Privacy Policy

Last updated: March 20, 2026

1. Introduction and Scope

This Privacy Policy describes how **Spyglass Systems LLC**, operating as **Around Notes AI** ("we", "our", or "us"), collects, uses, and safeguards personal data and **Protected Health Information (PHI)** when you access spyglasssystems.com / aroundnotes.ai or use our AI-powered clinical documentation tools, including Around Notes™ (ARNOS).

We comply with the **General Data Protection Regulation (GDPR)**, **UK GDPR**, **California Consumer Privacy Act (CCPA/CPRA)**, the **Health Insurance Portability and Accountability Act (HIPAA)**, and other applicable laws. By using our services, you agree to this Privacy Policy.

2. Information We Collect

2.1 Personal and Account Information

We collect personal information you provide directly, including:

  • **Identifiers:** Name, email address, and professional contact details
  • **Professional Data:** Employer or institution affiliation, job title or specialty
  • **Authentication:** Account credentials, password hashes, and login metadata
  • **Billing/Payment:** Payment details handled through compliant third-party processors

2.2 Protected Health Information (PHI)

If you are a healthcare provider or Covered Entity, we may process **PHI** under a signed **Business Associate Agreement (BAA)** in compliance with HIPAA. PHI may include:

  • Patient demographic and clinical data
  • Dictated or transcribed clinical notes
  • Diagnostic impressions or treatment plans
  • AI-generated summaries or encounter documentation

2.3 Technical and Usage Data

We automatically collect limited technical information for security, diagnostics, and performance optimization:

  • IP address, device identifiers, and browser type
  • Operating system, app version, and access timestamps
  • Feature usage metrics, error logs, and audit trails
  • Cookies and tracking technologies (see Cookie Policy)

3. How We Use Information and Legal Basis

We process data for the purposes described below, under the corresponding lawful bases (GDPR Art. 6):

4. HIPAA and Business Associate Compliance

Around Notes AI functions as a **Business Associate** under HIPAA, bound by signed **Business Associate Agreements (BAAs)** with Covered Entities. We apply administrative, physical, and technical safeguards as required by 45 CFR §§164.308–164.312.

  • **Administrative:** Workforce training, incident response, and risk analysis programs
  • **Physical:** Secure data centers, controlled access, and device protection
  • **Technical:** AES-256 encryption, TLS 1.3, MFA, and audit logging
  • **Minimum Necessary Rule:** We limit PHI processing to what is strictly necessary for service delivery

5. Data Sharing and Disclosure

5.1 No Sale or Rent of Personal Data

**We do not sell, rent, or trade personal data or PHI.** Under CPRA, this includes any 'sharing' for cross-context behavioral advertising.

5.2 Limited and Controlled Sharing

We share data only with trusted entities under strict legal agreements:

  • **Subprocessors:** Amazon Web Services (hosting/databases), OpenAI and Google Cloud Services (AI processing in HIPAA-eligible configurations), Microsoft Clarity (analytics, where you have consented), and Stripe or similar (billing)—each under **DPAs and/or BAAs** as applicable.
  • **AI/LLM Providers:** For HIPAA-covered use, **PHI** is processed only through **HIPAA-eligible configurations** under **BAAs** with approved vendors (see our Security & Privacy page). **We do not use PHI to train public or shared models.** You may instead use **de-identified or minimal-data** inputs when you choose not to send PHI.
  • **Legal or Regulatory Requests:** When required by applicable law, subpoena, or court order.
  • **Corporate Events:** If involved in a merger or acquisition, under confidentiality safeguards.

6. Data Security

We use layered security controls to ensure confidentiality, integrity, and availability of information:

  • **Encryption:** AES-256 for data at rest; TLS 1.3 for all data in transit
  • **Access Controls:** Role-based permissions, MFA, and least-privilege principles
  • **Infrastructure:** HIPAA-ready AWS environments, with security controls covered by our independent **SOC 2 Type I** examination (Prescient Assurance, effective April 6, 2026)
  • **Monitoring:** 24/7 system monitoring and automated anomaly detection
  • **Incident Response:** Breach notifications within 72 hours of confirmed event
  • **Audits:** Annual third-party penetration testing and compliance review

7. Your Privacy Rights

Depending on your location and applicable law, you may exercise the following rights:

7.1 GDPR / UK GDPR

  • Access, rectify, or erase your data
  • Restrict or object to processing
  • Receive data in a portable format (Art. 20)
  • Lodge a complaint with your Data Protection Authority

7.2 CPRA (California)

  • Right to know categories and purposes of data collected
  • Right to delete personal data (with exceptions)
  • Right to opt-out of 'sharing' for advertising
  • Right to limit use of Sensitive Personal Information (SPI)

7.3 HIPAA (Covered Entity Users)

  • Access and obtain copies of PHI
  • Request corrections or restrictions
  • Receive an accounting of disclosures

8. International Data Transfers

Spyglass Systems LLC is based in the United States. **PHI and clinical application data** are stored and processed in **US-based HIPAA-eligible regions** (e.g., AWS US); **we do not knowingly route PHI to non-US regions.**

Some **non-PHI** processing (e.g., website analytics or account metadata for international users) may involve vendors or regions outside your country; where the **GDPR/UK GDPR** applies to that personal data, transfers from the EEA/UK/Switzerland follow:

  • **Standard Contractual Clauses (SCCs):** Implemented where required for transfers to countries without an adequacy decision.
  • **EU–U.S. Data Privacy Framework (DPF):** Relied on where applicable for U.S. recipients certified under the DPF.
  • **Supplementary Measures:** Encryption, access limitation, and contractual safeguards as appropriate.

9. Data Retention and Deletion

Data is retained only as long as necessary for lawful and operational purposes:

  • **Account Data:** Active + up to 7 years post-closure (for legal/tax compliance)
  • **PHI:** Retained or deleted per BAA and applicable health regulations
  • **Analytics Data:** Aggregated or anonymized data retained up to 26 months
  • **Backups:** Encrypted database backups retained for **7 days**, then aged out of backup systems (aligned with our Security & Privacy documentation)

10. Cookies and Tracking

We use cookies to operate and secure our website, and optional cookies for analytics or marketing. Manage your consent anytime in our Cookie Policy.

11. Children’s Privacy

Our services are intended for users aged **18 and older**. We do not knowingly collect data from individuals under 18, and we comply with **COPPA** regarding users under 13.

12. Policy Updates

We may modify this Privacy Policy to reflect legal or operational changes. Material updates will be announced via email, in-app message, or website notice.

The 'Last Updated' and 'Version' fields indicate the current version.

13. Contact and Data Protection Officer

For privacy inquiries or to exercise your rights, contact:

Data Protection Officer
Spyglass Systems LLC
PO Box 4033, Davis, CA 95617
Email: legal@aroundnotes.ai / legal@aroundnotes.ai

Email: legal@aroundnotes.ai

Data Protection Officer: legal@aroundnotes.ai

Address: Spyglass Systems LLC, PO Box 4033, Davis, CA 95617, USA

Response Time: We will respond to privacy requests within Within 30 days (or 45 days for CPRA requests)

This Privacy Policy is effective as of March 20, 2026
Version 2.3