This is provided for transparency and is not legal advice; we recommend review by a licensed attorney or privacy professional.
elevenoone Privacy Policy
Last updated: June 27, 2026 Effective date: June 27, 2026
elevenoone ("elevenoone," "we," "us," or "our") operates the website at elevenoone.ai and the related companion-chat services (the "Services"). The Services let you chat — in text and voice — with openly artificial-intelligence ("AI") creator personas, and (where available) join live per-minute voice and video calls. This Privacy Policy explains what personal information we collect, how and why we use it, who we share it with, how long we keep it, and the privacy rights you have.
The personas are AI, not real people. Every persona on elevenoone is artificially generated. Conversations are with software, not humans. See AI & Voice Processing Disclosure and our Companion-Chatbot Notice.
1. Scope & Who This Applies To
This Policy applies to all visitors and registered users of the Services. It applies whether you access elevenoone from the United States, the European Economic Area ("EEA"), the United Kingdom, or elsewhere.
- If you are in California, see Your Privacy Rights (CCPA/CPRA).
- If you are in the EEA or UK, see Legal Bases and Your Privacy Rights (GDPR/UK GDPR).
- If you are a parent or guardian of a user under 18, see Children & Minors.
Age requirement. The Services are intended for users 13 and older. We do not knowingly collect personal information from children under 13. Users under 18 receive a reduced experience with additional protections — see Children & Minors.
2. Information We Collect
2.1 Account information
- Email address (required) — used for magic-link sign-in (we do not use passwords) and account communications.
- First name (optional) — used to personalize how personas address you.
2.2 Date of birth / age
We collect your date of birth or age to (a) enforce our 13+ requirement, (b) block users under 13, and (c) apply the reduced-experience protections for users under 18. Age signals are also used to apply age-appropriate safety measures. We treat age data as sensitive and use it only for these eligibility and safety purposes.
2.3 Conversation content (text)
The text of your conversations with personas, including messages you type and the AI-generated replies.
- Adults (18+): conversation history is stored server-side so personas can maintain context and continuity.
- Minors (13–17): conversations are not stored server-side and are not used to build persona "memory." They are processed transiently to generate a live reply and are not retained by us beyond what is technically necessary to return that reply.
2.4 Voice audio
When you use voice chat or live calls, we capture voice audio that you record or speak.
- Your audio is sent to our speech-to-text processor (ElevenLabs) and transcribed to text. The text transcript is then handled like other conversation content (stored for adults, not stored for minors).
- We synthesize the persona's reply audio using ElevenLabs text-to-speech.
- Voice-audio retention. Our intent is that raw voice-audio recordings are used only to produce the transcript and the synthesized reply and are deleted immediately after transcription; we do not retain voice recordings. See Sensitive Data & Voice and Data Retention. We do not create or store a "voiceprint" for the purpose of identifying you. See the biometric note.
2.5 Preferences and persona "memory" (adults only)
For adult users, we generate short per-persona "memory" summaries — condensed notes drawn from your prior conversations — so a persona can remember context (for example, a topic you discussed before). We also store your stated preferences and settings. Memory summaries are not created for users under 18.
2.6 Analytics & usage data
We collect engagement analytics events describing how you use the Services — for example, which creators/personas you interact with, which posts you view, and which buttons/features you use. We use this to operate, measure, and improve the Services.
2.7 Cookies and similar technologies
We use a small number of cookies, including httpOnly session cookies to keep you signed in and to secure your session. See Cookies & Tracking.
2.8 Device & network data
- IP address — used for security and rate-limiting (preventing abuse). We do not use IP-based rate-limiting to build advertising profiles.
- Basic technical data your browser/device sends (e.g., browser type), used to deliver and secure the Services.
2.9 Billing information
If you subscribe to the paid friend-tier or use per-minute calls, payment is handled by our third-party payment processor Stripe. We receive limited transaction and subscription-status data; we do not store full card numbers.
2.10 Safety/crisis signals
If our safety systems detect content indicating a possible crisis (e.g., self-harm), we log an anonymous count only — never the underlying message content — to operate and improve safety measures and (where required) for regulatory reporting. See Companion-Chatbot Notice.
3. How We Use Information
We use the information above to:
- Provide the Services — authenticate you (magic link), run text and voice conversations, deliver synthesized voice replies, and host live calls.
- Personalize — for adults, maintain persona memory and context; apply your preferences.
- Safety & moderation — detect abuse, enforce our rules, apply age-appropriate protections, and surface crisis resources.
- Billing — process friend-tier subscriptions and per-minute charges, prevent payment fraud.
- Analytics & improvement — understand usage, measure engagement, debug, and improve the Services.
- Security & abuse prevention — rate-limit, detect intrusions, and protect users and the platform.
- Communications — send service, transactional, and account messages.
- Legal & compliance — comply with law, respond to lawful requests, and enforce our terms.
