ai.

For accessibility assistance with this Privacy Policy, please email accessibility@to11.ai.

Still have questions?

If you have questions, contact privacy@to11.ai. We aim to respond within two business days.