We do not use your conversation content to serve third-party advertising.
4. Legal Bases for Processing (EEA/UK GDPR)
If you are in the EEA or UK, we rely on the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Creating/operating your account; delivering chats, voice replies, and calls | Contract (Art. 6(1)(b)) |
| Voice-audio capture & speech-to-text; synthesized voice replies | Consent (Art. 6(1)(a)), given when you enable voice |
| Persona memory & personalization (adults) | Consent or legitimate interests (Art. 6(1)(f)) |
| Age/DOB collection and minor protections | Legal obligation (Art. 6(1)(c)) and legitimate interests |
| Analytics, security, rate-limiting, product improvement | Legitimate interests (Art. 6(1)(f)) |
| Billing and fraud prevention | Contract and legal obligation |
| Safety / crisis-resource referrals | Legitimate interests and, where applicable, vital interests (Art. 6(1)(d)) |
| Marketing communications (if any) | Consent |
To the extent any audio or related data is treated as a special category of personal data under Art. 9, we rely on your explicit consent (Art. 9(2)(a)). You may withdraw consent at any time (this does not affect prior processing) — see Your Privacy Rights.
5. AI & Voice Processing Disclosure
- All personas are AI. You are always interacting with artificially generated software, not a human being. AI output can be inaccurate, incomplete, or inappropriate; do not rely on it as professional advice.
- Voice in. When you speak to a persona, your voice audio is transcribed to text by ElevenLabs, and the text drives the AI response.
- Voice out. The persona's spoken reply is synthesized by ElevenLabs text-to-speech.
- LLM processing. AI replies are generated by Anthropic's large language models. Your prompts/conversation text are processed by Anthropic to generate responses.
- Images / live avatars. Persona imagery is generated via Higgsfield; live-call avatars are rendered via Simli.
- No voiceprint identification. We do not use your voice to create a biometric identifier for the purpose of recognizing or authenticating you. See Sensitive Data & Voice.
6. How We Share Information; Sub-Processors
We do not sell your personal information.
We do not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not trade your conversation content or voice data to third parties for their own marketing.
"Share," under California law, refers specifically to disclosing personal information for cross-context behavioral advertising. We do not do this.
Service providers / sub-processors
We disclose personal information to vendors who process it on our behalf and under contract to run the Services. These are service providers / processors, not buyers of your data:
| Sub-processor | Purpose | Data categories involved | Location (TBD/verify) |
|---|---|---|---|
| Anthropic | LLM that generates AI replies | Conversation text/prompts | United States |
| ElevenLabs | Voice speech-to-text (STT) and text-to-speech (TTS) | Voice audio, transcripts, reply text | United States / United States |
| Higgsfield | Persona image generation | Prompts / generation requests | United States |
| Simli | Live-call avatar rendering | Live call audio/video stream data | United States |
| Resend | Transactional email delivery (magic links, account email) | Email address | United States / United States |
| Upstash (Redis) | Primary data store / session & state | Account data, adult conversation history, memory, counters | United States |
| Vercel | Application hosting & delivery | Technical/log data, IP | United States / global edge |
| Stripe | Subscription & per-minute billing | Billing/transaction data | United States |
We may also disclose information: (a) to comply with law or legal process; (b) to protect rights, safety, and security; and (c) in connection with a merger, acquisition, or asset sale, subject to this Policy.
7. Children & Minors
Under 13 — not permitted
The Services are not for children under 13. We do not knowingly collect personal information from anyone under 13 (consistent with the Children's Online Privacy Protection Act, "COPPA"). If we learn we have collected personal information from a child under 13 without verifiable parental consent, we will delete it. If you believe a child under 13 has provided us information, contact contact@elevenoone.ai.
Users 13–17 — reduced experience
For users 13–17:
- Conversations are not stored server-side and are not used to build persona memory.
- We apply additional safety and content protections by default.
- We provide clear notices that responses are AI-generated and not from a human, and break reminders during extended sessions, consistent with California's companion-chatbot law (see SB-243 notice).
Age verification & parental controls
We are implementing age-verification and parental-control features. Where parental consent or parental rights apply (including under COPPA for any inadvertent under-13 data), parents/guardians may request to review, delete, or stop further collection of their child's information by contacting contact@elevenoone.ai. We may need to verify your identity and your relationship to the child before acting.
8. Your Privacy Rights
8.1 California residents (CCPA/CPRA)
You have the right to:
- Know / Access the categories and specific pieces of personal information we collect, use, and disclose.
- Delete personal information we hold about you (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information, so there is nothing to opt out of — but you may still submit a request, and we honor opt-out preference signals (see GPC).
- Limit the use and disclosure of sensitive personal information to what is necessary to provide the Services. We use sensitive information (e.g., precise age/DOB, voice audio, and the contents of communications) only for the permitted purposes described in this Policy.
- Non-discrimination for exercising your rights.
8.2 EEA / UK residents (GDPR / UK GDPR)
You have the right to:
- Access your personal data.
- Rectification (correction) of inaccurate data.
- Erasure ("right to be forgotten").
- Portability — receive your data in a portable format.
- Restriction of processing.
- Object to processing based on legitimate interests.
- Withdraw consent at any time (e.g., for voice processing), without affecting prior processing.
- Lodge a complaint with your local supervisory authority.
8.3 How to exercise your rights
Submit a request to contact@elevenoone.ai (or via any in-product privacy controls). We will verify your identity before acting, respond within the timeframes required by applicable law, and will not discriminate against you for exercising your rights. An authorized agent may submit a request on your behalf with proof of authorization.
9. Data Retention
We keep personal information only as long as needed for the purposes described, then delete or de-identify it.
| Data | Retention |
|---|---|
| Account (email, name, DOB/age) | For the life of your account; deleted after account closure + a short wind-down window |
| Adult conversation history & persona memory | Retained while account is active; deletable on request |
| Minor (13–17) conversations | Not stored server-side; processed transiently only |
| Voice audio (raw recordings) | Deleted immediately after transcription; not retained |
| Transcripts | Treated as conversation content (per above) |
| Analytics/engagement events | Up to 24 months, then aggregated or de-identified; aggregated/de-identified where possible |
| IP / rate-limiting data | Short-lived, retained only as needed for security |
| Crisis-signal counts | Stored as anonymous counts only, no content |
| Billing records | As required by tax/financial law (typically several years) |
10. Security
We use technical and organizational measures to protect personal information, including passwordless magic-link authentication, httpOnly session cookies, access controls, and reputable infrastructure providers. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
11. Cookies & Tracking
We use a minimal set of cookies, primarily httpOnly session cookies that are strictly necessary to keep you signed in and to secure your session. We do not use third-party advertising cookies for cross-context behavioral advertising. Where required, we will present a cookie notice/consent mechanism for any non-essential cookies. We use only strictly-necessary session cookies; we do not use analytics or advertising cookies.
12. Do Not Track & Global Privacy Control
Because browser "Do Not Track" signals are not standardized, we respond to them as described here. We do recognize and honor the Global Privacy Control (GPC) as a valid opt-out preference signal under California law. Since we do not sell or share personal information, a GPC signal does not change our practices, but it is respected.
13. International Data Transfers
We are based in the United States and use sub-processors that may process data in the United States and elsewhere. If you are in the EEA or UK, your personal data may be transferred outside your country. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. Where EEA/UK data is transferred, we rely on the EU Standard Contractual Clauses and the UK IDTA; the Service is directed primarily to users in the United States.
14. Sensitive Data & Voice
Certain data we process is sensitive:
- Voice audio. We capture voice audio to transcribe it and to provide voice replies. We do not create, store, or use a voiceprint or other biometric identifier to identify or authenticate you. To the extent any voice data could be considered a biometric identifier under laws such as the Illinois Biometric Information Privacy Act (BIPA) or treated as special-category data under GDPR, we process it only with your consent, for the limited purpose of operating voice features, under a published retention/deletion practice (see Data Retention). Because we do not create or store a voiceprint, we do not believe BIPA's biometric-consent and retention-schedule obligations apply.
- Age / date of birth. Treated as sensitive and used only for eligibility and safety.
- Emotional & companionship content. Conversations on a companion product may reveal sensitive personal feelings and circumstances. We treat this content with care, do not sell or share it, and apply the protections in this Policy. Please do not share information you do not want processed to generate replies.
15. Companion-Chatbot Notice (California SB-243)
Consistent with California's companion-chatbot law (SB-243):
- Clear AI disclosure. Where a reasonable person might be misled into thinking they are talking to a human, we provide a clear and conspicuous notice that the persona is artificially generated and not human.
- Minors. For users we know to be minors, we provide a default notice that responses are AI-generated, and we display break reminders during extended continuous use.
- Suitability notice. We disclose that companion chatbots may not be suitable for some minors.
- Crisis protocol. We maintain protocols intended to avoid generating self-harm/suicide content and to refer users to crisis resources (e.g., a suicide or crisis hotline) where risk is indicated. We log such events as anonymous counts only, never content, and will provide any annual reporting required by law.
16. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required.
17. Contact & How to File a Request
For privacy questions or to exercise your rights:
- Email: contact@elevenoone.ai
- Subject line suggestion: "Privacy Request — Access / Delete / Correct / Other"
- Postal / data-controller address: elevenoone, Inc., 1111B S Governors Avenue #52078, Dover, DE 19904, US
- EEA/UK representative (if appointed under GDPR Art. 27): Not applicable; the Service is directed to users in the United States
We will verify your identity before fulfilling a request and respond within the timeframe required by applicable law.
This policy reflects our current practices and is provided for transparency; it is not legal advice.